10/28/2015 9:12 AM
by COL Greg Conti
Director, Army Cyber Institute
One of the challenges created by the ubiquity of Internet connected devices we use every day is the manner in which we interact with our devices as different user roles. If you are at work, on the Department of Defense Information Network (DoDIN), chances are you are a general user, with very little ability to alter your system other than through ordinary use. Even as an information security specialist and cyber officer, my current workstation restricts me to the rights and privileges afforded to any other general user. At home, on our laptop, tablet, or phone, however, we mostly operate as privileged users, often with complete control of security, updates, software, and use. On our personal devices we assume personal responsibility for the way we use our devices, the software we install, and the security of our data. As users we must be able to resolve the differences in our user roles and act with diligence across domains and devices.
To that end, the Chief Information Officer/G-6, along with multiple Army, Joint, academic and industry partners, has developed the Army Data Strategy. The Army Data Strategy is nested with the DoD Net-Centric Data Strategy and supports the Army Network Campaign Plan and Army Operating Concept. The current data environment is characterized by diverse, disconnected data sets, stovepiped analytical systems, complex standalone applications that depend on skilled expertise to access, and huge data storage and transport costs. These conditions render the exchange of data confusing, time-consuming and expensive, and have hindered warfighting effectiveness by denying decision makers powerful predictive and analytical capabilities.
At some level, I think there is this notion that “if it works, it must be ok” that exists throughout the Army with regards to DoD computer use. For example, at work, if I want to charge my smartphone and I plug it in via USB cable and it begins to charge, I assume I have not violated any policy or placed the network and Army at risk. This is a dangerous mindset and one predicated by insufficient information security awareness and lack of perceived individual responsibility for network and data security. I think this mindset is further substantiated by a lack of feedback and a lack of incident reports that are conveyed to all users to stress the importance of following set security policies and taking personal responsibility for computing safely both at home and at work. Using true and relevant incident case studies during unit cybersecurity training will help to bring the threat more into focus for many of our Leaders and Soldiers. As Army Leaders we must make every effort to educate, train, and inspire our Soldiers to act responsibly and understand that their actions on and off the network can have strategic Army and national effects. As GEN (Ret.) Colin Powell once said, “Never neglect details. When everyone’s mind is dulled or distracted the leader must be doubly vigilant.”
With the recent evolution of the Army Cyber Branch, the definition of cyber in terms of Army operations has been further blurred. While the workforce may now have separate career fields, the need for teamwork has never been more paramount. As a former Military Intelligence Officer and later a member of the Signal Regiment, I was often the sole information security officer in my unit, and understand the challenges of training not only the information technology professionals within the unit’s staff, but also the importance of emphasizing information security to all Soldiers within an organization. The Cyber Branch has carved out for itself a very specific cyber operations mission set, however, most of the boots on the ground, fundamental information security tasks still lie in the hands of the Army Signal Corps as the network service provider and information technology support specialists, but they shouldn’t be alone in protecting the network and data.
The term cyber workforce brings to mind a bunch of on-net-operators holed up at Fort Meade countering nation-state aggression against DoD computer assets. While this is a mission set reserved for Army Cyber Command and other specialists, our network is most vulnerable when used inappropriately by our own team members. In this respect, the Signal Corps Soldiers and Leaders at lower echelons play a very pivotal role in the cybersecurity of the Army’s networks. In order to reduce the risk of network disruption and exploitation by our adversaries, the Army Signal Corps in conjunction with Army Cyber branched Soldiers must work hand-in-hand in order to defend the network from both the bottom-up and from the top-down.
One of the Army Cyber Institute’s ongoing efforts is to catalyze Army transformation in order to assure our cyber dominance. However, the Cyber Branch alone is not capable of achieving dominance without partnership and collaboration with the Signal Corps and vice versa. With the limited size of the Cyber branch, and the consolidated nature of their duty positions, Signal Soldiers and Leaders assume the mantle of information security and network operations subject matter expert at their unit. Information security is not just a challenge faced by those at Fort Meade and Fort Gordon, but rather must be emphasized at all duty stations, in all units, by all Army personnel. The creation of the Cyber branch, is a powerful complement to the Signal Corps, and can do much to help enable and support the Signal Corps in its effort to provide world-class Information Technology resources and secure tactical communications for our warfighters. Only together, through shared values, culture, and technical expertise can the Army’s Cyber and Signal professionals continue to build credibility, respect, and trust between our Army’s combat commanders and those of us providing the secure and robust network communications they require for victory.
The Army Signal Corps motto is “Pro Patria, Vigilans” or “Watchful for the Country.” This motto should be echoed by each computer user, who approaches each work day and each action as a deliberate task to be performed securely within policies, guidelines, and informed common sense. Information security cannot be achieved through the diligent acts of a few, but must be a daily priority of all. Through the vigilant protection and maintenances of our Army’s networks, we can do our part to ensure we are always ready to protect the nation.