In an unclassified memo viewed by DefenseScoop this week, the Navy’s Chief Information Officer Jane Rathbun unveiled this policy change and overarching plan to overhaul networks and their respective infrastructure into an integrated system that leverages enterprise IT services. 

“All shore legacy and excepted networks must transition to designated enterprise networks no later than December 31, 2027,” she wrote.

In response to questions Thursday, Rathbun said her team decided to set an absolute deadline in that timeframe because they recognize that migration can be hard, but they’re “looking for mavericks to figure out a better way to approved paths like Naval Enterprise Network (NEN) and Marine Corps Enterprise Network (MCEN) soonest.”

The CIO will process waivers on a case-by-case basis for the networks that officials determine cannot move into a designated enterprise environment due to their unique mission requirements. 

“Change is hard and not everyone will be happy that we are turning off their legacy and exception-based networks, but operational resilience is better, it’s more secure, more adaptable and users are happier and more effective — it’s time to move,” she said.

To enable the transition, network owners are directed in the memo to carry out a list of activities, including but not limited to: reviewing and updating the Pentagon’s Information Technology Portfolio Repository for the Department of the Navy’s registered networks to reflect those documented in this revamp process; completing a network assessment to map network requirements to the enterprise IT services catalog; developing a transition plan and timeline for transitioning legacy assets; and supplying a detailed breakdown for funding and resourcing their elements of the consolidation effort.

Resource-informed transition proposals for each legacy network will be evaluated by senior officials in the Navy and Marine Corps’ CIO offices to determine resource adequacy and certify the DON IT and Cyber Activity (IT/CA) budget for fiscal 2027.

“Failure to submit an executable transition plan with documentation of resources per above will result in decertification of the IT/CA budget under the cognizance of the applicable Budget Submitting Office,” Rathbun wrote in the memo.

This new policy builds on some modernization initiatives launched by the Navy during the Biden administration, and also aligns with President Donald Trump’s key priorities in his second term associated with eliminating government waste and accelerating tech-driven innovation. 

“One of the benefits of making use of world class commercial capabilities, is that we don’t need to carry around hundreds of inferior capabilities that were developed before the enterprise service existed,” Rathbun said Thursday.

She pointed to the Navy’s cloud-based office suite of tools known as FlankSpeed, and the Marine Corps’ unclassified M365 cloud environment called Hyperion, which were both recently designated as official DON enterprise IT services for messaging and collaboration.

After that, “the doors for divestment have swung wide open,” she explained.

“We now have an award-winning capability that Sailors and Marines tell us is better than their out-of-work experience for the first time in their careers. Our warfighters deserve this and more — it’s so good that they want it,” Rathbun said. “And with that, the other side of the coin is that there are a lot of old or bespoke networks that have to go.”

The post A first look at the Navy’s new plan to drastically consolidate legacy IT networks by late 2027 appeared first on DefenseScoop.

The upcoming losses are due to some DISA employees accepting deferred resignation or voluntary early retirement programs, terminations of probationary employees and other workforce reduction initiatives inspired by Elon Musk’s DOGE, according to Lt. Gen. Paul Stanton, head of DISA and the Joint Force Headquarters-Department of Defense Information Network.

DOGE stands for Department of Government Efficiency.

However, the workforce reductions may glean some benefits for the agency, Stanton suggested during a Senate Armed Services cybersecurity subcommittee hearing.

“It’s giving us an opportunity to ruthlessly realign and optimize how we are addressing what is an evolving mission,” he said.

DISA is the Pentagon’s combat support agency responsible for providing IT and communication support to the military, as well as other federal organizations like the Department of Homeland Security and U.S. Secret Service. At the moment, DISA employs roughly 20,000 individuals — including around 6,800 DOD civilians and 1,200 active duty military personnel — and more than half are contractors, Stanton said.

Across the federal government, agencies are carrying out mandates from President Donald Trump designed to “maximize efficiency” by massively reducing the civilian workforce and making significant budget cuts. At the Pentagon, leaders are currently planning to slash more than 50,000 of the department’s 900,000-plus civilian personnel through deferred resignations, cutting probationary staff and implementing temporary hiring freezes.

Stanton told lawmakers that DISA is using the downsizing as an opportunity to reorganize its remaining workforce and direct more focus to some of its top priorities. 

“Things like the Multi-Partner Environment and initiatives like DoDNet are driving our workforce to perform roles that they hadn’t previously, and so we are doing a realignment,” he said. 

The agency also plans to request Pentagon approval to do a “surgical rehiring” in order to fill any gaps as a result of the workforce cuts that could negatively impact DISA’s missions.

“We need to hire the right people back into the right positions to then lead us forward,” Stanton said.

Along with cuts to its civilian workforce, the DOD is looking to cancel a number of IT consulting contracts following an April memo from Secretary of Defense Pete Hegseth. Components affected by the directive include the Defense Health Agency, the Defense Advanced Research Projects Agency and some of the military services.

Stanton told lawmakers that reviewing IT contracts is already a regular practice within DISA, as it allows the agency to adapt to emerging capabilities and stay aligned with its highly technical workforce.

“In the IT world, as technology changes, we have to continually evaluate whether or not we have the right industry partner performing the right mission, and so we routinely evaluate,” he said. “They’re not consulting contracts. These are individuals that are putting hands on keyboards, that are running fiber optic cables, that are performing server maintenance in a global footprint. And our contracts are healthy and are in a good spot.”

The post DISA expects 10 percent reduction in workforce due to DOGE-inspired campaign appeared first on DefenseScoop.

The nomination was submitted to Congress on Tuesday and referred to the Senate Armed Services Committee for consideration, according to a notice posted on Congress.gov.

The Defense Department CIO “is the principal staff assistant and senior advisor to the Secretary of Defense and Deputy Secretary of Defense for information technology (IT) (including national security systems and defense business systems), information resources management (IRM), and efficiencies. This means that DoD CIO is responsible for all matters relating to the DoD information enterprise, such as cybersecurity, communications, information systems, and more,” according to a Pentagon description of the role.

Davies has served in IT and cybersecurity roles at major firms in the private sector.

Previously, she was chief information security officer for Unilever; senior vice president and chief information security officer at the Estee Lauder Companies; managing director and group chief security officer at Barclays Africa (now known as Absa); vice president of enterprise security strategy and transformation solution at Hewlett-Packard; global deputy CISO at Siemens; and senior associate at Booz Allen Hamilton, according to her LinkedIn profile.

She is cofounder and CEO of the Institute for Cyber, which is a “non-profit organization with a mission to advance the safety, security, privacy, and digital integrity of experiences citizens have while using technology, AI, and digital data in their everyday lives,” according to the organization’s website.

Davies has also been a member of the National Security Institute’s Cyber and Tech Security Council. NSI is part of George Mason University’s Antonin Scalia Law School.

Katie Arrington is currently the acting DOD CIO and recently launched a new Software Fast Track (SWIFT) program that aims to overhaul cumbersome bureaucratic mechanisms and streamline the Pentagon’s ability to rapidly approve new software capabilities for warfighters.

Leslie Beavers was acting CIO before Arrington was appointed to that role.

John Sherman served as Pentagon CIO during most of the Biden administration and was the last to be Senate-confirmed in the role.

The post Trump nominates Kirsten Davies to be next DOD CIO appeared first on DefenseScoop.

The moves — outlined in a pair of memos issued to the chief of naval operations, Marine Corps commandant, Navy assistant secretaries and general counsel — are pursuant to Defense Secretary Pete Hegseth’s “commitment to strategically rebuild our military, restore accountability to the Department of Defense, cut wasteful spending, and implement the President’s orders,” Phelan wrote.

The IT contracts axed by the SECNAV include those for the Naval Maintenance, Repair and Overhaul (NMRO) program.

The NMRO system was designed to provide mobile access for users, embedded job performance aids, lobby functions providing customizable work areas of interest, and 3D interactive renderings of ship systems enabling sailors to click on an object to access technical and logistics data, according to a news release last year from Fleet Force Command.

“The NMRO logistics program is critical software for the Navy. However, for 5 years systems integrators have over-engineered the software to the point where it is unusable. Upon the recommendation of Navy leadership, the current contracts under the NMRO program shall be terminated. This will allow the Program Office to apply the savings towards a new strategy to meet our needs,” Phelan wrote in a new memo obtained by DefenseScoop from a Navy official.

He also directed the Navy’s chief information officer to prepare a new acquisition strategy by July 31, along with management review of the program.

“Collectively, these contract terminations represent over $568 million in total contract value, which we estimate can allow the Navy to repurpose up to $200 million in taxpayer funds in a more effective manner,” Phelan wrote.

“I commend the Navy leaders who raised this opportunity that will result in a more effective fighting force. Moreover, I encourage leaders across the Department of the Navy to follow this example in identifying opportunities to eliminate wasteful spending which we can then re-invest into critical mission needs,” he added.

In a separate memo obtained by DefenseScoop, Phelan ordered the termination of 45 other contracts and grants. He said the cuts target “wasteful spending” on climate change, DEI, social science, and “other activities which are not aligned with DoD and DoN priorities.”

The cuts include grants for studies of “Persuasion, Identity, and Morality in Social-Cyber Environments” and “engendering and leveraging trust in longitudinal human-AI interactions,” among others, according to the memo.

“Collectively, these 45 terminations represent over $87 million in total award value, which we estimate can save up to $41 million in taxpayer funds the Navy can better apply to critical priorities,” Phelan wrote.

The cuts come as Pentagon leadership has been working with the Trump administration’s Department of Government Efficiency (DOGE) team, led by tech titan and presidential adviser Elon Musk, to review spending.

“I commend the DOGE team for finding these opportunities to help save the Navy and increase our readiness and warfighting capability,” Phelan said in a video posted on X, the social media platform owned by Musk. “Stay tuned — there’s more to come.”

Earlier this month at the Sea-Air-Space conference, Navy CIO Jane Rathbun noted that the Trump administration’s DOGE team was examining the Navy’s software enterprise and use of commercial software.

“It’s actually being led through the DOD CIO, and it is collaborative and they are asking for information from us. They are asking for information from the industry partners and really understanding how we buy, how we consume, and how we could do it more effectively,” she told DefenseScoop.

Hegseth has also been pushing to rein in Pentagon spending on IT services contracts. About two weeks ago, he issued a directive ordering the termination of several major contracts, with estimated savings of more than $4 billion. He also directed the Pentagon’s chief information officer to draw up plans for in-sourcing, among other measures.

The post Navy Secretary Phelan terminates IT contracts, grants amid DOGE drive appeared first on DefenseScoop.

The aim is to “cut wasteful spending” and “support the continued rationalization” of the Defense Department’s IT enterprise, Hegseth wrote.

The move comes amid a broader push by the Trump administration to implement Department of Government Efficiency (DOGE) initiatives across federal agencies.

Hegseth’s new memo to senior Pentagon leadership ordered the termination of contracts affecting a variety of DOD components, including a Defense Health Agency contract for consulting services; an Air Force contract to re-sell third party enterprise cloud IT services; a Navy contract for business process consulting services; and a Defense Advanced Research Projects Agency (DARPA) contract for IT helpdesk services.

In a video released on social media touting these DOGE-related efforts, Hegseth estimated that those contract terminations would save the Pentagon approximately $1.8 billion, $1.4 billion, $500 million and $500 million, respectively.

“These contracts represent non-essential spending on third party consultants to perform services more efficiently performed by the highly skilled members of our DoD workforce using existing resources,” he wrote in the memo.

Hegseth also tasked the Pentagon CIO to work with the DOGE team to produce a plan within 30 days for how DOD will in-source IT consulting and management services to the department’s civilian workforce.

The new call for in-sourcing comes as Pentagon leaders are advancing efforts to make major cuts to the civilian workforce. Hegseth has said he wants to reinvest savings from employee reductions into higher-priority warfighting capabilities.

The plan from the CIO that Hegseth ordered in Thursday’s memo must also address how the Defense Department will negotiate “most favorable rates on software and cloud services, so the DoD pays no more for IT services than any other enterprise in America,” the SecDef wrote.

The memo also tasks the chief information officer to complete an audit of Pentagon software licensing by April 18. The purpose of the audit is “to ensure we are only paying for the licenses we actually use, the features we actually need, at the most favorable rates,” according to Hegseth.

Katie Arrington is currently performing the duties of DOD CIO.

Earlier this week at the Sea-Air-Space conference, Navy Chief Information Officer Jane Rathbun said DOGE and the DOD CIO were reviewing the service’s software enterprise.

“It’s all about making the right investments in modernizing, but modernizing with an eye towards effectiveness and efficiency. We’ve got this new administration. We’ve got the DOGE in working with us, and they’re focused on effective consumption of commercial software. Are we doing the best job we can deliver in buying and utilizing the software that we have?” she said.

The Navy is a huge purchaser of software licenses, Rathbun noted.

“It’s a big number. And so are we buying effectively? Are we utilizing the things that we’re buying effectively? There’s always opportunity for improvement. And I would say that’s an area in my portfolio that I want to focus on but have not a lot of people to do that, which is something that has always bothered me and I want to be doing better at is really this optimization concept. I’ve got to continuously modernize but I have to do it in an optimal way,” she said.

The post Hegseth issues new directive to rein in Pentagon spending on IT services contracts appeared first on DefenseScoop.

“This concludes a rewarding journey through military service, private industry, and government leadership. It’s been an honor to support our mission, lead technology initiatives, and work alongside the exceptional personnel of our Air and Space Forces,” she said in a post on LinkedIn announcing her exit. 

Goodwine was tapped to serve as DAF CIO in August 2023, and oversaw modernization efforts for information technology, cybersecurity, data and artificial intelligence for both the Air and Space Forces. She led several initiatives throughout her tenure that aimed to streamline the DAF’s experimentation and adoption of emerging AI capabilities, while also pushing for increased transparency on the department’s development and spending on the technology.

In 2024, she helped stand up the DAF’s NIPRGPT 1.0 platform, where airmen, guardians, civilian employees and contractors can interact with a generative AI chatbot on the Non-classified Internet Protocol Router Network (NIPRNet). The tool served as a way for the department to experiment with large language models to help determine best use cases in the future.

Goodwine was also involved in the department’s work to adopt zero-trust cybersecurity frameworks, as mandated by the Pentagon. Her Zero Trust Strategy, released last year, emphasized leveraging cloud-based capabilities and integrating identity, credential, and access management (ICAM) solutions.

Prior to serving as DAF CIO, Goodwine was the director of enterprise information technology for the department. She previously spent more than two years as chief information security officer at the Department of Agriculture.

Goodwine is an Air Force veteran, having joined active duty in 1986 and serving as a signals intelligence analyst. She then served in the Air Force Reserve from 2002 until her retirement from uniformed military service in 2022.

Although she is leaving federal service, Goodwine noted in her LinkedIn post that she is open to other opportunities outside of government.

“After years of tackling complex challenges, I’m looking forward to this period of rest and reflection. But make no mistake—this is just a break, not an ending. I remain excited about future opportunities and new ways to contribute,” she wrote.

The post Venice Goodwine exiting role as Air Force CIO appeared first on DefenseScoop.

Network modernization is a top priority for service leadership. The deputy chief of staff, G-6, trumpeted the unveiling of Army Unified Network Plan 2.0 in a LinkedIn post Tuesday.

“AUNP 2.0 is new guidance on how the warfighter actually approaches, accelerates and operationalizes the unified network across the board,” Lt. Gen. Jeth Rey said in a statement. “It’s going to enable multi-domain operations and chart the roadmap of where we’re going for the unified network by 2027. It also talks about the critical enablers required to achieve a multi-domain operational Army by 2030.”

The first iteration of the unified network plan was released in 2021.

“Since then, a confluence of emerging technologies and events has transformed the world into a multidomain, persistently contested information environment that demands a far more data-centric approach to harness the power of the Army Network to fight and win,” officials wrote in version 2.0.

Integrating zero trust — a cybersecurity framework that assumes adversaries are already moving through information technology networks and therefore requires organizations to continuously monitor and validate users and their devices as they move through the network — is a key element of the second iteration. It’s also a top IT modernization priority for the Defense Department writ large. The DOD’s goal is for all components to achieve “target levels” of zero trust by the end of fiscal 2027.

The Army’s new document is “a strategic guide to operationalize the Unified Network through a focus on ZT principles that improve how the Army’s network moves and secures data,” officials wrote. “The plan incorporates observations and lessons learned from ongoing operations around the globe, as well as best practices for security. Static command posts are no longer uncontested in combat operations; neither are our data or network. As with command posts, the network and data must be agile, adaptable, and able to rapidly move to the point of need even in a denied, disrupted, intermittent, and limited bandwidth (DDIL) environment. Whereas past network strategies homed in on perimeter defense and hardware, the AUNP 2.0 is focused on common principles and standards to centrally deliver and manage the network and data.”

Other key principles include reducing or eliminating information technology complexity at the tactical edge; centralizing IT service delivery and resourcing; establishing and employing common standards, processes and systems; pursuing priorities for command and control in support of multi-domain operations; enabling faster, secure data-sharing across security domains and with allies and partners; and developing concepts of operation and “validated operational requirements at echelon.”

In the near term, the Army is focused on efforts to “operationalize” the unified network, including by completing the operations construct for the Army’s portion of the Department of Defense Information Network with supporting force structure; implementing a hybrid compute capability in support of tactical formations operating in denied, disrupted, intermittent and limited bandwidth environments; and establishing a “persistent” Mission Partner Environment and funding strategy, inclusive of “all hardware, software, infrastructure, sustainment, and people” from the tactical edge to the enterprise level, among other initiatives.

“This phase ends with the establishment of a Unified Network based on Zero Trust principles, enabling the seamless transfer of data across all echelons, postured to support” multi-domain operations, according to officials.

For the next phase beginning in 2027, the focus will be on additional modernization and transformation, such as final integration of the zero-trust architecture and continued integration with the other services and mission partners.

Emerging technologies that are expected to play a key role in that effort include dynamic and diverse transport, robust computing and edge sensors; data-centric data management technologies and platforms with tagging and labeling at the source; robotics and autonomous operations; quantum-resistant encryption and technologies; and AI and machine learning models and capabilities, among others, according to the Army.

The post Army unified network plan 2.0 prioritizes zero trust appeared first on DefenseScoop.

Deasy served as the Pentagon CIO during the first Trump administration starting in May 2018 and oversaw a variety of high-profile modernization initiatives.

He was at the helm when the department moved to large-scale telework as employees adapted to the COVID-19 pandemic. He established the COVID-19 Telework Readiness Task Force — which included officials from U.S. Cyber Command, Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), the National Security Agency, Defense Information Systems Agency, Joint Staff, the military services and the CIO’s office — to boost network capacity and deal with what he called an “unprecedented demand for new equipment ranging from tablets, laptops and network equipment to secure devices.”

Those efforts included rolling out tools such as the Commercial Virtual Remote Environment.

During his tenure, the Pentagon stood up the Joint Artificial Intelligence Center (JAIC) to help accelerate the adoption of AI by the Defense Department. The JAIC was later folded — along with several other organizations — into a new Chief Digital and AI Office (CDAO) during the Biden administration.

The department also adopted a set of AI ethical principles in 2020 while Deasy was CIO, which stated that the U.S. military’s tech in this area must be “responsible, equitable, traceable, reliable and governable.”

At the time, he suggested that those principles could also be relevant to the private sector.

“Having been on both sides, there is nothing in these principles as you read them that are uniquely and only specific to the DOD. Any one of these is absolutely applicable to the private industry as well,” he told reporters during a February 2020 press briefing, according to a DOD transcript. “Am I trying to suggest that we are going to be the leaders in driving out in the corporate world? No. The corporate world will pick up at that and deal with it in the appropriate way. But I think the application of how you could apply these are very applicable to private industry.”

Deasy was an advocate for enterprise cloud efforts, but the department’s ill-fated Joint Enterprise Defense Infrastructure (JEDI) initiative fizzled during his tenure. The Pentagon later replaced it with the Joint Warfighting Cloud Capability (JWCC) program.

When officials released a new data strategy in October 2020, Deasy likened data to “ammunition,” saying in a statement that it was “increasingly central to warfighter advantage on and off the battlefield” and needed to be “persistently available to the men and women of the DOD regardless of echelon or geographic location.”

After leaving the Defense Department in 2021, Deasy started his own advisory company, served on corporate boards and was an adjunct professor at Carnegie Mellon University, according to his LinkedIn profile.

John Sherman succeeded Deasy as Pentagon CIO and served in that position during most of the Biden administration. Last year, Sherman left the department to become dean of the Bush School of Government and Public Service at Texas A&M University. Leslie Beavers is currently serving as acting DOD CIO.

Prior to his time at the Pentagon, Deasy worked in corporate leadership positions, including in CIO roles for JPMorgan Chase & Co., BP, General Motors, Tyco International and Siemens AG.

In his new role at Boeing, he’ll “oversee all aspects of information technology, information security, and data and analytics” and serve on the firm’s executive council, the company said in a press release.

Boeing is an aerospace giant and a contractor for a variety of major DOD programs.

Deasy will report to Kelly Ortberg, Boeing’s president and CEO.

“Dana is a well-respected, global technology leader who has a track record of delivering on innovative technologies across large and complex organizations,” Ortberg said in a statement. “With the need to stay vigilant to protect against cyber threats, and emerging technologies like artificial intelligence playing a larger role across all industries, our IT team will have a key role as we focus on meeting our safety and quality goals, delivering reliably for our customers and positioning ourselves for the future.”

The post Former Pentagon CIO appointed to senior position at Boeing appeared first on DefenseScoop.

The center, headquartered at Scott Air Force Base, Illinois, was stood up in 2019 and was responsible for delivering cyber capabilities. The recently announced change making it a field operating agency that is secretariat aligned will require no movement of people, and it’s expected to reach full operational capability by October 2025.

“This is a significant step toward streamlining and consolidating Information Technology functions and ensuring unity of effort in IT service delivery across the Air Force and Space Force,” Frank Kendall, secretary of the Air Force, said in a statement. “By combining and aligning these functions to their authoritative owner, the IT enterprise will be able to produce capabilities in shorter, more rapid development cycles — ensuring requirements are expediently actioned and delivered to the Airmen and Guardians who need them.”

As a field operating agency, the center will develop and manage services such as cloud computing, cybersecurity, mobility, and data centers, to ensure interoperability and consistency across the department, according to a LinkedIn post from the Department of the Air Force CIO.

The move — which was effective Dec. 20, according to a release — is in line with Kendall’s ongoing effort to reoptimize the DAF for great power competition, a sweeping set of changes overhauling how the service is organized and creating new commands as it transitions from 20-plus years of counterterrorism operations and focuses on countering advanced adversaries such as China.

As part of those changes, the Air Force has sought to elevate the role of cyber and IT functions, with forthcoming moves including elevating Air Forces Cyber and splitting the intelligence and cyber roles at the deputy chief of staff level. The latter change aims to elevate the role of IT, cyber and warfighter communications with a dedicated three-star general serving as the chief advisor to the secretary.

“The bifurcation of IT did not meet my intent to rapidly deliver capabilities based on the requirements provided by our people,” Kendall said.

The evolution of the Cyberspace Capabilities Center, which will include the realignment of functions from other organizations and future administrative changes, will more effectively organize, train and equip the IT enterprise and cyber personnel, according to the Air Force.

“Our men and women are used to change, but we’re especially excited about this opportunity to refocus our mission centered around service delivery for the enterprise. We can already see the synergies building between our team and the DAF CIO’s staff,” Col. Chris Rubiano, Headquarters Cyberspace Capabilities Center commander, said in a statement. “We look forward to onboarding other Enterprise IT functions from across the Department and working with stakeholders to grow processes which help us best develop capabilities for both Airmen and Guardians.”

The move also aims to align with the Air Force’s notion of “one department, two services,” since the inception of the Space Force in 2019, with the need to better represent the structure among both entities.

“Many people don’t realize how vast our office’s statutory authority for IT is — there are many responsibilities that my office cannot delegate and that we are responsible for delivering and synchronizing across the Enterprise, which is inclusive of all IT — from business, to warfighting, to intelligence, to services of common concern,” DAF CIO Venice Goodwine said in a statement. “I have a responsibility to the secretary, but also his staff and both services, to ensure their IT requirements are captured and developed in a way that is not only responsive but cost effective and interoperable with one another. We can do this through effective governance, and alignment of the Cyberspace Capabilities Center as a Field Operating Agency to my office, will help reinforce adherence to the capability delivery process.”

The post Air Force aligns cyber center to CIO appeared first on DefenseScoop.

On a panel moderated by DefenseScoop Tuesday at a Scoop News Group-produced GDIT event, two Defense Department officials and two defense industry executives shared their latest insights on contemporary, real-world threats they’re tracking — at this convergence of IT systems, like computers and servers, with OT systems, like vehicles and medical devices — and how their teams are moving swiftly to adapt and respond.

“When we think about it, installations are our critical power projection platforms. They’re foundational to allow us to launch our critical missions, to ensure readiness, and really do power projection for the United States Air Force and for the DOD in general,” the Department of the Air Force’s acting Deputy Principal Cyber Advisor Lt. Col. Andrew Wonpat said.

“And when we think about cybersecurity, one of the big initiatives across the [DOD] and the U.S. government is zero trust. And that is transformative if we’re going to look at how we do that for operation technology,” he added.

Wonpat and the other panelists reflected on the broad landscape of global, existing and emerging OT vulnerabilities they’re monitoring and moving to mitigate.

Pointing to recent publicly reported numbers he pulled, Wonpat said that “China has approximately 100,000 cyber operators.” Noting that number could be an inflated estimation, he argued it’s best to assume that the real number could be much lower.  

“So, if we just extrapolate that, if China only has half of that — 50,000, that’s about the number of people in a [specific] town or a city within the United States — so that is significant for us from a military perspective, and the Department of Air Force to really grapple with,” Wonpat said.

Dwindling that down further, assuming only 10% of those personnel would be explicitly focused on OT efforts, it would still be about 5,000 people, which in his view is a lot for the service to contend with.

“So, how do we contend with those threats? One thing we did — one of the big initiatives — is [the Air Force established a new] organization called CROCS, or the Cyber Resiliency Office for Control Systems. They’re really responsible for coordinating and overseeing the cybersecurity of our control systems and operation technology, as well as defending critical infrastructure,” Wonpat explained. “And there’s a lot that goes into that.”

He confirmed that early lines of effort for the CROCS team include workforce, governance, visibility and prioritization activities, and transforming OT defense and response.

“I’m really excited about the CROCS organization … It’s the first time I’ve seen something like this in the department and we really need it,” Tony Robertiello, GDIT’s senior program director for Air Force enterprise IT programs, said.

For the Air Force and civil engineering community, GDIT provides cybersecurity and associated protection services for about 600 facility-related control systems across the globe in multiple forms. 

Spotlighting recent analysis the company has captured, Robertiello noted that the convergence between OT and IT across the internet protocol or IP space is currently considered to be an intensifying threat.

“We have inventory data for those 600 systems — 30,000 devices are IP-based. And these are devices that you don’t put certificates on them, but they could scan the network and could be attacked or could be a point of attack,” he explained.

The GDIT team is working in partnership with the 16th Air Force, an information warfare hub with OT data that Robertiello said they’ve never had access to before. 

“What’s no surprise now is that the top 10 systems in the Air Force of all the systems that they track data on — the most vulnerable systems, that top 10 — it’s OT systems. These are legacy systems. So, the threat is real out there against these types of systems,” Robertiello said.

He and other panelists also discussed Volt Typhoon and similar recent OT attacks aligned with what is reportedly China-backed advanced persistent threat (APT) groups, targeting critical infrastructure.

“One observation I will make is that if you look at what’s publicly reported, the Typhoon family is not doing the ransomware phishing attacks. They’re chaining vulnerabilities together and developing some legitimately sophisticated ways of intruding in the systems. The good news about that is that it means the sort of traditional stuff is less effective. So, some of the things that we’ve been doing for years — trying to secure systems and teach people about phishing — some of that is having an effect,” said Terry Kalka, director of the defense industrial base collaborative information-sharing environment at DOD’s Cyber Crime Center (DC3).

Officials inside DC3 are executing on what he referred to as defensive missions on DOD networks, as well as for the defense industrial base.

“One of the things we’ve had a lot of success in is vulnerability disclosure, where we work with white hat open-source or crowd-sourced researchers to look for vulnerabilities on public infrastructure,” Kafka said.

In the eight years since that program launched, around 50,000 vulnerability reports have been submitted, and heaps of patches have been made in response. More recently, the DC3 opted to build on that momentum by setting up a defense industrial base vulnerable disclosure program. 

“Now there’s an IBM report that estimates the cost of a data breach each year. This year, they say a data breach costs, on average, $4.8 million. I’m not going to try to do the math onstage. But if we have so far, in the DIBVDP, mitigated 59 vulnerabilities in six months … that’s about $288 million that we’ve saved industry and therefore saved the taxpayer. That’s a nice statistic if you have to go ask for cybersecurity money. And secondly, it’s a real, tangible effect in terms of what’s publicly available and how can we close that off as a way of entry,” Kalka said.

Autonomous endpoint management is another increasingly powerful solution the panelists highlighted. 

Sam Kinch, who previously worked at U.S. Cyber Command and is now an executive client advisor at Tanium, brought up a recent statistic that 70 percent of successful breaches start at the end point, which he said further reflects the growing need for organizations to capture IT and OT assets under one single umbrella of real-time visibility.

“One of the other stats that came out of DOD recently, if you look at the IT estate across their enterprise, it’s about 4 million endpoints they project right now. And they don’t know, but they’re projecting 15 to 18 million endpoints when you include the OT side of the house,” he noted.

“How is that for a target surface in a vulnerability state? Autonomous endpoint management is going to be essential. And what that means to us is really, how do you incorporate autonomy and automation into the process flows so you can reduce risk and drive down the mistakes that get made from mundane tasks nobody wants to do?” Kinch said.

The post How the Pentagon is moving to counter converging IT and OT threats appeared first on DefenseScoop.