Congress established service level principal cyber advisors in the 2020 defense policy bill. FCW sat down with the Army and Navy PCAs to get a sense of what their priorities have been in the past year.
Congress established principal cyber advisors within the military services in the 2020 National Defense Authorization Act as part of an effort to better synchronize oversight of the military’s cyber activities. The new civilian positions involve coordination and oversight, rather than direct authority over budgets and systems.
Terry Mitchell, the Army’s principal cyber advisor, told FCW that navigating the service’s missions and components has been the main focus for the first year of the new position.
“I think that's where Congress wants us to basically look: between the gaps and the seams and the no man's land and see what's being missed. What are things that are not being seen because they don't have somebody to advocate for it or to fight for it,” Mitchell said.
Mitchell, who was named to his post in September 2020, said that too many messages to Congress when it comes to cyber can lead to not having a message at all. “So what they're looking for is a message, a person to come talk to...to bring all the people together to have one voice,” Mitchell said, “and that's really important from a funding point of view, but it's also kind of important from a DOD point of view.”
So far, the principal cyber advisors have covered planning and funding issues, including the consideration of a cyber contingency fund.
“Do we need to create a contingency fund? We do it for war, but do we do it for cyber? Should there be a contingency response button for cyber because when we do a [program objective memorandum] every two years, you don't know if there's a cyber attack on the horizon; it's kind of that unplanned problem.”
The Navy’s principal cyber advisor, Chris Cleary, told FCW that carving out the distinction between the new role and the CIO role as it pertains to cyber -- while establishing communication lines to the service secretary -- were top priorities in the position’s first year. Cleary was appointed to his role last December.
“I think it's taken the Navy a little bit longer to find how they wanted to interact with PCA or, maybe said the other way, how the PCA [could] get on everybody's calendar. I'm in a much better spot now that I was, you know, four months ago.”
The CIO, Cleary said, is “responsible for providing the information environment -- and there's a very specific definition of what that is -- and as ones and zeros travel across that information environment, he is responsible for ensuring that it is built in such a way that it's resilient and survivable.”
The principal cyber advisor comes in to the right of the CIO’s mission, looking at the cyberspace activities and functions: cybersecurity, cyber operations and resiliency, such as critical infrastructure and weapon systems, and research and development, Cleary said.
The Navy’s version of the PCA’s approach looks like this, Cleary said: “Hey...I understand that most of your lane in the road is cybersecurity and you have a chief information security officer and I'm going to sort of pick up where the resiliency, and the warfighting side of this mission is, acknowledging that there is a brackish water area where cybersecurity overlaps. And weighing in on the adequacy of all of this.”
Cleary named weapons systems, critical infrastructure and the cyber mission force as his top focus areas that he’s encouraging the chief of naval operations, Navy secretary and commandant of the Marine Corps to “double down on” as cyberspace becomes “the new means and methods of warfare, that our peer adversaries, the Russians and the Chinese in particular, are wanting to specialize in. And in some instances, they're outpacing us. All is not lost, but we certainly need to give it the attention it's due,” Cleary said.
Mitchell said he’s interested in how cyber affects the Army’s readiness
“When people talk about cybersecurity with the CIO, they're more IT focused, where I'm trying to bring it to more of an operational discussion,” Mitchell said. “It's not a router discussion or cross domain discussion ... it is more in terms of if we don't get zero trust correct, how is it going to impact our ability to operate.”
The ransomware attack that hit Colonial Pipeline in May, which led to fuel shortages across the East Coast, potentially had downstream impacts on readiness, he said. There is fallout when the family of a soldier getting ready to deploy doesn’t have access to fuel, heat or an ATM because a utility company was hit with a cyberattack.
“There's myriads of ways that the family now will have to be burdened, if you will, as [the soldier is] trying to get out of the post. So where's my focus going to be: getting ready to go to war or my family?” Mitchell said.
On the budget side, principal cyber advisors are tasked with looking at whether the service’s wants, needs and aspirations line up with the allocation of resources.
“The CIO certifies the budget, the PCAs sort of come in over the top, particularly around the cyberspace activities portion of it, and weigh in on the adequacy of that, but the challenge is: where as a service, or as a department are we ultimately trying to go?” Cleary said, “and then weigh sort of those wants, needs and desires against the resources that are allocated towards it and then weigh in on the fact whether we're going to get there or not.”
Cleary noted that at present each military branch treats the cyber domain differently.
“There's not as much consensus within, I think, each of the services as how they're going to treat that domain. We acknowledge it from the threats that it poses to things like critical infrastructure and weapon systems, and traditional information systems and protecting data,” Cleary said.
But as he transitioned in the PCA role after being Leidos’ vice president of business development and strategy for cyber and signals intelligence, different questions and concerns arose regarding how the Navy’s workforce could respond to these threats, Cleary said. That is thinking about how to get an “adequately trained mission force whose job it is to fight in the cyber domain. How are we going to equip that force, both with authorities and tools and training.”
Cleary said the Navy has historically been platform-centric -- ships, planes, and submarines. But with cyber, there’s a “whole new problem set, and we're trying to figure out how to address that” while trying to stay aligned with the other service PCAs and with Rear Adm. Jeffrey Scheidt, the senior military advisor for cyber policy to the undersecretary of defense for policy, and deputy principal cyber advisor to the secretary of defense.
“We kind of speak with one voice on a lot of these things,” Cleary said.
NEXT STORY: Langevin tees up cyber legislation for 2022