What DISA needs for secure networks
- By Mark Pomerleau
- Jan 15, 2016
“If I had to talk about my top priorities, it would be software-defined ‘X,’ and you can insert your term in there,” Defense Information Security Agency CTO David Mihelcic said Jan. 12. He was speaking at an AFCEA DC chapter breakfast, where DISA leaders outlined areas where they’re looking to industry for innovation.
DISA and the Defense Department at large must avoid static configurations and have software-defined infrastructure, he said, beginning at the network layer within the data center and reaching up the stack. DOD also must be able to automatically configure software applications on top of the software-defined infrastructure and to automate testing and certification to speed up deployment.
In addition to the infrastructure, cutting-edge cyber tools can assist in network security and situational awareness. John Hickey, a cyber security authorizing official at DISA, said that what he needs from industry is two-factor authentication -- particularly for system administrators.
“How do I enable strong authentication on the backside for system administrators is something that we’re looking at -- an enterprise capability for privileged management that we can deploy across multiple products,” he said. There’s a new vulnerability uncovered almost every day that administrators must address across multiple devices on the backend. “How do they get away from user name and password?” he asked.
Another aspect of security is the people who make up the cyber workforce. “Really what I want is experience…or well educated entry-level technical professionals who understand the particular technologies that they’re managing,” Mihelcic said. “So, instead of someone who has just a focus on cybersecurity certifications, I want a computer scientist or I want a system administrator who has a deep experience in successfully managing and building IT and … securing that IT.”
“The best investment we can make in terms of cyber and cybersecurity is upfront ensuring that our systems are built in a reliable and a robust and secure way as opposed to trying to bolt on security,” Mihelcic said.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.