The growing use of mobile communications devices by the U.S. military and by civilian agencies is shaping Pentagon efforts to protect information networks from cyber attacks, said a senior defense official.
One of the biggest challenges in protecting the IT infrastructure is having visibility over the thousands of computers and smartphones that soldiers use daily, said Michael J. Jones, chief of emerging technologies in the cyber division of the Office of the Army Chief Information Officer.
“You can’t defend what you can’t see,” he said June 1 at an Association for Enterprise Information conference in Alexandria, Va. “That’s why we’re spending a lot of effort and energy in getting asset visibility,” he told National Defense.
The goal is to develop an “information technology asset management system” that would give cybersecurity officers the ability to see every node in the network and to screen each one, in order to prevent intrusions, he said. “When you’re talking about one out of the 900,000 assets out there and figuring out which one poses vulnerability or which one could have a bad day, it makes it a daunting task.”
The State Department has a program called iPOST, a continuous monitoring and risk reporting application for the agency’s IT infrastructure. The Army is looking to adopt that same model by leveraging current “asset visibility tools,” said Jones. Cybersecurity officials can pull that information back and “score” each of the devices on the network to quantify the risks that exist in cyberspace. “This allows us to then quickly identify what the next problem device is going to be so that we can get after it and then patch it,” he said. “As we look at adding more mobile electronic devices, we’ve got to make sure we have visibility of those devices. How can we make sure we control those devices? Continuous monitoring will help us — we call it ‘see, know and do.'”
Jones expects a working system to be in place by next spring.
“I’m pretty confident that within nine months to a year on the outside, the repository that we’re looking for would be at a minimum at an initial operating capability,” he said in the interview.