DOD looks to redefine roles for IT workforce

The Defense Department working to redefine the role of its IT workforce and make cybersecurity responsibilities a key part of virtually every job.

Many in the cybersecurity field have discussed the responsibility of everyone in the “chain” to employ good cyber hygiene, as they are all responsible for cybersecurity. This includes everything from protecting one's login credentials to knowing not to click on suspicious links in emails.

This paradigm clicked for DOD Deputy CIO for Cyber Security Richard Hale when he visited a DOD data center. While the staff members there were very knowledgeable about the technologies they were running as well as their mission set, they told Hale that cybersecurity for the data center was not their responsibility. Rather, that was left to someone else.

“We crafted our policies and our responsibilities incorrectly,” Hale said at a Feb 17 event hosted by FCW, a GCN sister publication. “We’ve got to get the job descriptions right, and so we’re in the middle of an effort to redefine the work roles, job descriptions, qualification standards and training standards for the whole information technology workforce in the department.”

Just as safety is part of every job in the airplane business, Hale said, everyone in IT must work on cybersecurity. All team members must know what they are responsible for and must receive the proper training to help them meet those responsibilities.

"We've started [to revise] the work-role standards," Hale added, "and we're making good progress. There are a lot of good people helping us with that."

These basic building blocks are something that the head of U.S. Cyber Command and the National Security Agency Michael Rogers also has discussed. According to Rogers, the force needs to approach the network as if it were a standard- issue weapon. “If [DOD] gave you a weapon, you must ensure that that weapon is appropriately treated, appropriately used, always secured. That is pounded into our culture,” Rogers said at a Jan 21 appearance at the Atlantic Council. “You have constant responsibility of the security of that weapon…. And you don’t ever forget that. We need to do the exact same thing in the cyber realm.”

Hale, at the Feb. 17 event, noted that one reason cybersecurity responsibilities must be so widespread is because the attack surface DOD must defend has broadened so dramatically. "If it's got a computer in it, it can be cyberattacked," he said, and embedded processers are now virtually everywhere. "It doesn't matter if it's connected to a network.... And if it's a DOD thing, there's the higher chance that it might be cyberattacked."