Wanted: Metrics for Measuring Cyber Performance and Effectiveness
Intense worries about cybersecurity mean system owners are stacking up cyber tools to help protect their organizations, often duplicating features and capabilities in the process. The problem: There’s no sure way to measure the effectiveness of one tool over another.
Today’s shortage of skilled cybersecurity professionals won’t end overnight, but the answer to solving the shortage may be here. It’s the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. By defining a common language to describe the skills, knowledge and requirements needed to fill each type of cyber job, the framework provides a baseline for understanding which can be shared by employers, educators and workers alike.
The first cyber standard for the Internet of Things provides an object lesson: While any standard is better than no standard, the changing nature of threats means security will remain a moving target and the new standard does not absolve its users from ongoing vigilance against emerging threats.
Insider threat protection programs accumulate massive storage volumes in order to monitor and track user activity over time. What data organizations choose to collect – and how long they choose to retain – depends on its risk tolerance and how much it’s willing to spend.
What We’re Reading
The new administration’s extended transition process has led to an unusual circumstance in which there are literally zero politically-appointed acquisition officials anywhere in the Defense Department. Such a scenario might seem like an unlikely time for DoD to make major changes to the way it buys information technology, but that’s exactly what the career civil servant who’s currently leading the department’s vast acquisition apparatus hopes to do over the next year.
For the U.S. Army, the global war on terror is beginning to look like the good old days. It was a long fight that is not yet over, and as usual, the Army has suffered most of the joint-force casualties, but at least terrorists don’t have long-range fires, tactical aircraft, heavy armor, sophisticated cyber weapons or electronic-warfare capabilities.
The U.S. Department of Defense will soon start sending more secure emails.
The Defense Information Systems Agency (DISA), the body in charge of the Pentagon’s email, said it plans to enable stronger encryption on all emails by July 2018.
A year after then-chief information officer Terry Halvorsen first publicly floated the idea of killing DoD’s Common Access Card in favor of a collection of more flexible authentication technologies, the Pentagon is beginning to test drive at least one of the potential replacements for the CAC.
Last week, the Defense Innovation Unit-Experimental reached an agreement with Plurilock Technologies, a Victoria, British Columbia-based firm that holds several patents on behavior-based authentication (or, “behaviour-based,” to our friends to the north).
Intelligence drives operations. The same can be said for quick-reaction cyber forces when responding to an incident.
Lt. Gen. Alan Lynn took over as director of the Defense Information Systems Agency in July 2015, assuming leadership of the agency after previously serving as vice director and as chief of staff. He’s also spent time leading Army Network Enterprise Technology Command and Army Signal Center of Excellence, priming him to lead the Defense Department’s mission-critical IT agency.
The Defense Information Systems Agency is undertaking a comprehensive modernization effort for endpoint security.
Frank Kendall, the US undersecretary of defense for acquisition, technology and logistics, on the prospect of another continuing resolution, Congress’ proposal to use Overseas Contingency Operations funds to boost the Pentagon’s base budget, and DoD concerns with reform proposals.
One of the U.S. Air Force’s most important online portals is now running in the cloud.
MyPers, the Air Force’s personnel portal for 1.7 million active duty and retired airmen, civilian and reservists, began operating in July out of an Oracle-managed off-premise cloud specifically designed and secured to handle some of the Defense Department’s most sensitive unclassified workloads.