Cyber security industry officials told a Senate panel on Wednesday the Pentagon should embrace more aggressive cyber hunting and automated threat detection capabilities, using the private sector’s improved technology to better protect its networks.
During the Senate Armed Services Cybersecurity subcommittee hearing, witnesses from industry told lawmakers the Department of Defense should consider further procurement reforms to ensure it takes better advantage of improved cyber security technologies currently being developed in the private sector.
“Opportunities remain for the department to improve its cyber security capabilities and practices across the enterprise,” Sen. Mike Rounds (R-S.D.), the subcommittee chair, said during his opening remarks. “The department’s cyber security acquisition is slow, decentralized and often over reliant on the National Security Agency’s product evaluation and indigenous production. Because of this, the department’s capabilities often pale in comparison to the best available in the private sector.”
Dmitri Alperovitch, CEO of CrowdStrike, told the panel DoD will continue to fall behind the commercial sector unless it starts to shift away from a focus on cyber hygiene to actively working to rid its network of malicious actors.
“The DoD needs to focus on continually hunting for adversaries on its networks. Much of what the department does today is cyber hygiene,” Alperovitch said. “Implementing security controls is hygiene. Patching vulnerabilities is hygiene. Building an asset inventory is hygiene. No matter how good the department gets at these tasks they alone will not accomplish the most important mission, stopping foreign intelligence and military services from countries such as Russia and China from breaking into their networks.”
Alperovitch said the private sector continues to outpace DoD in agile responses to shared threats, and told lawmakers to push the department to adopt cloud technologies that would improve its threat detection.
John Davis, federal chief security officer for Palo Alto Networks [PANW], added that the Pentagon may rely too heavily on manpower to conduct cyber security, placing the department at an increasing disadvantage.
“Network defenders are losing the cyber security battle because they are bringing people to a software fight,” Davis said.
Davis suggested pushing the Pentagon to adopt the “smartphone + applications” model utilized in the private sector, where the latest cyber security capabilities are more seamlessly integrated onto a single, interoperable platform.
“This is how you bring software to a software fight,” Davis said.
Francis Landolf, a principal with Core Consulting, said DoD’s procurement process is turning away innovative technology companies from seeking contracts.
“I have met with multiple venture capital firms that have actively steered their companies away from even trying to market to the government. Savvy companies seeking investment know to not use the DoD business as a likely source of revenue during their fundraising pitch to potential investors,” Landolf said.
Landolf added that the Defense Innovation Unit, the Pentagon’s experimental technologies office, is helping bridge the outreach with Silicon Valley startups.