The Army has over 1.1 million users, 33,0000 servers, 3,500 private web servers, nearly 1,500 public-facing websites, and over 1,000 authorized networks — so the job of keeping all that information secure is no small feat. It falls to people like Ronald W. Pontius the Director for Command and Control Programs and Policy within the Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD(NII,)) who spoke at the Potomac Officers Club Cybersecurity Summit Wednesday.
Pontius said the Army has three priorities when it comes to cyber-security: to “aggressively operate and defend our networks, data and systems; delivering affects against our adversaries; and designing, building, and delivering integrated capabilities for the future.”
Pontius described the need to “aggressively operate and defend our networks” as “job one” for the U.S. Army.”
“That is job one. Job one: operate and defend,” he said. “And we take that very, very seriously. The Army’s got the challenge of scope and scale. One point one million users, over 33,000 servers, almost 1,500 public-facing websites, 3,500 private web servers, over 1,000 authorized networks … 22 active directory forest.”
“So the scope and scale of what the Army is doing, and in many ways the other services are way ahead of us in collapsing and rationalizing their networks. The Army has a desperate need, and we’re driving hard on our network modernization. … The joint regional stacks, the Army has a tremendous need to collapse, converge, modernize,” he said.
“From a practical point of view, it’s costly and unsustainable,” said Pontius, and he added that “it’s also very hard to defend.”
“In order to defend, you’ve got to have situational awareness of what you’re defending, and right now today that is a significant challenge,” he said. “The Army is driving on end point security and end point management, and I talk about those as capabilities, not specific products.”
“We are very much moving to where capabilities make sense to be leveraging a service,” said Pontius. “And what is a service that can meet our needs” and then how to evaluate if that service is evolving and meeting the Army’s needs and protecting them from threats, said Pontius.
Pontius gave the example of end point security. He said the Army spent 8 plus years on implementation and “we never, up to a year ago, we never truly got the real benefit out of it.”
“The way we were managing [it was] decentralized, who had control over the EPO servers and everything else, it just didn’t make any sense,” he said. “So we started about 8 months ago …on standardizing” how it was implemented in the Army, and using the same formula with software licensing. He said the Army is also standardizing nd centralizing end point management.
“We need to get back in balance that mission functionality with mission assurance,” he said. “There aren’t more dollars; so how do you prioritize within the dollars you have in your systems?”
Other aspects of cybersecurity the Army is tackling include integrating cyber with land operations, persistent cyber training workforce training, and kinetic with non-kinetic combat and cyber electronic warfare operations. They are also designing and implementing capabilities for future fighting.
“We are working very hard to implement things with agility, flexibility, and speed to our portion of the cyber mission,” concluded Pontius at the Potomac Officers Club cybersecurity summit Wednesday.
Pontius is responsible for the development of policy and strategic guidance for DoD C2 to transition to the net-centric environment. In the past, Pontius served with the U.S. Army Signal Corps for over 26 years.