To accommodate millennial IT workers, so-called “digital natives,” the service branches of the Department of Defense need to square cybersecurity with the attitudes and behaviors of younger employees, according to senior defense IT officials.
At an AFCEA DC event on May 11 in Arlington, Va., officials said that strong IT governance, policies and cybersecurity best practices need to come from their agencies’ leadership, to set an example for younger workers.
The officials described an inherent tension between dealing with younger IT employees — who might be less cautious about cybersecurity — and dealing with the fact that these employees are becoming more numerous and have ways of thinking and behaving that are quickly becoming the norm.
Creating a Different Kind of IT Culture
The officials said that their IT environments are clearly changing: they need to contend with the behaviors of younger workers. For example, Rear Adm. Marshall Lytle III, the Coast Guard’s assistant commandant for command, control, communications, computers and information technology, noted that connecting USB dongles to DOD networks has been prohibited for years now, but that every week the Coast Guard still sees several cases of their use, setting off alarm bells.
The service branches need to grasp the fact that a younger generation of workers may not have the same adherence to cybersecurity discipline as older workers, Lytle said. At the same time, agencies now operate in the culture of sharing, social media and cloud-based collaboration, and that needs to be taken into account, he said.
“How do we continue to encourage that, because that is the way we do business nowadays?” Lytle said of the social media world and the inclinations of younger IT workers. “That collaboration is the way we do business.” Agencies need to balance those impulses with education on cybersecurity, he added.
“So it’s that balance, but we have to get that pendulum to swing a little bit more toward the middle of that balance between a culture of cyberawareness and that culture of collaboration that we’ve got going on,” he said.
Meanwhile, Brigadier Gen. Dennis Crall, CIO of the Marine Corps, noted that an agency’s leadership must lead by example on the subject of cybersecurity. Oftentimes, however, it is an agency’s leadership that takes advantage of exceptions to cybersecurity rules, he said.
“We always focus on the lowest end. We find the most junior person. We talk about nonadherence,” he said. “But I’ll tell you it starts at the top. Our greatest vulnerabilities, our greatest exceptions to policy don’t happen at the lower level, they happen with leadership.”
Crall noted that when Commandant of the Marine Corps Robert Neller assumed office in the fall of 2015 he inherited several exceptions to security for issues like Public Key Infrastructure, Public Key Enabling and streaming video. According to Crall, Neller demanded to know what the rules were for everyone in the Marines, and asked why he was excepted, saying he needed to follow the same rules as everyone else.
While there was a short and busy adjustment period, Crall said that Neller “demands the same standards from the very top all the way down to the very bottom. He sets the right example.”
“So if we really want a cultural change, it has to start at the top,” Crall said.
Additionally, Crall said that “digital immigrants,” or people who were born before the mid-1960s and before the use of computers, are generally more cognizant of rules. “We always talk about, well, the person’s a bit older and probably doesn’t know the rules. That’s not the case,” he said. “The person who is a bit older normally goes and reads the rules and adheres to them.”
Crall stressed that younger workers need to have good cyberhygiene habits injected into their training from the start. He said that younger workers tend to skip past digital warnings related to cybersecurity.
“It’s the way they work, it’s the way they play,” he said. “They don’t see the risks out there.” Therefore, Crall said, cybersecurity training needs to be instilled very early, and the Marines are trying to do that “starting from boot camp, from the time you come in and stressing that through every phase of training.”
A New Approach to Balancing Risks
Bill Marion, deputy CIO of the Air Force, recalled a recent breakfast he attended at which Hewlett Packard Enterprise CEO Meg Whitman spoke. According to Marion, Whitman said that “in our business today, we can no longer lead IT from a 70,000-foot level.”
“You have to think strategically and you have to act tactically. I’ve always said that,” Marion said of his own philosophy. That involves tying together and communicating strategic areas of IT focus, he said, and “getting the common understanding across your entire workforce.”
Additionally, Marion said that agencies do not look at risk correctly most of the time.
“We all have to be on a journey to change how we look at risk,” he said. “We talk about Windows 10, we’re going to harden the desktop, we’re going to harden the desktop, we’re going to harden the desktop. That’s what we focus on.”
Marion said that agencies can think about security and risks in ways that appeal to how younger workers access networks and systems — often on mobile devices. “But if I have a containerized and encrypted application container on top of a mobile device that’s much lighter, I might have a different way to look at that problem that’s more agile, that’s cleaner, that’s more receptive to the digital native,” he said. “And so we have to look at those problems differently.”