‘Compliant’ Doesn’t Mean Secure, Navy CIO Says

TYSONS CORNER, Va. — The Department of the Navy has a security problem, and it’s embedded in the institutional culture, according to the Navy’s top information technology executive.

“We are losing the Department of Navy’s information every day. And we’re losing it directly through our supply chain. Our adversaries are literally screening our plans and using them against us every day. And it’s got to stop,” Chief Information Officer Aaron Weiss told a meeting here of industry and department leadership on Jan. 24.

“We have a culture of compliance when it comes to security,” said Weiss, who became CIO in September. “That culture leads people to say, ‘If I do the checklist and I do all the right things and I wait a year, then someone will give me a stamp that says I have authority to operate and I am secure,’” Weiss said.

“Well, you might have been secure at that moment you filled out the checklist, but time marched on,” he said. “The adversaries’ capability has moved on. You’re no longer secure.”

Security has to become a “constant state of readiness,” Weiss maintained. Both the department and industry have to move “from security by compliance to security as a state of being, and it has to be a part of everything we do both inside the Department of the Navy and in our supply chain,” said Weiss. He joined acting Navy Secretary Thomas Modly and the Navy’s first chief learning officer, John Kroger, for a breakfast meeting, hosted by the National Defense Industry Association, to discuss technology and education with executives.

Coming to the Navy after more than 30 years in the private sector and a stint as senior advisor to the Defense Department’s CIO, Weiss said he was shocked by the difference in the day-to-day technology available to the Navy compared to the private sector.

“What we provide to Sailors, Marines and civilians is about 15 years behind where private industry is,” said Weiss, noting he faces a huge task to bring the Navy Department’s infrastructure capability up to parity with industry.

“We’re not doing that today. We’re providing data. Data without context is not usable information. We’re providing streams of data that we expect our Sailors and Marines to integrate, create context and make usable so that they can decide and act. But we’re not arming them with the information that they need.”

Weiss conceded that changing a culture would be a heavy lift, but coming back to security, he added, “there’s very little value in a modernized infrastructure driving innovation if we’re letting the good stuff walk out the back door.”