Pentagon CIO on the future of DoD's cybersecurity
Changing jobs paid off for John Sherman.
In June 2020, Sherman — a 20-year-plus veteran of the U.S. intelligence community and at the time its chief information officer — left to become the principal deputy CIO at the Pentagon.
Seven months later, he became the Defense Department’s acting CIO and last September was nominated by President Joe Biden to permanently fill the top slot at the massive agency.
The Record recently sat down with Sherman at the Pentagon to discuss his priorities, DoD’s recent cyber- and information technology-related shakeups and his view of the department’s greatest digital threats. The below Q+A, which has been edited for length and clarity, is the first of two parts of that interview.
The Record: You were named deputy DoD CIO in June 2020. You served as acting DoD CIO from January 2021 until last September when you were nominated. What did you learn during that time?
John Sherman: I learned about how the department is at such a large scale. I was the intelligence community CIO for just under three years coordinating with CIA, NSA on merits like cloud, cybersecurity, interoperability, et cetera.
I'm glad I was the principal deputy for a while as a running start here, because the scope and topics are similar in terms of cloud, cybersecurity. But we're doing it at such a bigger scale here; four million women and men here in the Department of Defense.
Also, whereas on the intelligence community side I was focused on intel and intel data, this is supporting our warfighters and the women and men who support our warfighters to get their job done.
So areas like command, control and communication, C3, is in my portfolio and learning about things like positioning, navigation and timing, GPS and alternate sources for that, Spectrum and other areas — that's new, that's not what I did on the IC side.
"I'm glad I was the principal deputy for a while as a running start here."—John Sherman, Defense Department CIO
TR: What did you observe that DOD was doing well? Conversely, what areas needed improvement?
JS: What was going well was the Digital Modernization Strategy that was underway. A clear north star set of issues on cloud, cybersecurity, C3, AI and data.
When I got my big read book, when I was still over at the IC and I was about to come over here, reading the very deliberate planning and structuring that had gone in to give a north star on each of these major areas to the department was very impressive.
I didn't see anything that was necessarily not going perfectly well, but there are always areas for improvement.
On the Joint Enterprise Defense Infrastructure (JEDI) Cloud issue, I said, ‘If I get put in charge, we're going to make a pivot here almost certainly, but we’re going to collect some data.’
Something that has manifested here recently with the Chief Digital and AI Officer for better coordination needed between the data and advanced analytics capabilities.
Another area that I've learned to appreciate here, that is a constant ongoing challenge we have, is getting rid of technical debt. It was, for very understandable reasons, allowed to come into our systems as our valiant service members were fighting in Afghanistan, in Iraq and other places, against violent extremists.
But now as we get ready for a pacing challenge of China, and also, as we would say, near-peer competitors, Russia and others, we're dealing with a whole different set of issues for potentially contested battle space. Things like electromagnetic spectrum that we dealt with in, say, Vietnam or in the Cold War, but not so much necessarily going after violent extremists in southern Afghanistan.
If we do have to conduct combat operations against near-peer competitors, things like very solid encryption, being able to protect our systems, our cybersecurity, the electromagnetic spectrum, preserving our P&T and GPS capabilities — those have to be priorities and these can't be options.
TR: You've been CIO here for just about two months. What are your goals?
JS: Cybersecurity, first and foremost — protecting our entire IT ecosystem from very high-end threats, working closely with folks like [U.S. Cyber Command and NSA chief] Paul Nakasone and a host of other key players here within the department.
We talk a lot about Zero Trust. It's based on the principle that the enemy may already be on our network. So how do we not just have a castle-and-moat approach, but very segmented networks with what we would call ‘fine-grain access’ that looks at not just signatures, but behaviors of individuals on there.
We have stood up a Zero Trust Portfolio Management Office to harness the coordination of what it's going to take to implement Zero Trust. We have brought in Randy Resnick from NSA to be the director. He's working for [Chief Information Security Officer] Dave McKeown now. Sudha Vyas has been the chief architect for Zero Trust.
We know that standing up an office is like, ‘Okay, that's one step.’ Paul Nakasone uses the term action verbs. I love that. We're going to get after action verbs on doing tangible things on Zero trust. Google will tell you it took them 10 years to implement Zero Trust. We've already got a foundation here and, while it will take years, there's things we can do in the very near term to start getting after this. Randy is rolling already, working with the Defense Information Systems Agency and others on tangible, actionable things and building on what the services are doing.
I've got this defense industrial base cybersecurity I'm now responsible for, along with the Cybersecurity Maturity Model Certification, CMMC, which is now under me.
But I will note, CMMC is not the totality of DIB cybersecurity. It is a major part of it, but the outreach and working with 220,000 DIB companies is critical.
We work with very large companies. I'm also very worried about the company that has 100 people somewhere in the Midwest or the West Coast or any region of the country here that is providing a widget that goes on a bigger widget that goes on a circuit board that goes into one of our aircraft or ground vehicles. How do we help protect them?
Also on the cyber front and really digital and innovation at large, is the talent. I feel so strongly about ensuring that we have the very best talent pipeline and thinking differently about the sort of individuals we are able to bring in here to the department. We must think differently about this. We must broaden the aperture. This must be a whole-of-nation effort. I want a diverse, rich workforce that represents all of America.
Another major area of priority is compute and software. We talked about the Joint Warfighting Cloud Capability, the follow-on to JEDI. That's deep in the middle of procurement, so I'm not going to offer details of where we are in the process, other than to say, the justification for it is to provide multi-cloud enterprise access for our enterprise all the way from the continental United States to what we call the ‘tactical edge,’ the very edge of the battlefield.
And then, lastly, another key priority is on C3; command, control, communications.
TR: You have a long career in government. Cyber is always changing, growing faster with new threats. What would you say to people who might argue, "John Sherman's been in government for decades, how can he know about what's happening today?”
JS: That's a great question. I think it comes into, as an executive leader, tapping into the broadest range of talent.
The individuals I have the privilege to work with and tap into ranging from NSA and CYBERCOM to here within the Pentagon right now, and then working with folks like Anne Neuberger on the NSC, one of my longtime colleagues and what she brings to the fight, Chris Inglis, Jen Easterly — who I've known for 20 years and was in the White House at the same time I was on 9/11.
Also very importantly, the outreach to industry. Every single day almost I'm meeting with key thinkers from industry, not only cybersecurity service providers but also technology leaders who provide large scale IT services, who provide telecommunications, who provide other services to get to what are the nature of the threats we're facing in areas like with Log4j, SolarWinds, threat vectors into industrial control systems and other areas.
So as a Department of Defense leader, yes, I've been in government. But it just really takes a team of teams. That's where I earn my money here is making sure we get the best out of this very rich ecosystem and not falling behind on this.
TR: You're also now the acting CDAO. Why is this office necessary? How will it help the Chief Data Officer, the Joint Artificial Intelligence Center and the Defense Digital Service underneath it?
JS: The creation of the CDAO is about decision advantage, getting ahead of these near-peer competitors, with the best insight and information that we can possibly have.
"So as a Department of Defense leader, yes, I've been in government. But it just really takes a team of teams. That's where I earn my money here is making sure we get the best out of this very rich ecosystem and not falling behind."—John Sherman, Defense Department CIO
This goes from [Defense Secretary Lloyd Austin] all the way to a combatant commander to the service members we have in the field conducting potential operations. That's the 50,000 foot view: better decision advantage to stay ahead of these very sophisticated potential adversaries.
To reach that, we have got to be a data-led organization. You look at some of the most successful companies in the world, it's about the data and how they make sense of it.
What we do on the data side with our Chief Data Officer and the Advana team, which makes sense of it, and bringing it together with the JAIC, which brings artificial intelligence, machine learning and other advanced analytics.
Look at it as a continuum, an ecosystem, all the way from data discovery and collection through how we're going to store, curate, make sense of that data, unlock that data, and then to run advanced analytics.
And then bringing the Defense Digital Service in as the department's digital fire brigade with employees who come from industry on special types of tours here, to inject that into the system with that rapid agility.
TR: The JAIC has existed for three years and hasn't really been able to scale up. Has there been any talk of adopting more civilian technologies? Then DDS is a completely different animal, how do you ensure they're a successful ‘fire brigade?’
JS: I'll give you a real world example just from this week.
The Advana team. It brings data together to bring insights that would've been very manual data input processes or very rote kind of things. They are, as we're looking at real-world operations I won't go into a whole lot of details here, supporting U.S. European Command with some of what we're doing there to be able to bring that data together.
I asked DDS just this week, ‘Let's see what we can do to bring your digital ninjas in here.’
I don't know what's going to come out of this yet, but I'm excited. I just heard about this at the staff meeting this morning. That's what a CDAO is going to bring to the fight.
TR: What does success for the CDAO look like in a year? In five years? And when DoD finds someone to fill this position permanently, does that diminish your CIO role?
JS: Let's say about three years, that the combatant commanders particularly and other key decision-makers here up to the secretary's level, we have tangible examples of where we have done amazing things and provided insights on geopolitical or geographic situations at EUCOM or INDOPACOM or SOUTHCOM, functional things we've started to be able to change with logistics and acquisition, things we've done for the women and men in the department in terms of making their life better.
To your second question about my relationship vis-à-vis CIO. One thing I found at the intelligence community side is when CDO was broken out from underneath CIO, I'll admit, at first I was like, ‘Well, is this going to work out? How are we going to be peers?’
It worked out not only well, I saw the value of having the data leader, being a peer to the CIO, because what I provide as CIO is the enabling technology, cloud, providing cybersecurity, transport — what needs to happen to make the CDAO successful.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.