Nickolas Guertin, who President Biden nominated to be the Department of Defense’s (DoD) next director of Operational Test and Evaluation (DOT&E), sees testing for cyber threats and building cyber testing into the test and evaluation process a priority for the next DOT&E.
Facing a Senate Armed Services Committee hearing Oct. 19, Guertin laid out his vision for the position in response to advance policy questions given by the committee. Guertin also expressed a need to build cybersecurity testing.
“The next DOT&E will be challenged to help the Department ensure that the way we test our systems accurately reflects the way we will use them to fight, Guertin wrote. “The adversary often tests, learns, and iterates faster than we do.”
“To win in conflict and to deter adversaries from initiating conflict, we must outpace them in every aspect of our developmental and operational investments and processes in every warfighting domain,” Guertin added. “We will be challenged to test, especially against cyber threats, and use next-generation technologies, such as autonomy and artificial intelligence-enabled equipment, in our warfighting systems.”
Guertin said, if confirmed, one of his policy priorities would be to make sure that software and cyber testing and evaluations happen “iteratively and incrementally throughout the life cycle,” rather than only during the initial testing and evaluation process.
When it comes to protecting the DoD’s commercial cloud services, Guertin said the DoD is currently at a disadvantage when it comes to assessing the security of those services and wants to be able to run cybersecurity tests on those products to be able to understand how secure are those products being used more and more to store classified or sensitive data.
“The only way to test whether a system can withstand an actual cyberattack is to conduct such an attack on the system in a test environment,” Guertin wrote. “The biggest limitation is that DoD’s current contracts with cloud vendors generally don’t allow DoD to independently assess the security of cloud infrastructure owned by the commercial vendor. Unless this burden is lessened, it is difficult to assess the security of those clouds.”