In the January 2014 Proceedings article, Time for a U.S. Cyber Force, Admiral James Stavridis, U.S. Navy (Retired) and David Weinstein argue for an independent branch of the armed services, dedicated to cyberspace.
A 5th military service dedicated to warfare in the cyber domain represents thinking that is critically important as information technologies (IT) continue to reshape how our world functions. However, just as the U.S. Air Force could not eliminate the need for Navy platforms to defend against missile- and aircraft-delivered warheads, a cyber military service will not eliminate the need for the Army, Navy, Marine Corps, and Air Force to maintain operational effectiveness in the face of cyber strikes directed at stopping, disrupting, or confusing ground, sea, and air operations.
Unfortunately, the overly bureaucratic processes currently impeding DoD IT system modernization and life-cycle support are even more damaging to the task of thwarting high-pace, high-dynamic, high-technology cyber attackers. Although significant DoD effort is currently directed at the implementation and certification of information assurance (IA), the results have proven to be more about additional cost and implementation time than real-world IA effectiveness.
In January 2013, the Defense Science Board (DSB) issued a report on cyber security titled Cyber Security and Reliability in a Digital Cloud. This graphic, taken from the report, depicts a useful cyber threat taxonomy.
Using this taxonomy, it is easy to understand that tier I and II amateur hackers exploit known pre-existing vulnerabilities and do it on budgets in the thousand-dollar range. Tier III and IV organized hackers discover and exploit unknown vulnerabilities supported by budgets in the millions of dollars. Tier V and VI nation state hackers create and exploit new vulnerabilities funded by budgets in the billions. If the U.S. is to sustain credible global military deterrence, it must effectively address the full dimension of these attackers twenty-four hours a day, seven days a week, and 365 days per year.
From my DoD experience I believe that the DoD Services and Agencies continue to embrace three primary IT myths that are pushing DoD IT systems and capability backward even as commercial companies and some public organizations are moving forward.
- The first myth is that DoD cannot protect critical information if it is not managed and controlled within DoD’s physical base infrastructure.
- The second myth is that DoD IT must be directly administered and managed by its bulging 170,000 person IT government workforce augmented by additional contractor personnel.
- The third myth is that because DoD is special and IT systems and applications require long acquisition timelines, it is OK that most IT equipment is old and often no longer supported by the commercial suppliers.
These DoD myths would be warranted if the track record could be held up credibly against commercial organizations like Google, Amazon, Microsoft, IBM, Intel, and hundreds more. Because for commercial companies cyber vulnerabilities are the difference between being in business or not, these companies make it a top priority to reliably mitigate the cyber vulnerabilities of tiers I-VI. They do so by minimizing the human operators accessing their IT infrastructures and by remaining on the leading edge of technology and IA processes. Unfortunately, within the DoD, minimizing IT system operators and remaining close to leading edge technology is not possible using current DoD IT processes and practices.
By acknowledging and verifying this reality, DoD leaders could easily take advantage of commercial IT services for unclassified and low-sensitivity applications to achieve increased cyber security while saving human and budget resources. In turn, dollars saved on unclassified and low-sensitivity services could be invested into the classified systems to increase security and modernize IT systems that directly support front line military capability. DoD IT leaders could gain increased confidence in commercial IT service providers by understanding the FISMA (Federal Information Security Management Act 2002) certifications that have been granted to Google, Microsoft, Amazon, and others over the past two years.
Interestingly, the U.S. Intelligence Community, through a newly awarded contract at the Central Intelligence Agency, is testing the ability of commercial IT services to provide secure, cost-effective IT services to its classified users. This contract provides IC physically protected locations where Amazon owns, installs, and operates Amazon Web Services (AWS) for IC users. This bold move by the IC has promoted new thinking within the DoD. Several leaders in the military Service CIO shops and DISA (Defense Information Systems Agency) are investigating commercial IT service options. In addition to potentially providing modern IT infrastructure, these actions could help bring front and center the significant challenge of fielding tens of thousands of DoD legacy applications on modern IT infrastructure components; a good subject for a future blog post.
DoD’s top IT leadership post has recently turned over with the departure of DoD CIO, Ms. Teri Takai. The current Department of Navy’s CIO, Mr. Terry Halvorsen, has been named as acting DoD CIO until a vetted, approved replacement is named. With this leadership doorway open, all of us beneficiaries of U.S. National Security can only hope that with new leadership will come a rapid transformation toward efficient and effective DoD IT services, cyber security, and application modernization that will keep our young soldiers, sailors, marines, and airmen fully supported during the international challenges that lie ahead.
Independent of the potential for creating a U.S. Cyber Force as a fifth branch of military service, effective IT capabilities and unparalleled cyber defenses will be required if DoD is to remain a credible military deterrent. By beginning to recognize the three myths described above, DoD IT leaders could move much more quickly toward the adoption of leading edge commercial services as an important augmentation to the aging DoD IT infrastructure and legacy applications in use today.