Thursday, September 9, 2010

Cyber Defenses and the DoD Culture

According to Air Force LTG William Lord, 85 percent of cyberoperations are in defense. That being the case, how should the Defense Department protect its network and computer assets? A 2009 RAND Corporation report on cyberdeterrence asserts “…most of the effort to defend systems is inevitably the ambit of everyday system administrators and with the reinforcement of user vigilance.” The report also states “…the nuts and bolts of cyberdefense are reasonably well understood.”

Such views encapsulate the current thinking about cyberdefense: that it is primarily a back-office service or a compliance matter. But these views are pernicious. They accept existing systems as they are and advocate only for improved implementation methods. RAND does not admit that the current hardware, software and networks within the Defense Department are obsolete and dysfunctional. The department continues to operate within a culture that does not acknowledge that its computer systems are not suited for the age of cyberwarfare.

Defense Department leadership appears to be viewing cyberdefense issues primarily as a matter of policy and strategy that can be fixed incrementally. That is not possible. Cyberdefense deficiencies have become deeply rooted as a result of the defective ways in which the Defense Department acquired IT over the past decades. Cyberdefense flaws are inherently enterprise-wide and are mostly not application-specific.

The Defense Department has not yet confronted what it will take to make its systems and networks sufficiently secure. According to DEPSECDEF William Lynn, the department operates over 15,000 networks and over 700 data centers. The total number of named systems programs in 2009 was 2,190 (Air Force 465, Army 215, Navy 972 and Agencies 538). Each of these programs was further subdivided into subcontracts, some of which are legislatively dictated. Hardly any of the subcontracts share a common data dictionary, common data formats or common software implementation codes.

The IT environment at the Defense Department is fractured. Instead of paying for a shared and defensible infrastructure, over 50 percent of the IT budget is allocated to hundreds, possibly thousands, of mini-infrastructures that operate in contractor-managed enclaves. Such a proliferation of enclaves is guaranteed to be incompatible and certainly not interoperable.

Over 10 percent of the total Defense Department IT budget is spent on cyberdefense to protect a huge number of vulnerability points. The increasing amount of money spent on firewalls, virus protection and other protective measures is not keeping up with the rapidly rising virulence of attackers.

Take the case of the Navy/Marine Corps Intranet, which accounts for less than 4.8 percent of Defense Department IT spending. The NMCI contains approximately 20,500 routers and switches, which connect to 4,100 enterprise servers at four operations centers that control 50 separate server farms. Since the NMCI represents the most comprehensive security environment in the Defense Department, one can only extrapolate the total number of places across the department that need to be defended. Vulnerability points include hundreds of thousands of routers and switches, tens of thousands of servers and hundreds of server farms. There are also over six million desktops, laptops and smart phones used by military, civilian, reserve and contractor personnel, each with an operating system and at least one browser that can be infected by any of the 2,000 new viruses that appear per day. From a security assurance standpoint, such a proliferation of risks makes the Defense Department fundamentally insecure.

Defense Department leadership is aware that cyberoperations are important. JCS Chairman Adm. Mike Mullen said that cyberspace changes how we fight. Gen. Keith B. Alexander, the head of the Cyber Command, said that there is a mismatch between technical capabilities and our security policies.

Meanwhile, the interconnectivity of Defense Department systems is rising in importance. For instance, the Navy’s Information Dominance Corps views its information environment as being able to connect every sensor to all shooters. Information dominance makes no distinction between logistic, personnel, finance, commander or intelligence data because all of it must be available for fusing into decision-making displays. This calls for connectivity as well as real-time interoperability of millions of devices.

After decades of building isolated applications, the Defense Department has now arrived at an impasse with regard to cyberdefenses just as the demand for enterprise-wide connectivity is escalating. Unfortunately, nobody in top leadership has identified the funded program that will remedy the inherent deficiencies in cyberdefenses. Prior efforts to do that, such as the Joint Task Force for Global Network Operations (JTF-GNO) and the Joint Functional Component Command for Network Warfare (JFCC-NW) were disbanded. Right now, there are no adequate budgets in place for reducing the widely exposed “cyberattack vulnerability surface.” As yet there is no unified enterprise system design or architecture that offers cybersecurity that works across separate Defense Department components at an affordable cost.

Defense Department IT budgets are now fully mortgaged to support ongoing operations and maintenance, while most large development funds are still paying for continuation of programs that were started years ago. With regard to the concerns I’ve raised in my previous post, here are some ideas on what should be done:

The Defense Department should proceed with the rapid consolidation of its communication infrastructure to generate cash that will pay for the merger of costly applications. SECDEF Robert Gates observed correctly on August 9 that “…all of our bases, operational headquarters and defense agencies have their own IT infrastructures, processes, and applications. This decentralization results in large cumulative costs, and a patchwork of capabilities that create cyber vulnerabilities and limit our ability to capitalize on the promise of information technology.” Defense Department communications also cannot depend on the routers and servers that are a part of the public Internet. Instead, the department should switch to computing “on the edge” that utilizes government-controlled assets. Communication costs are the largest single component of the Defense Department’s IT budget and can be reduced materially.

The Defense Department should proceed with the consolidation of its servers and pack them, through virtualization, into a small number of fully redundant data centers with instant fail-over. Savings of greater than 50 percent in operating costs are available, with payback periods of less than one year. Adopting platform-as-a-service cloud technologies will make that possible. Switching to network-operated computing devices (thin clients) and to open source desktop software can produce additional large savings.

The Defense Department should complete its data standardization efforts that were started in 1992 and mandate compliance with an enterprise-wide data dictionary. It should proceed with the standardization of meta-data definitions of all Defense Department data elements. The organization for accomplishing that is already in place.

The Defense Department should mandate the acceptance of an all-encompassing systems architecture that dictates to Program Executive Officers (PEOs) how to acquire computing services and to contractors how to build new application software. The current Department of Defense Architecture Framework (DoDAF), as well as the OSD-published architecture directives, have not been accepted by the Services and should be superseded.

From a cyberdefense standpoint, the Defense Department should set up network control centers that apply state-of-the-art monitoring techniques for complete surveillance of all suspect incoming as well as outgoing transactions. One-hundred percent end-to-end visibility of all Defense Department communications is an absolutely required capability for security assurance as well as for total information awareness.

The recent reassignment of the Network & Information Integration (NII) from the Office of the Secretary of Defense to the Defense Information Systems Agency (DISA) can be seen as an indication that a combination of policy and execution of enterprise-wide communications will be forthcoming. The Cyber Command now controls DISA. There is hope that DoD will finally have an organization that has the charter to deliver working cyberdefenses.

However, the combination of NII, DISA, NSA and the Cyber Command is insufficient. Cyberdefense inadequacies are embedded in the proliferation of applications and in the fracturing of the infrastructure. They can also be found in the absence of funding to launch a rethinking of how cyberdefenses are to be managed in the decades to come.

A different cybersecurity culture needs to be diffused throughout the Defense Department. It will have to view cyberdefenses not as a bandage to be selectively applied to a patchwork of applications, but as an inseparable feature of every computer technology that enables our operations.

For comments please e-mail pstrassm@gmu.edu