Wednesday, February 9, 2011

Operating in Cyberspace

Cyberspace issues are receiving attention at the highest policy levels. The Deputy Secretary of Defense has published a ten-page article. * A deputy commander of the U.S. Cybercommand wrote a five-page article on how to operate in the cyberspace military domain. **

These articles deal with organization, doctrine and strategic concepts how to defend DoD. They do not address the issue what are the characteristics of what is to be defended. What is missing is a realistic assessment of the current status of DoD’s FY11 $36.3 billion spending for information technologies that constitute the cyberspace.

The current hardware, software and networks within the Defense Department are obsolete and dysfunctional. The department continues to operate with a culture that does not as yet acknowledge that its computer systems are technically unsuited for operations in the age of cyber warfare.

The existing cyber defense deficiencies are deeply rooted in the ways the Defense Department acquired information technologies over the past decades. The existing flaws are enterprise-wide and pervasive. Regardless how much money is spent on cyber security protection most of it is inadequate to make the existing proliferation of networks adequately secure.

The total number of DoD systems projects in FY10 was 5,300. *** Each of these programs is subdivided into subcontracts, many of which are legislatively dictated. The total number of DoD data centers was 772, which makes their defenses unaffordable. ****

The information technology environment in the Defense Department is fractured. Instead of using a comprehensive and defensible infrastructure, which presently consumes 57% of the total information technology budget, money is spread over thousands of mini-infrastructures that operate in separate silo-like structures, which are almost entirely managed by contractors. Such profligacy is guaranteed to be incompatible and indefensible.

Over ten percent of the total Defense Department IT budget is spent on cyber defenses to protect tens of thousands of points of vulnerability. The increasing amount of money spent on firewalls, virus protection and other protective measures cannot keep up with the rapidly rising virulence of the attackers.
Hardly any of the subcontracts share a common data dictionary, or data formats or software implementation codes.  As result, the systems are interoperable only with difficulty. Except for isolated cases, DoD systems cannot support the coordination of information in order to launch coordinated cyber countermeasures.  What is in place is not only vulnerable, but also inadequate in meeting operational requirements for 21st century information dominance, which are low latency (less than 200 milliseconds) and close to 100.0% availability.

Internet – the primary conduit for cyber attacks - is connected to the Department of Defense networks over hundred thousand of routers and switches, which connect to ten thousands of servers located in hundreds of separate locations. In addition there are over six million desktops, laptops and smart phones, each with an operating system and browser that can be compromised by any of the two thousand new infections per day. These are risks that make DoD fundamentally insecure. Such risks will persist unless the underlying information technology infrastructure is overhauled.

Unless the Pentagon’s cyber strategy also includes a re-design of its technology infrastructure, any approach that does not include efforts of first remedying the existing deficiencies will miss what needs to be done.

* Lynn, The Pentagon’s Cyberstrategy, Foreign Affairs, September/October 2010
** Leigher, W.E., Learning to Operate in Cyberspace, Proceedings of the U.S. Naval Institute, February 2011