
Staffing of Cyber Operations


General Alexander, the head of U.S. Cyber Command, reported that DoD computers receive some six million threatening probes each day.[1] These probes are directed at 2,904 separately funded IT projects, each running multiple programs with vulnerabilities of their own.[2] There are also over 15,000 separate networks in place, each a potential conduit for cyber attacks. DoD's daily transactions number in the billions, and each one is a potential carrier of malware.

There is no question that DoD presents an enormous attack surface, which must be countered by defenses that cannot afford to make errors. Can that be accomplished by adding more manpower?

According to the Conference Board, there were 15,900 open jobs in cyber security posted in May 2012. According to the SANS (SysAdmin, Audit, Network, Security) Institute, highly skilled cyber security staff can be paid as much as $175,000 per year. Booz Allen Hamilton is now trying to hire 1,000 cyber security experts as contractors.

DoD has 90,000 personnel involved with cyber security, of whom 35,000 to 45,000 are in military positions.[3] DoD is now calling for an additional twenty to thirty thousand cyber security professionals, but has difficulty both finding and funding them. The increased sophistication and complexity of highly targeted attacks has raised the qualifications required for defensive cyber positions, so it is doubtful that all of the 90,000 currently in place would meet the standard of a qualified cyber warrior.

Meanwhile, qualified cyber personnel are being drained off to fill a variety of new cyber positions under the nine unified combatant commands. The Secretary of Defense has ordered all unified commands to set up Joint Cyber Centers (JCC) immediately, to serve as the link between the combatant commanders and U.S. Cyber Command (CYBERCOM). That may require at least a few hundred openings for personnel with very high security clearances and the skills to launch cyber attacks.

SUMMARY
Even if we assume that all of the cyber security personnel are highly qualified, hold the necessary clearances and are efficiently deployed, that leaves only three to four persons per shift available to guard each IT project. Such personnel cannot be deployed according to geographic commands, because systems are organized by service or agency. Much of the personnel will have to be concentrated in DISA, performing security assurance as an infrastructure service, provided that interoperability with a long list of aging systems can be established.

About half of all dollar spending is for a common infrastructure, which requires highly automated monitoring to identify which of the six million potentially hostile probes per day are anomalous. Cyber security staffs must also be organized to intercept incoming traffic in a way that matches how the networks are structured. This would require major investments in at least a dozen well-staffed and well-funded network control centers, needed to amortize the large investment in intellectual capital that cyber defense demands.

The scope of cyber operations calls for concentration of defenses. It calls for the adoption of rapidly evolving automated threat detection methods. Keeping cyber defense personnel and interception methods dispersed, as is currently the case, is neither effective nor affordable. DoD now needs to reconsider how to deploy its cyber defense talent so that efforts are more concentrated.
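The two preceding paragraphs call for automated monitoring that separates anomalous probes from the background of six million daily probes. The following is an added example, not code from the original post or from any DoD or DISA system: it reads a batch of firewall deny lines, builds a per-source baseline, and flags sources whose probe rate is a robust-z outlier (median and MAD rather than mean and standard deviation, so the outlier being hunted does not inflate its own baseline) or that sweep many distinct ports. The log format, the addresses (documentation ranges) and the counts are constructed for the demonstration; thresholds are assumptions to be tuned against real traffic.

```python
"""Baseline-and-outlier triage of firewall deny lines (added example).

Not code from the original post. Log format, addresses and counts are
constructed; median/MAD z-score and port-sweep thresholds are assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample: four sources at a normal background rate and one
# (198.51.100.77) sweeping ten ports. One malformed line is included to show
# that unparsable input is skipped rather than crashing the pipeline.
SAMPLE_LOG = """\
2012-06-12T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2012-06-12T10:00:09Z DENY src=203.0.113.6 dst=192.0.2.10 dport=22
2012-06-12T10:00:14Z DENY src=203.0.113.7 dst=192.0.2.11 dport=443
2012-06-12T10:00:20Z DENY src=198.51.100.77 dst=192.0.2.10 dport=21
2012-06-12T10:00:21Z DENY src=198.51.100.77 dst=192.0.2.10 dport=22
2012-06-12T10:00:22Z DENY src=198.51.100.77 dst=192.0.2.10 dport=23
2012-06-12T10:00:23Z DENY src=198.51.100.77 dst=192.0.2.10 dport=25
2012-06-12T10:00:24Z DENY src=198.51.100.77 dst=192.0.2.10 dport=53
this line is not a firewall record and must be ignored
2012-06-12T10:00:25Z DENY src=198.51.100.77 dst=192.0.2.10 dport=80
2012-06-12T10:00:26Z DENY src=198.51.100.77 dst=192.0.2.10 dport=110
2012-06-12T10:00:27Z DENY src=198.51.100.77 dst=192.0.2.10 dport=135
2012-06-12T10:00:28Z DENY src=198.51.100.77 dst=192.0.2.10 dport=445
2012-06-12T10:00:29Z DENY src=198.51.100.77 dst=192.0.2.10 dport=3389
2012-06-12T10:00:35Z DENY src=203.0.113.8 dst=192.0.2.11 dport=80
2012-06-12T10:00:41Z DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2012-06-12T10:00:47Z DENY src=203.0.113.6 dst=192.0.2.11 dport=80
2012-06-12T10:00:52Z DENY src=203.0.113.8 dst=192.0.2.10 dport=22
2012-06-12T10:00:58Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2012-06-12T10:01:03Z DENY src=203.0.113.6 dst=192.0.2.10 dport=443
2012-06-12T10:01:10Z DENY src=203.0.113.8 dst=192.0.2.11 dport=443
"""

# Assumed line format: "<ts> DENY src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)$"
)


def parse_events(log_text):
    """Yield (timestamp, src, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], int(m["dport"])


def summarize(events):
    """Per-source probe count and number of distinct destination ports."""
    counts = Counter()
    ports = defaultdict(set)
    for _, src, dport in events:
        counts[src] += 1
        ports[src].add(dport)
    return counts, {src: len(p) for src, p in ports.items()}


def robust_z(values):
    """Median/MAD z-scores; 0.6745 scales MAD to a sigma-equivalent.
    Falls back to MAD=1 when more than half the sources have identical counts."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    return [0.6745 * (v - med) / mad for v in values]


def flag_anomalies(log_text, z_threshold=3.5, port_threshold=10):
    """Return sources that are rate outliers or port sweepers, highest z first."""
    counts, distinct = summarize(parse_events(log_text))
    srcs = list(counts)
    if not srcs:
        return []
    zs = robust_z([counts[s] for s in srcs])
    findings = []
    for src, z in zip(srcs, zs):
        reasons = []
        if z >= z_threshold:
            reasons.append(f"rate z={z:.2f}")
        if distinct[src] >= port_threshold:
            reasons.append(f"{distinct[src]} distinct ports")
        if reasons:
            findings.append({"src": src, "count": counts[src],
                             "ports": distinct[src], "z": round(z, 2),
                             "reasons": reasons})
    findings.sort(key=lambda f: f["z"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(SAMPLE_LOG):
        print(f"{f['src']}: {f['count']} probes, {', '.join(f['reasons'])}")
```

On the constructed sample the four background sources score between -0.67 and 0 and only 198.51.100.77 is reported, on both criteria. In practice the baseline would be computed per time window and per destination network rather than over one batch, and the thresholds would be set from the false-positive rate the control center can absorb.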



[1] http://www.defense.gov/news/newsarticle.aspx?id=67713
[2] http://www.itdashboard.gov/data_feeds
[3] http://csis.org/print/21094


Microsoft Software Defects


Microsoft's monthly batch of security patches for June 2012 includes critical fixes for security holes in a wide range of Microsoft products.

Seven security bulletins address twenty-eight documented vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Three of the seven bulletins are rated "critical", including the one affecting the .NET Framework. The critical bulletins address flaws that could lead to remote code execution with little or no user interaction. The other four bulletins carry an "important" rating and deal with vulnerabilities that could be exploited for code execution and elevation of privilege.

Microsoft also released an emergency fix to block "active attacks" that use unauthorized digital certificates chaining to a Microsoft Certificate Authority. Such certificates allow sophisticated man-in-the-middle attacks; they were used by the Flame malware, which impersonated Windows Update and is believed to be the work of a well-resourced attacker.

SUMMARY
The wide distribution of Microsoft software has created an industry-dominant vulnerability surface for its offerings: updates must ultimately be applied in millions of locations after the defects have been publicly announced.

Individual software packages such as Windows and Visual Basic have their reliability managed by largely centralized project teams at Microsoft headquarters, which is time-consuming. The diversity of code, the large number of options, a persistent compulsion to maintain upward compatibility and the organizational separation between testing and implementation all increase the number of defects. Once a fix is identified, tested and distributed, an indefinite additional period may pass before it is actually installed as a protective measure.

In contrast, a centrally managed software architecture with vendor-distributed software can update millions of devices and thousands of servers almost at once. There is no major gap between the discovery of a "bug" and the installation of its fix. As malware actors increasingly rely on zero-day defects, the advantages of cloud-based software maintenance surpass the methods Microsoft currently uses to maintain software integrity.

IT Acquisition to be Paced by Technology


The Administration has just announced plans to release guidance on modular contracting as a way of re-directing acquisition officials to find ways for dealing with the fast-paced world of rapidly changing technologies.

Many existing government processes cover a lengthy sequence from planning to budget preparation to procurement, and the current approach therefore favors large projects. Too many IT programs span several years beyond what is now accepted as best commercial practice. The Office of Management and Budget recommends that programs last no more than eighteen months to two years. This is in contrast with major IT programs that now take from ten to thirty years.

SUMMARY
The only way to increase the segmentation of systems into smaller components is to shift development efforts to cloud computing, based on the separation of data, information processing and applications. In such an approach, much of the time-consuming effort of building infrastructures would be eliminated through the virtualization of computing services that support multiple projects simultaneously.

With IaaS (Infrastructure as a Service), and particularly with PaaS (Platform as a Service), developers will be able to concentrate their efforts on creating small-scale modular application components that fit a shared enterprise infrastructure. If such components are constructed according to standard rules and offer uniform APIs (Application Programming Interfaces), the total elapsed time for delivering new applications would be materially shortened, to weeks instead of months or years. Such an approach would comply with the most recent memorandum from the Executive Office of the President.[1]

[1] http://www.whitehouse.gov/the-press-office/2012/05/23/presidential-memorandum-building-21st-century-digital-government

Digital Government Policies


The President has just signed a memorandum on "Digital Government: Building a 21st Century Platform to Better Serve the American People". It provides agencies with a twelve-month roadmap that focuses on priority areas. The strategy requires agencies to establish goals for delivering digital services, encourages delivery of information in new ways, and calls for mobile and web-based methods of delivering information services. It also requires agencies to establish consolidated online resources and to adopt new standards for making government information machine-accessible.

This is the first memorandum on IT direction ever to originate directly from the Executive Office of the President.[1] It is guidance that warrants full attention.

The President and the Federal Chief Information Officer published a roadmap on how federal agencies shall adopt and prioritize digital technologies. Agencies were directed to take the following actions:
(1) Implement the requirements of the Strategy within 12 months; and
(2) Within 90 days, create an agency website to publicly report progress in meeting the requirements of the strategy.

Agencies will follow the established commercial conceptual model, based on the following components:
1. The information layer contains structured information (the most common concept of "data"), such as census and employment data. It also includes unstructured information (content), such as fact sheets, press releases, and compliance guidance.
2. The platform layer includes all the systems and processes used to manage the information drawn from the information layer. Examples include systems for content management, web APIs (Application Programming Interfaces), application development that supports IT customers, and the hardware used to access and deliver information.
3. The presentation layer defines the manner in which information is organized and provided to customers. It represents the ways government information (data or content) is delivered digitally, whether through websites, mobile applications, or other modes of delivery. These services are delivered regardless of the user's device, i.e. the technology used to view them.

Applications are constructed in three layers that separate information creation from information presentation. This allows content and data to be created only once and reused in different presentations of the results. It is a model that represents a fundamental shift from the way the government manages digital services at present, where the $74.1 billion of total Federal IT spending is subdivided into 6,810 investment silos, implemented through 3,924 separate contracts, each integrating data, platform and presentation in a stand-alone vertical construct.

Instead, the new strategy proposes that total IT spending be divided into a limited number of separate structured data layers. These would be processed by a limited number of separate platform organizations, such as data centers. A very large number of presentation layers would then be derived from them, on demand, to deliver information services to users.

The Federal silos would ultimately be subdivided into a horizontal structure of hundreds of data layers, processed by dozens of information platform "utilities". These utilities would offer shared services on demand to their customers.

The foundation of the digital government policies will be data tagged by a Federally mandated metadata process, which describes all the attributes of digital information needed to retrieve the original data before it is disseminated in formats that meet user needs.

SUMMARY
The new strategy outlines a completely new Federal model for managing the creation and distribution of information technologies to citizens and employees. The new model is a radical innovation in the business of the Federal government. It will affect how the Department of Defense is guided in its future architecture, because all agencies of the federal government must ultimately be able to interoperate.

The most important departure from current methods is the separation of data into a layer that is managed on technical platforms devoted to the processing of all data. In this way the applications (the presentation layer) are separated from the data as well as from the platform layer.

Instead of Federal IT being cut vertically into 6,810 separately funded silos, it will be subdivided horizontally into layers, so that the number of databases and processing platforms to be managed can be reduced. The duplication of effort now present in each of the thousands of silos will be eliminated, and large savings will be realized.

The greatest gains will accrue from streamlining how security is deployed. The consolidation of data will enable the placement of improved countermeasures against malware. Consolidation of platforms will concentrate security methods at a limited number of points of exposure and reduce the vulnerability to attacks, provided that those shared platforms are themselves hardened, since a compromise of a consolidated platform would expose every data layer it processes.

[1] http://www.whitehouse.gov/the-press-office/2012/05/23/presidential-memorandum-building-21st-century-digital-government

Status of Business Systems Modernization in DoD


DoD has requested $17.2 billion for its business systems environment and related IT infrastructure investments for fiscal year 2013. That represents close to half of total DoD IT spending.[1] Business systems comprise about 2,200 major programs, including 310 financial management, 724 human resource management, 580 logistics, 254 real property and installation, and 287 weapon acquisition administration systems.

According to GAO, DoD business systems are overly complex and error-prone. They are characterized by (1) little standardization across the department, (2) multiple systems performing the same tasks, (3) the same data stored in multiple systems, and (4) the need for data to be entered manually into multiple systems.[2]

In May 2001 GAO recommended that the Secretary of Defense establish the means for developing a corporate, architecture-centric approach to investment control and decision making for a successful systems modernization program. Congress then included provisions in the National Defense Authorization Act (NDAA) for Fiscal Year 2005 requiring DoD to (1) develop a business enterprise architecture (BEA) and a transition plan for implementing it,[3] (2) identify systems information in its annual budget submission, (3) establish a systems investment approval and accountability structure along with an investment review process, and (4) certify and approve any business system program costing in excess of $1 million.

DoD's business systems modernization is a high-risk area in its own right, and it also feeds other high-risk areas. For example, business systems remain entry points for malware into DoD networks.

The Deputy Chief Management Officer (DCMO) is accountable for developing and maintaining a department-wide plan for business reform and manages the modernization effort. The DCMO was appointed on October 17, 2008.

SUMMARY
DoD lacks the governance mechanisms needed to meet its business systems modernization objectives:

1. The BEA has yet to be extended to the programs that constitute the business missions.
2. Budget submissions omitted key information about business system investments.
3. The supporting business system proposal data were of questionable reliability, and the military departments have not defined policies and procedures for project-level management.
4. Business system modernizations costing more than $1 million continued to be certified and approved, but not on the basis of complete information.
5. Certification and approval decisions were granted even though prior reports had identified program weaknesses that remained unresolved.
6. DoD lacks the staff needed to perform its business systems modernization responsibilities: 41 percent of DCMO positions were unfilled.

DoD's progress in modernizing its business systems is limited by continued uncertainty about governance mechanisms, as well as by open questions about the roles and responsibilities of key organizations and senior leadership positions.

Until DoD fully implements the long-standing institutional controls over modernization management, business systems modernization will remain a high-risk program and a growing gap in the assurance of information security.

[1] DoD's unclassified systems not defined as national security systems.
[2] GAO-12-685, Governance Mechanisms for Implementing Management Controls Need to Be Improved.
[3] An enterprise architecture, or modernization blueprint, provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., a federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of the enterprise's current or "as-is" operational and technological environment and its target or "to-be" environment, and contains a capital investment road map for transitioning from the current to the target environment.