DOD's future security, info sharing will ride on the cloud
CIO Terry Halvorsen tells Congress that a virtual cloud environment -- attainable in five years -- could improve security and allow cooperation with traditional and non-traditional partners.
The Defense Department’s push toward a stronger cybersecurity posture—one that will also allow coalition partners and others to take part—will largely ride on the cloud.
DOD CIO Terry Halvorsen this week told lawmakers that in five years DOD might nearly have a complete virtual cloud environment.
“We’ll have private clouds, which are completely private within segments of DOD, we’ll have private clouds that are just DOD – you know, inside it – we’ll have private clouds that are DOD and other parts of the federal government and then we’ll have hybrid public clouds because of the size of DOD and the federal government we ought to be able to move into where we would have government hybrid clouds hosted in commercial centers,” Halvorsen said during a March 22 hearing on DOD’s fiscal 2017 IT budget. “It would give us the best combination of mission security and value.”
Halvorsen discussed, both in prepared and oral testimony before the House Armed Services Committee, the need to ensure secure data when working with traditional and non-traditional allies within a “commercially based, robust mission partner environment or capability”—known as the Mission Partner Environment - Information System—that can enable combatant commanders to “safely, reliably, affordably share the data needed to complete the mission” while “securely separate the information that needs to stay offline, or make it available to a separate set of partners so those partners who need data, have access to it when and where they need it.”
Noting that the MPE will have to be commercially based because allies would not agree to a U.S.-only network, Halvorsen provided a hypothetical example of how such an environment could work with non-traditional allies. “Let’s say we had a natural disaster that had allies now like the Chinese, the Cubans, us – they’re not traditional allies. We could actually stand up a network once we get some of the technologies in place that would allow data to be shared and let’s say we want to share data with China, we want to share data with Cuba, but not exactly the same data. We could do that on a network with the right protections to protect the data that we need, using almost commercially available technology today. There’s a few pieces that have to be done but [I have] no doubt they will be done by the end of this year,” he said.
Commercial providers such as Unisys are in the process of being approved by the government to provide similar capabilities, with government networks protecting data from unauthorized personnel. A team working on information regarding the ISIS, for example, can create a community of interest, and all information pertaining to the project would be shared within that community. Unless one has been granted access to the community, the files and folders for it are not visible on the network, fostering more secure information-sharing while protecting against insider threats.
Securing communications has been a difficult task for many commanders. “The biggest challenge we have right now is, when we fight a war, we fight it across top secret information, secret information and unclassified information,” Lt. Gen. Robert Otto, deputy chief of staff for Intelligence, Surveillance and Reconnaissance with the Air Force, said recently—noting that he was offering a personal opinion.
The challenge of getting highly classified information to warfighters on the frontlines, Otto said at a Feb. 19 AFCEA NOVA event, is twofold. First, coalition partners often are operating alongside U.S. soldiers and, while they might be allies, they do spy on U.S. activity. Defense officials want to limit the amount of top secret information viewed even by coalition partners.
Second, Otto described the challenge of “getting up and down” through the levels of classification. At the Top Secret level, he said, the Intelligence Community Information Technology Enterprise, or ICITE (pronounced “eyesight”) is moving forward because “it’s all controlled by the director of national intelligence—he has the power to say you’re all going to play and we all play,” as opposed to DOD’s Joint Information Environment, which deals with secret and unclassified information. The JIE has large legacy data pools, Otto said, which will be a harder problem to solve. “So without kind of the overall czar empowered to drive that change it’s going to be very difficult and it’s going to take a lot of work,” he said.
Halvorsen also pushed back on the notion that DOD is behind on cloud. “We’re actually slightly ahead of most of the Fortune 50 in the use of cloud. We are now embarking on doing more but I don’t think DOD is behind,” he said, adding that DOD has taken many of the same steps as the financial sector, thought to be one of the premier leaders in cybersecurity.
Halvorsen also told the panel how DOD is hardening its networks. One example is the transition to Windows 10. “I cannot stress the criticality of us getting that done,” he said. Windows 10 will enable greater visibility for DOD, especially considering it’s the first system built with security in mind from the start, he said. The move will also posture DOD to go to the next step in using cloud computing technology to improve security.
The other big initiative to harden networks, he said, is to complete the Joint Regional Security Stacks, which provide the security foundation for JIE. “In its simplest forms, what that does is lower our footprint. Today we’ve got a thousand points that you can come in,” Halvorsen said. “When the Joint Regional Security Stacks are done, we’ll have less than a hundred points – that’s a lot easier to defend.
“We are not where we want to be in all of the areas. We are measuring ourselves through extremely high standards,” Halvorsen said. “One of the things that I just want to say up front – when you look at cyber, you could hit 80 percent and a lot of people would think that would be good, in cyber that’s not good enough. So when you see that we’re in yellow and in some cases in red, it’s because we’re trying to get above in almost every category 95 percent to be green.”