Pentagon to Merge Information Networks in Effort to Thwart Hackers and Leakers
Defense Department leaders have decided that the best way to protect sensitive information from cyber criminals and from internal Snowden-like leaks is to consolidate its 15,000 networks into a single “joint information environment.”
The centerpiece of the joint network — known as JIE — is a set of security protocols — which the Pentagon calls a “single security architecture” — that presumably would make it easier to detect intrusions and identify unauthorized “insiders” who might be accessing a network.
The push for an integrated network comes from the very top. Chairman of the Joint Chiefs Army Gen. Martin Dempsey has made it a priority.
“We are transforming our information architecture,” said Vice Chairman of the Joint Chiefs of Staff Navy Adm. James Winnefeld.
The JIE will make networks more secure and also will save the Defense Department billions of dollars by eliminating redundant, overlapping systems, Winnefeld said Sept. 12 at an Armed Forces Communications and Electronics Association conference in Vienna, Va.
Each branch of the military, defense agencies and overseas commands currently maintain separate networks. “That makes little operational or financial sense in today's environment,” said Winnefeld.
When they go to war, the military services come together as one force, so the same thinking should apply to information networks, he said.
He cautioned that JIE is no “panacea.” Breaking down the bureaucratic walls around military networks will not be easy, Winnefeld acknowledged. “We are making JIE real despite a little bit of institutional resistance,” he said. “It's not just a set of lofty expectations.”
Although the JIE is not a “program of record” with its own funding line, it will be financed under the Pentagon’s $23 billion cybersecurity budget. The “single security architecture” would allow U.S. Cyber Command to better defend networks from attacks, Winnefeld said.
Leading the massive network integration effort are the Joint Staff, U.S. Cyber Command, the Defense Information Systems Agency and the Pentagon chief information officer.
The head of DISA, Air Force Lt. Gen. Ronnie D. Hawkins Jr., warned that JIE is pushing the Defense Department into uncharted territory. He characterized the venture as the digital equivalent of the Lewis and Clark expedition to the Western United States.
The stove-piped network structure that the military services now operate has served the Defense Department well and has created “silos of excellence” in information technology, he said in a speech at the AFCEA conference. But it is now time to move in a different direction, he said. “As we chart the new course within the new information environment, we believe we are going to need some pioneers to help us get there.”
Worries about cyber attacks and increasing fears of “insider threats” — government employees or contractors who might disclose classified information — are instilling a sense of urgency to transition to the JIE as soon as possible, Hawkins said.
“We are very concerned from a security perspective,” he said. “Do we really know the vulnerabilities? The insider threat concerns are huge.”
The notion that 15,000 networks can coalesce into a common environment seems daunting, but officials believe it can be done.
“We need to collapse the security boundaries that we currently have,” Hawkins said. He touted the recent successful installation of a single security architecture at U.S. European Command, based in Stuttgart, Germany. “We are building increments,” he said.
Although the initiative has been dubbed “single security architecture,” this is in fact a misnomer, Hawkins explained. “It will not be a single architecture,” he said. “But we started out with that name and we do not want to change it midstream as we go through the budget process.” A better descriptor would be “standard security architecture,” he added.
DISA has been assigned as the “synchronizer” of the JIE effort. Hawkins said he has top-level support from across the Defense Department. “We know we have the services ‘on board.’ We just have to build it [JIE] out and get it going.”
To foil insider leaks, the JIE will track network activity using “identity access management” technology, said Hawkins. This will apply to fixed computers and mobile devices. Government workers and contractors will be subject to “no notice inspections” to ensure their organizations are in compliance with the security standards, he said. “It's not that we want to put the fear of anything in anybody, but we let them know there is one standard and we expect everyone to adhere to that.”
Supervisors will look for warning signs of a potential insider threat, he said, such as “whether people are authorized to be where they're at, and whether they have the administrative privileges they are supposed to have. … We are working that as we start building the JIE.”
Hawkins said he is confident that the Defense Department has the resources to “get this done,” although he predicts it will be an uphill climb. “In many regards, we are laying this out as we go.”
Shifting from compartmentalized network management to a massive centralized system could be too big a cultural shock for many agencies, he said. “We have trained a generation of cyber warriors and operators to work in the silos that they work in.” Now, “we have called an audible at the line of scrimmage and many of the folks don't know what the new play is. We've got to work to change some of that culture. That is a big piece of what we have to do.”
Some cybersecurity experts do not expect JIE to be a silver bullet.
“I believe a single security architecture would weaken, not strengthen the system,” said J. Thomas Malatesta, founder and chief operating officer of Ziklag Systems, a company that specializes in security for mobile devices.
“How will you take a huge amorphous organization and implement an enterprise-wide solution across the board?” he asked. That seems a bridge too far, he told National Defense. Even if multiple networks are consolidated, that alone will not ensure greater security until workers are retrained to think and operate differently, and that could take years, Malatesta said. He applauds the Pentagon for wanting better security, but the Defense Department has to be realistic about its plans. “We have to develop the workforce,” he said. “This is a big problem in this country.”
The government does not have enough skilled workers to carry out mammoth efforts such as JIE, he said. This is a problem that will persist as younger generations of cyber warriors are shunning the defense sector. “Most defense contractors are laying off cybersecurity personnel,” he said. “They overstaffed over the past two to three years in anticipation of a lot of work.” Now that sequestration budget cuts have hit the federal government, contractors have more capability than business, said Malatesta. “What is the incentive for young people to go into this business?” he asked. “I don't think the Defense Department has the bodies to do JIE quickly.”