Twitter Facebook Google RSS
 
National Defense > Blog > Posts > Pentagon to Merge Information Networks in Effort to Thwart Hackers and Leakers
Pentagon to Merge Information Networks in Effort to Thwart Hackers and Leakers
By Sandra I. Erwin



Defense Department leaders have decided that the best way to protect sensitive information from cyber criminals and from internal Snowden-like leaks is to consolidate its 15,000 networks into a single “joint information environment.”

The centerpiece of the joint network — known as JIE — is a set of security protocols — which the Pentagon calls a “single security architecture” — that presumably would make it easier to detect intrusions and identify unauthorized “insiders” who might be accessing a network.

The push for an integrated network comes from the very top. Chairman of the Joint Chiefs Army Gen. Martin Dempsey has made it a priority.

“We are transforming our information architecture,” said Vice Chairman of the Joint Chiefs of Staff Navy Adm. James Winnefeld.

The JIE will make networks more secure and also will save the Defense Department billions of dollars by eliminating redundant, overlapping systems, Winnefeld said Sept. 12 at an Armed Forces Communications and Electronics Association conference in Vienna, Va.

Each branch of the military, defense agencies and overseas commands currently maintain separate networks. “That makes little operational or financial sense in today's environment,” said Winnefeld.

When they go to war, the military services come together as one force, so the same thinking should apply to information networks, he said.

He cautioned that JIE is no “panacea.” Breaking down the bureaucratic walls around military networks will not be easy, Winnefeld acknowledged. “We are making JIE real despite a little bit of institutional resistance,” he said. “It's not just a set of lofty expectations.”

Although the JIE is not a “program of record” with its own funding line, it will be financed under the Pentagon’s $23 billion cybersecurity budget. The “single security architecture” would allow U.S. Cyber Command to better defend networks from attacks, Winnefeld said.

Leading the massive network integration effort is the Joint Staff, U.S. Cyber Command, the Defense Information Systems Agency and the Pentagon chief information officer.

The head of DISA, Air Force Lt. Gen. Ronnie D. Hawkins Jr., warned that JIE is pushing the Defense Department into unchartered territory. He characterized the venture as the digital equivalent of the Lewis and Clark expedition to the Western United States.

The stove-piped network structure that the military services now operate has served the Defense Department well and has created “silos of excellence” in information technology, he said in a speech at the AFCEA conference. But it is now time to move in a different direction, he said. “As we chart the new course within the new information environment, we believe we are going to need some pioneers to help us get there.”

Worries about cyber attacks and increasing fears of “insider threats” — government employees or contractors who might disclose classified information — are instilling a sense of urgency to transition to the JIE as soon as possible, Hawkins said.

“We are very concerned from a security perspective,” he said. “Do we really know the vulnerabilities? The insider threat concerns are huge.”

The notion that 15,000 networks can coalesce into a common environment seems daunting, but officials believe it can be done.

“We need to collapse the security boundaries that we currently have,” Hawkins said. He touted the recent successful installation of a single security architecture at U.S. European Command, based in Stuttgart, Germany. “We are building increments,” he said.

Although the initiative has been dubbed “single security architecture,” this is in fact a misnomer, Hawkins explained. “It will not be a single architecture,” he said. “But we started out with that name and we do not want to change it midstream as we go through the budget process.” A better descriptor would be “standard security architecture,” he added.

DISA has been assigned as the “synchronizer” of the JIE effort. Hawkins said he has top-level support from across the Defense Department. “We know we have the services 'on board.’ We just have to build it [JIE] out and get it going.”

To foil insider leaks, the JIE will track network activity using “identity access management” technology, said Hawkins. This will apply to fixed computers and mobile devices. Government workers and contractors will be subject to “no notice inspections” to ensure their organizations are in compliance with the security standards, he said. “It's not that we want to put the fear of anything in anybody, but we let them know there is one standard and we expect everyone to adhere to that.”

Supervisors will look for warning signs of a potential insider threat, he said, such as “whether people are authorized to be where they're at, and whether they have the administrative privileges they are supposed to have. … We are working that as we start building the JIE.”

Hawkins said he is confident that the Defense Department has the resources to “get this done,” although he predicts it will be an uphill climb. “In many regards, we are laying this out as we go.” Shifting from compartmentalized network management to a massive centralized system could be too big a cultural shock for many agencies, he said. “We have trained a generation of cyber warriors and operators to work in the silos that they work in.” Now, “we have called an audible at the line of scrimmage and many of the folks don't know what the new play is. We've got to work to change some of that culture. That is a big piece of what we have to do.”

Some cybersecurity experts do not expect JIE to be a silver bullet.

“I believe a single security architecture would weaken, not strengthen the system,” said J. Thomas Malatesta, founder and chief operating officer of Ziklag Systems, a company that specializes in security for mobile devices.

“How will you take a huge amorphous organization and implement an enterprise wide solution across the board?” he asked. That seems a bridge too far, he told National Defense. Even if multiple networks are consolidated, that alone will not ensure greater security until workers are retrained to think and operate differently, and that could take years, Malatesta said. He applauds the Pentagon for wanting better security, but the Defense Department has to be realistic about its plans. “We have to develop the workforce,” he said. “This is a big problem in this country.”

The government does not have enough skilled workers to carry out mammoth efforts such as JIE, he said. This is a problem that will persist as younger generations of cyber warriors are shunning the defense sector. “Most defense contractors are laying off cybersecurity personnel, he said. “They overstaffed over the past two to three years in anticipation of a lot of work.” Now that sequestration budget cuts have hit the federal government, contractors have more capability than business, said Malatesta. “What is the incentive for young people to go into this business?” he asked. “I don't think the Defense Department has the bodies to do JIE quickly.”

Photo Credit: Thinkstock

Comments

Re: Pentagon to Merge Information Networks in Effort to Thwart Hackers and Leakers

It is good that DISA will serve as the Joint Information Environment development hub, with associated accountability.

However, I noticed that the head of DISA, Air Force Lt. Gen. Ronnie D. Hawkins Jr., mentioned this:
'To foil insider leaks, the JIE will track network activity using “identity access management” technology...'

I am familiar with a certain cloud services vendor, AWS, who uses the same terminology, IAM. AWS was granted a special government contractor credential (fedRAMP maybe?) in June of this year. I truly hope that thr Joint Information Environment project will be implemented by U.S. Dept. of Defense staff or civilian employees of the federal government, rather than being outsourced to Amazon Web Service's cloud.

Something as vitally important as our national defense deserves to be handled internally, watched over by government employees and military servicemen whose loyalties and steadfastness is unwavering. Congress should put aside sufficient funds. I can't think of any other government initiative that is more worthy of being done right!
Ellie Kesselman at 9/23/2013 11:27 AM

Re: Pentagon to Merge Information Networks in Effort to Thwart Hackers and Leakers

It is not surprising that some of the first "naysayers" for JIE are self-proclaimed "security experts" working for commercial vendors who prioritize "sales" above workable solutions. Had those same vendors been providing legitimate security products for DOD that actually worked, DOD would not now be forced to move in the direction of JIE. Perhaps if commercial vendors started working on ways to "PREVENT" malicious code and intrusions instead of waving the white flag and trying now to sell the idea of "Big Data" tools that will help us all discover "who did it" after the fact, we would not now be in the position of having to look in-house for solutions. The refreshing aspect of this transition will be DOD's surprise when they discover they have countless security personnel on the "inside" who can recommend and implement far superior solutions for security issues than the salesmen DOD has been listening to thus far. I've always held that "certifications don't stop malicious code."
Leon Schlossberg at 9/25/2013 3:46 PM

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Name: *

eMail *

Comment *

Title

Attachments

Name: *


eMail *


Comment *


 

Refresh
Please enter the text displayed in the image.
The picture contains 6 characters.

Characters *

  

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

 

 

Bookmark and Share