Pentagon Cybersecurity Efforts Target Mobile Devices
One of the biggest challenges in protecting the IT infrastructure is having visibility over the thousands of computers and smartphones that soldiers use daily, said Michael J. Jones, chief of emerging technologies in the cyber division of the Office of the Army Chief Information Officer.
“You can’t defend what you can’t see,” he said June 1 at an Association for Enterprise Information conference in Alexandria, Va. “That’s why we’re spending a lot of effort and energy in getting asset visibility,” he told National Defense.
The goal is to develop an "information technology asset management system" that would give cybersecurity officers the ability to see every node in the network and to screen each one, in order to prevent intrusions, he said. “When you’re talking about one out of the 900,000 assets out there and figuring out which one poses vulnerability or which one could have a bad day, it makes it a daunting task.”
The State Department has a program called iPOST, a continuous monitoring and risk reporting application for the agency’s IT infrastructure. The Army is looking to adopt that same model by leveraging current "asset visibility tools," said Jones. Cybersecurity officials can pull that information back and “score” each of the devices on the network to quantify the risks that exist in cyberspace. “This allows us to then quickly identify what the next problem device is going to be so that we can get after it and then patch it,” he said. “As we look at adding more mobile electronic devices, we’ve got to make sure we have visibility of those devices. How can we make sure we control those devices? Continuous monitoring will help us — we call it ‘see, know and do.’”
Jones expects a working system to be in place by next spring.
“I’m pretty confident that within nine months to a year on the outside, the repository that we’re looking for would be at a minimum at an initial operating capability,” he said in the interview.
While pursuing these efforts, the Army also is experimenting with commercial tablet computers for battlefield use. Among the devices being tested is the PlayBook, made by RIM, which also manufactures the BlackBerry smartphone. “We went with that device because we already had the management infrastructure in place,” said Jones. The same servers that maintain control over Defense Department BlackBerry devices are being used in a pilot program on how to employ PlayBooks. Jones said that he plans to brief Army Chief Information Officer Lt. Gen. Susan S. Lawrence on the results of the project by December.
This is just the beginning of the mobile computing revolution in the Army, he said. “Defense Department officials have been looking at how we’ve been evaluating the PlayBook and others. We’re not alone out there — other services have efforts. But the fact that we’re the 800-pound gorilla within the Department of Defense, I think we’ll get a lot of attention,” Jones said.
Regardless of how things pan out with the PlayBook, the Army’s intent is to continue evaluating other devices. “We’re going to look at trying to get the other platforms and operating systems certified to where we can provide those as a resource,” he said. “We’re looking at having a variety of things to pick from that meet the standards. We definitely encourage the competition out there in industry to provide these type of capabilities.”
The accreditation process for such commercial technologies is often cumbersome and expensive. The Army is looking to shorten that time frame. “Ninety days, flash to bang, ought to be a goal for us,” he told the conference. “We’re not building tanks or weapon systems here.” Industry can help by incorporating "information assurance" components into their mobile products. Doing so will add costs that some companies may not be willing to bear — at least, not initially, he said. But with hackers and spies increasingly attacking networks through smartphones, that reluctance is likely to change as organizations outside the federal government clamor for secure mobile gadgets.
“I think gradually even private companies will be more inclined to have those extra secret ingredients to secure their devices,” said Jones.