Defense Department's Achilles' Heel Targeted for Heightened Protection
Study of security, interoperability and culture finds department behind information superiority curve.
The U.S. Department of Defense is not fully exploiting information technology in military operations and departmental procedures. For an organization that relies on information superiority and technological capabilities to put U.S. national defense at an advantage, the department is lax in thwarting potentially devastating threats to its information systems.
Many of the organization’s information technology goals are unachieved. The department faces daily threats and security breaches, both from internal and external causes, and the effects of a failure to protect easily compromised commercial systems are exacerbated by a lack of training. Because the department’s culture is one that does not foster taking the issue of security seriously, existing processes hamper the organization’s strength.
These are the conclusions of a report on Defense Department command, control, communications, computers and intelligence (C4I) released early this year. Commissioned by the U.S. Congress as part of the Defense Authorization Act for fiscal year 1996, the report analyzes the current and planned servicewide and defensewide C4I programs, focusing on issues within and across the different services.
The analysis suggests that, throughout the department, employees need more training to maximize the capabilities of advanced protection technologies. Experts agree that the department must begin assessing its strengths and weaknesses regularly, realizing that there is no one-time solution for maintaining information superiority.
Investments in technology and current acquisition procedures must be closely tied to technology advancements and operational requirements. The department must foster research and development that will advance current systems.
Experts who studied the department believe the organization needs a clear vision and must back up that vision by leading a proactive rather than reactive reform of current operations. They agree that strength and continuity of leadership are key to implementing widespread changes to organizational processes that currently hinder full system protection.
Accepting the findings in the report, Defense Department officials readily admit that there is a need for change. They point out that the department has already begun to implement new policies and form task forces to address many of the issues defined as problematic in the report. Several members of the defense community have been briefed on the findings, and they contend that measures to improve operational security and proficiency began long before the report was released.
In 1997, the National Research Council began examining the department, and within the group’s computer science and telecommunications board, a committee was formed to explore Defense Department C4I plans and programs. The council is a private, nonprofit organization chartered by Congress to further knowledge and to advise the government on science and engineering matters. Members of the committee represented both the private and government sectors. Military experts, including previous senior commanders or defense technologists, served on the committee to provide context and operational experience from the military standpoint. Nondefense industry experts were also on the committee to provide the commercial perspective.
Beginning by reviewing previous studies, the committee next observed operations at various locations. In 1997, they watched the Joint Warrior Interoperability Demonstration in Tidewater, Virginia, and Ulchi Focus Lens in Korea. Committee members went to Fort Hood, Texas, and Eglin Air Force Base and Hurlbert Field, Florida, to watch experiments. They also witnessed operations at the National Security Agency, Fort Meade, Maryland, and Electronic Systems Command, Hanscom Air Force Base, Massachusetts. At each of these sites, the committee looked at operational processes and how seriously forces were taking vulnerability to cyberattack.
The committee’s strategy for examining Defense Department C4I focused on three issues—security, interoperability, and process and culture. Of these issues, security has received, by far, the most attention from the public. As the Defense Department uses C4I systems more and more for military leverage, incentives for an opponent to attack those systems increase. The study concludes that the department’s response to the information systems security challenge has been “inadequate.”
The Defense Department detects 80 to 100 questionable activities daily related to its information systems, according to Deputy Secretary of Defense John J. Hamre, speaking before the U.S. House of Representatives Armed Services Committee’s subcommittee on procurement and research and development. About 10 of those potential threats require detailed investigation. “As we have improved our ability to monitor network activities, the number of probes, intrusions and cyberevents we can observe continues to increase,” Hamre discloses.
The report states that “the Department of Defense is in an increasingly compromised position. The rate at which information systems are being relied on outstrips the rate at which they are being protected. Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense,” the report asserts. “Furthermore, in many cases, [the Department of Defense] is prohibited by law and by national policy from taking retaliatory action against a cyberattacker that might deter future cyberattacks.” The question of whether the department should be given the authority to retaliate against such attackers was hotly debated in the committee, where they concluded only that the issue needs to be addressed.
“On the technology side, information systems security has been hampered by a failure to recognize fully that C4I systems today are heavily dependent on commercial components that often do not provide high levels of security,” according to the study.
Authors of the report contend that the department must recognize the inherent weaknesses in a passive defense. Weak points in departmental systems should be found and addressed to defend against cyberattackers. The culture within the department should promote information and systems security throughout the entire organization.
To support security measures and education, the committee suggested that all tests and exercises that involve Defense Department C4I systems should be conducted as if they are connected to a compromised network. People within the organization must be trained to use information system security tools and to place a high value on their use. The department should invest in research and development to further security efforts.
Both the department and the committee recognize that threats to defense information systems exist both inside and outside of the organization. “We are increasingly concerned about those who have legitimate access to our networks—the trusted insider,” Hamre says.
Jim McGroddy, chairman of the committee that produced the report, reveals that, in studying the department, the committee found a culture that does not focus on security. The committee witnessed no comprehensive audit procedure or use of advanced authorization technology such as biometrics. “The red team has readily been able to penetrate systems and people did not know systems had been penetrated,” McGroddy disclosed.
However, Defense Department officials claim that efforts already underway encourage information systems security. “We are increasing our deployment of more sophisticated intrusion detection and monitoring technology,” Hamre says. The department is teaming with industry to make sure commercially available products have a security framework. Research and development money is being spent to create highly assured products and systems. “We are instituting a real-time network monitoring and reporting structure,” Hamre adds, noting the department is increasing vulnerability assessment efforts as well.
The department has established a defense joint counterintelligence program to focus on critical defense systems and their protection from foreign intelligence operations and terrorist attacks. A joint counterintelligence evaluation office will keep leaders informed about threats to Defense Department systems. And, a defense computer forensics laboratory that works in close cooperation with the National Security Agency and the Federal Bureau of Investigation will provide computer investigation training for information assurance specialists and will process evidence related to criminal and fraudulent computer acts. The Defense Department also examined the organization’s Internet sites and instituted stringent procedures to avoid access via the public domain to classified or sensitive information.
The committee emphasized the importance of interoperability of the department’s systems and noted gaps and shortfalls in the department’s current strategy. Interoperability must be achieved throughout the system’s life cycle, and the department should develop a system to measure the interoperability of C4I systems, the report offers.
The notion of a broad interoperability strategy at the department should be replaced with interoperability goals to be met within particular mission “slices.” The committee suggested that the department establish processes to assess C4I interoperability on a regular basis such as using “interoperability scorecards” to manage C4I interoperability. In addition, C4I interoperability should be incorporated into readiness reporting at a higher level and should reflect a joint perspective as is already done when measuring combat readiness.
The report also calls for cooperation between the department’s offices to resolve architectural and system-level issues that determine interoperability, and it notes the need for a specific entity to provide the central point of focus for interoperability issues.
McGroddy says the committee found that the Department of Defense deals with interoperability in large task forces, relying too much on obtaining a consensus instead of managing the issue as would a business in the private sector.
Steps have already been taken to boost interoperability efforts, according to John B. Buchheister, special assistant for requirements analysis, Office of the Deputy Assistant Secretary of Defense for Command, Control, Communications, Intelligence, Surveillance and Reconnaissance, and Space. Buchheister served as the department’s liaison to the committee. As an indication of how seriously the issue is being taken, he notes that joint staff procedure is already being revised to include interoperability as a key performance parameter, and a joint command and control interoperability and integration group was established in November 1998 to address the issue as well.
However, some experts argue that the biggest problem is the department’s culture and its inherent web of processes. This, they say, will be difficult to change, and accomplishing any cultural shift would require long-term efforts from top-level leadership down.
The culture needs to change, McGroddy says. Within the department, the culture does not compare to that of private industry, he adds. Too many people and too many processes are required to implement action. Processes are “very adversarial. They are extremely bureaucratic, and the result is they are very slow,” he says.
The report states that operational processes within the department have not been tooled to achieve the maximum benefit of C4I technology. Current processes for acquisition of new technology must be adapted to promote the flexibility needed to keep pace with rapid advances. The study also suggests that the return on investment for C4I spending should be measured to assess its contribution to military effectiveness.
Existing methods of contract negotiation need to be modified to allow contractors to fulfill functional specifications instead of technical specifications, which usually drives up cost. Committee member H. Gregory Tornatore from the Johns Hopkins University Applied Physics Laboratory says this “80 percent solution” will enable the department to speed acquisition processes and cut costs.
The report also recommends the creation of an Institute for Military Information Technology, which would serve as a forum in which various levels within the military could discuss innovative ideas. This institute would facilitate training and education as well.
Better career opportunities for personnel and C4I specialists need to be promoted throughout the department, and it should increase its efforts to identify and retain well-trained personnel, according to the report.
“A culture has to be developed that places information technology in the lead,” Tornatore says. In the near future, he believes the focus on test and experimentation at the department should be increased to promote future technologies. “It’s an evolving process.”
“The issues that they [the committee] raised are cross-cutting,” Buchheister says about the findings. “These problems do not have simple solutions. They are going to take some thoughtful consideration.” But, Buchheister acknowledges that many of the problems the committee found are not unique to the Defense Department. “It’s pervasive across government.”
Buchheister summarizes the attitude at the department regarding the report, stating that it offers a fair representation of expert opinion from across the nation addressing the right issues. He says the committee did more than make “recommendations of the moment.” Instead, they made observations whose validity will likely endure—enough so to call for a systemic resolution.