He continues:

Ten years later, the NMCI contract has expired and the continuity of service agreement is in place, so the Navy and Marine Corps are moving toward NGEN. It is interesting now that these services are struggling to find that same government talent to implement the transfer of the exact same system from the hands of industry back into the control and management of the government. It seems like an extremely expensive drill that was just completed in the opposite direction.

The Navy spent the first three to four years of the NMCI program changing the desktop from control of the government to the management of industry. Now it appears that it is on the verge of spending a few years shifting the desktop back to the other side of the desk, from industry management to government control.

Is this a good use of taxpayer money? I think not. Sometimes we get it just about right, and the NMCI approach may be one of those times.

For more on the history of the NMCI and the implications of the NGEN, read With NGEN, It’s Déjà Vu All Over Again and let us know your thoughts below.

At our home, we planned for years and hired a general contractor experienced in managing large renovation projects. However, he never could know everything about the house, nor could he anticipate the legacy changes and problems left over from multiple owners, previous renovations and earlier decisions. He may have been good, but he could not possibly foresee all of the idiosyncrasies that exist in a historic structure or the issues that we would face. Every opened wall would be an adventure. How do you budget for unknown factors of these types?

Once again, I was amazed at how very similar this process was to our maintenance and upgrading of government information technology systems. The government issues requests for proposals (RFPs) and hires experienced contractors. What security risks are embedded? Who wrote and owns the original code? Do our upgrades affect new requirements and policies? What happens if we shut down this system; what and who is affected? Do we have the budget? Do the defense contractors “know all of the idiosyncrasies that exist in a legacy system?” How could they possibly understand years of business rules, modifications and home-grown upgrades?

He relates the story of how, while renovating his home, he discovered a French Quarter fireplace behind plaster that changed his plans for a new master bathroom–but in so doing, made the location of a bulky air conditioner unit problematic. Since he’d invested quite a bit of money in placing that A/C unit, he was very stubborn about having to move it again. But doing so was the only way to make everything work. That, he says, is often a problem in government IT procurement:

What is the proverbial air conditioner in our government and business systems that we are not willing to move, even though it would make everything work? Did we invest in a technology a few years ago that now doesn’t scale, but we are not willing to move from our previous decision and continue to throw good money at a wrong decision? For the Military Health System, perhaps it is TRICARE On-Line. For the U.S. Department of Veterans Affairs, maybe it is VISTA. For the Navy, perhaps it is the Navy/Marine Corps Intranet (NMCI) or the Integrated Shipboard Network System (ISNS). Maybe they all work well, but just need to be updated and “moved” to make things work.

Read What Is the What Is the Air Conditioner We’re Not Willing to Move? and share your own ideas on what technology we need to stop paying for and move on to better solutions.

In the early 1970s, the music industry was transformed by the arrival of a practical solution to mobile music—the 8-track player. The world embraced this technology, which infected car stereos, home entertainment systems, portable players and lifestyles. While transformational, this technology soon was replaced by the cassette, followed by CDs and audio DVDs until Apple came out with the iPod—another game-changing technology. The market has created many forms of iPod docking stations for cars, clock radios, entertainment systems, airplane seats, pillows and every possible application. Uses include photos, FM radio, podcasts, videoconferencing and Wi-Fi. This technology is significantly smaller, faster, more comprehensive, more capable and inherently more user-friendly than its 8-track progenitor. The same lessons from this progression can be applied to command, control, communications, computers and intelligence (C4I) and government information technology.

Unfortunately, long budget and acquisition cycles, poor funding strategies and feed-the-beast mentality abound. Combine this with constantly changing leadership, burdensome safeguards, oversight, overhead, multiple audits, reviews and just overwhelming red tape, and it becomes almost impossible to deliver cutting-edge, agile technology development within government acquisition rules. Users exploit this technology every day in their outside lives but struggle to bring a similar capability into government—which still is stuck with the equivalent of 8-track technology.

Capt. Grace offers his own suggestions in this month’s Incoming column, “Time for Government to Dump Its 8-Tracks,” noting that while the 8-track player is “now DIACAP-certified, ruggedized, encrypted and able to be thrown out of the car window at 60 miles per hour unharmed,” it’s still obsolete. And the only way to correct that deficiency, he says, is to improve the acquisition process:

A good starting point would be to shorten the cycle for agile procurement; and remove overhead, processes, delay and the huge personnel costs supporting these processes. Shorter, less-costly sales cycles for the vendor community could reduce costs significantly. We need to stop funding older systems that in M.B.A.-speak represent a “sunk cost.” Good acquisition decisions take courage, intelligence and a full understanding of requirements, the technology at hand and underlying need.

So if that’s what *what* we need to do, how do we do it? What else is missing that holds government back, technology-wise?

We rarely promote deep levels of expertise in almost any area of the service. Most of our talent in information technology, cyber, program management, information assurance and acquisition is home-grown success and is subject to the luck of the draw, the shifting winds of assignments and permanent change of station orders. An officer who specializes in any one of these areas is unlikely to be promoted past O-5. Our senior program managers may have been great pilots, super ship drivers or tremendous tankers, but rarely are they subject matter experts on the project for which they are assigned. We consistently manage large programs with senior leaders who in many cases do not have the required levels of knowledge to be effective.

As the chief information officer for Navy Medicine, I relied heavily on the expertise of our staff and the officers who knew everything there was to know about information technology within military health. We relied on the input of doctors and nurses who had strong business skills and knew medicine and their processes. We relied on senior leadership for support. As a reserve line submarine officer with a strong business background in information technology, I may have known business and information technology—but they knew how it applied to the medical field. Without them, we would have failed. Yet their constant concern was that no career path was available to them as information technology experts in the medical world. The same is true in most disciplines within the services. In many cases we do not appreciate nor promote those whose expertise is critical to our success. If we are to continue to be successful as a nation and as a military power, this must change.

How can the military avoid cheating itself out of good personnel who leave for greener pastures?

Attacks will occur not just in the cyber domain, and nonmilitary activities—such as the protection of critical infrastructures—can have a profound effect on the outcome of an engagement. Lynn’s article recognizes this and provides a framework not only for implementing mission assurance but also for defining the military’s role within the broad national framework.

Clearly, many other public and private components will have to be engaged to provide a full national capability. But the strategy articulates a role for the Defense Department while the rest of the national—and international—discussion is underway. It also helps to frame the discourse in terms that are consistent with other military usage. The organization of U.S. Cyber Command with military service components—the Army Forces Cyber Command, 10th Fleet, 24th Air Force, Marine Corps Forces Cyberspace Command—is one example. The use of terms such as “part sensor, part sentry, part sharpshooter” to describe active defense systems is another. Some people doubtless will see this as a militarization of cyberspace. But it will be important to differentiate roles as the broader debate plays out, and the article clearly describes its focus as “the Pentagon’s cyberstrategy.”

However well formed the strategy, how it is implemented will be crucial. Several approaches exist. Since 2003, DOD Instruction 8500.2 has defined a set of mission assurance criteria, ranging from “Vital” to “Needed.” The MITRE Corporation, Booz Allen Hamilton Incorporated and others have outlined ways to operationalize mission assurance that align well with the new strategy. More work remains to be done, but because this cyberstrategy probably will be subject to extended debate, there will be chances to refine the processes.

How can the private sector do a better job of meeting the requirements of the new cyberstrategy?

In the end, it all comes down to people. When Lou Gerstner was chief executive officer of IBM, he asked how he would know if his organization had a good information assurance program. The answer was: “Walk down the hall. Find a random employee. Ask them three questions: ‘Would you know if your computer was being interfered with?’ If yes, ‘Would you know whom to call to get support?’ If yes, ‘Would you care enough to call?’” Unless you can answer “yes” to all three of these questions for each of your employees, you can spend all you want on technology and still fail on the people side.

As the gap between functionality and security continues to grow, how can organizations develop security policies that people will understand and follow?

In last month’s SIGNAL, Wells noted that “the U.S. government—and others—consistently have failed to treat information and communications as either a critical infrastructure or as an essential service in Afghanistan.” He continues that theme this month, pointing to UnityNet as a much-needed resource for that conflict:

As the strategy in Afghanistan has shifted away from counterterrorism and toward counterinsurgency, stabilization and reconstruction, the emphasis on the ground has shifted to a population-centric approach. This generates a need for previously neglected “white” information about the Afghan people. Sensitive intelligence, surveillance and reconnaissance approaches may be needed to obtain information about “red”—Taliban—targets, but much of the population-centric information is available from open sources. These include the Internet and nontraditional partners such as NGOs and PVOs.

The ISAF-led coalition thus must engage more effectively in this environment, and this is where UnityNet is focused. Part of this is knowledge management, but bandwidth also needs to be increased because Internet access in the field is limited for ISAF, Defense Department and intelligence units as well as for civilian players. Facilitating communications among civil and military government entities, as well as with civilian and Afghan partners, requires an integrated information and connectivity initiative.

In this context, UnityNet can encourage a self-sustaining, open-sharing environment that can help connect economically disadvantaged populations to the global community via the Internet. The underlying tenets are straightforward: First, open information empowers and informs populations to take action on their own behalf. Second, an informed populace, supported by an informed international community, is more likely to make better choices for its cultural, socio-economic and governance challenges.

Be sure to read the entire column here. Linton traces the path from how technology helps with relief efforts in Haiti to how it can be used in Afghanistan. Most importantly, he says, these initiatives “help move the population-centric information that is in people’s minds, notebooks and disconnected computers onto the Internet so that it can be discovered and shared for maximum benefit.”

He then challenges readers: “Now think of how you can support UnityNet-like approaches.”

We have now a comparable situation in the Department of Defense. New policies and guidance have been issued that declare, in effect, that well-behaved gentlemen and gentlewomen should abstain from reading potentially toxic attachments to social computing messages.

Such policies and guidance do not promote the security of defense networks and should be therefore modified.

The Deputy Secretary of Defense Memorandum
The Deputy Secretary of Defense issued a policy for guiding the uses of Social Networking Services in a Directive-type Memorandum of February 25, 2010. The memorandum acknowledges that “… SNS capabilities as integral to operations across the Department of Defense using the Non-Classified Internet Protocol Router Network (NIPRNET).” There are at least five million computing devices connected to the Department of Defense networks.

This policy is deficient in that it does not address the danger of allowing access to web services, such as social computing, that can insert malicious software attachments to any message. Such insertions from the Internet, if opened, can then compromise the security of computing devices on numerous networks.

The DEPSECDEF generic policy states that: “commanders shall defend against malicious activity” and “commanders shall deny access to sites with prohibited content, such as pornography, gambling, hate crime activities.” Unfortunately, none of this can be executed with the existing manpower. It cannot be enforced using the available technical means.

Browsers exist in every personal computer. They can connect to millions of web pages without anyone in the DoD having the capacity to restrict access to every potential source of malware. Without enforcement there will be always web pages from where a military or civilian person can download computer code that subsequently trigger attacks that can be launched from the inside of the NIPRNET.

Even with firewall and anti-virus protection, which is always imperfect, there will always be web pages capable of delivering malware to DoD. This is because the malware will always be technically superior to any institutional defenses, which are administered by overworked, understaffed and under-resourced personnel. Therefore DoD cannot and should not depend on blocking of known sites and certainly not on malware protection safeguards managed by error-prone people.

The Air Force Public Affairs Agency Guidance
In November 2009, the Air Force Public Affairs Agency released Version 2 of the guidance for using LinkedIn, YouTube, Flickr, Facebook, MySpace, and other social media sites.

The Air Force offers rules for gentlemanly conduct in posting social media entries:

• Do not post classified information
• Replace all errors
• Readily admit mistakes
• Use best judgment in whatever your post
• Avoid offensive language
• Abstain from violation of privacy
• Never, but never lie.

The problem with the Air Force guidelines is that they do not acknowledge the danger of picking up code that is toxic. Although an attachment may appear to be harmless, it can contain harmful code. A click will unpack a hidden program that can be lodged where it can do the greatest harm either immediately or eventually whenever it becomes unleashed.

Clever “social engineering” of incoming messages will aggravate such perils. Social media reveal much information about sources. Private information makes it possible for an attacker to construct a plausible message that will be opened without further examination.

The existing DoD policies that promote the use of social media may continue, but must also include enhancements that provide for the complete separation of secured NIPRNET desktops from the capacity to access the unprotected Internet without acceptable restrictions.

Offering to the military and to the civilians separate but different desktops, displayed on an identical computing device by means of virtualization is now feasible and represents mature commercial practices. This approach is also affordable, especially in the case of thin clients where such approach offers opportunities for achieving quick as well as major cost reductions.

There is no reason why the existing DoD policies should not be revised through the introduction of more advanced technical means that will manage automatically how the general access to social computing can be achieved with assured safety.

Paul A. Strassmann is a Distinguished Professor at the George Mason University. He is the former Director of Defense Information, Office of the Secretary of Defense.

To see Strassmann’s recommendations for implementation of social media practices using virtual computers, see his follow-up to this post, Cases in How to Practice Safe Social Computing.

The views expressed by our guest bloggers  are their own and do not necessarily reflect the views of AFCEA International or SIGNAL Magazine.

Networking on the move is the wave of the future in the complex physical environments where ground forces operate. Such environments may be urban or rural, broad- maneuver battlefields or terrain around forward operating bases. As communications shift from circuit-switched to packet-switched, line-of-sight connections with one radio in a network can provide connectivity to all radios in a cluster. Unified capabilities—voice, video and data—along with more classified information are moving closer to the tactical edge. Future systems will be modular; reconfigurable to meet the changing needs of mission, enemy, troops, terrain and time (METT-T); and scalable to task and purpose. Future radios will be upgradeable as technology advances. And, radios increasingly will be agile enough to adapt spectrum use to local circumstances.

So what’s not to like? Consider a few important challenges: weight and power, spectrum availability, satellite access, coalition interoperability and balancing the cost and capabilities of software-defined radios to user needs.

Wells expands on these challenges in the article, which you can read here. But it leads to an interesting question, one which we’d like to hear from SIGNAL readers on. How can industry rise to meet these challenges?

Responsible unclassified information sharing offers huge benefits in virtually all operations in which we’re likely to be involved. There always will be security concerns—often legitimate—but the benefits of a responsible sharing environment need to be weighted heavily against visceral inclinations to protect. The underlying point remains that the United States and its partners cannot achieve their social, political and economic goals without effective ways to engage outside the wire.

Do you agree with his assessment? Do you think the potential security concerns outweigh the benefits of sharing unclassified data? Is there another way to make efforts in Afghanistan successful?

To share your thoughts, read the full article or leave a comment below.