A New Approach Is Needed to Protect Defense Department Cybersystems
Less is not more when budget cuts constrain effective cyberdefense.
Budget cuts and rapidly improving information technology are forcing the U.S. Defense Department to confront increasing cybersecurity demands without commensurate increases in available resources. Cybersecurity costs are increasing with both the complexity of new technologies and the worsening threat picture. However, solutions to this challenge do exist—if the Defense Department opts for new approaches.
One way of characterizing the current Defense Department situation is to view it as an inability to meet rising demands for systems without having adequate funding for cyberdefenses. Meanwhile, the costs of cybersecurity are rising. The progress in meeting increased cyberthreats is lagging, which is not acceptable.
The department needs to anticipate that the defenses against cyber attack incursions will be growing both in scope and in complexity. At present, the costs of cyberdefense are reaching levels that are not affordable. Therefore, the immediate step in managing the information technology budget for 2015 and beyond is to start reducing the costs of cyberoperations. This calls for the formation of a unified joint cyberdefenses overlay that is based on virtualization of security services and a centralization of defenses.
According to the Office of Management and Budget (OMB), the $35.4 billion Defense Department 2015 information technology budget represents a decline of 6 percent. Such cost reductions will offset the budget gains made by all other agencies. The Defense Department now is in a position to fund all other federal government information technology spending increases. Clearly, the reductions in 2015 defense information technology expenses will require the application of unprecedented solutions.
Cyberdefenses largely are the reason that has occurred. Defense Department information security spending for fiscal year 2013 is now $7.1 billion, or 19.4 percent of the total defense information technology budget. That share of total costs represents the single largest share of available money to be used for protection. Spending for security is likely to rise again in fiscal 2015. So far, cyberdefenses are incomplete. To reach the mandatory 100 percent compliance will be costly because the capture of all of the remaining inadequacies is increasingly difficult.
Cyberdefense comprises three categories: Prevent malicious cyber activities ($2.5 billion); detect, analyze and mitigate intrusions ($1 billion); and organize the cybersecurity environment ($3.6 billion). And, most likely, these costs are understated. Cybersecurity related to the organization, as well as training expenses, are incurred in the military services and with contractors, where these costs are not accounted for directly.
A list of indicators (see box, bottom of this page) suggests that large amounts of work must be done to reach an acceptable security condition. Attackers may leverage the slightest omission in defenses to penetrate their chosen targets.
A fifth of the Defense Department’s total information technology spending now is committed to security, which is by far the largest share of expenditures in the records. The department also must expend more than 60 percent of its information technology budget on maintaining ongoing operations. Consequently, less than 10 percent of the money is available to bring in innovative information technologies that would satisfy the rapidly evolving new demands for an armed force that is undergoing a major transformation on how to carry out its missions. The Defense Department information technology budget is underfunded unless new approaches can be found to alter how increasingly scarce funds are spent.
Security spending is mandatory and cannot be changed, because in the age of information, warfare insecurity can be fatal. Unfortunately, improved security does not deliver economic benefits. It should be seen as nonproductive overhead and not as a contribution to business value.
At present, the Defense Department finds itself unable to deploy its information technology to meet the needs required for supporting information operations. The department seems to be stuck in advancing its information technology capabilities at the critical time when second-generation systems are starting to be replaced by third-generation solutions, which offer enormous expansions of processing capacity at a much lower cost. The department must determine how to advance from the current dearth of funds to making many innovative investments.
An immediate reduction in security spending will be necessary to help the Defense Department escape from its current insufficiency of innovation funds. Plunging into modernization of the existing inventory of diverse applications is not feasible. Legacy systems consist of thousands of applications, each with their own programming codes that are operated with incompatible databases, each with their own noninteroperable architectures. Retrofitting security capabilities for every situation cannot be accomplished because the wide diversity of contract vehicles would make such acquisitions difficult to execute.
Replacing legacy systems to improve performance is too costly. It would take years to do that if the Defense Department lives with the current limitations in development funds. The need for protection is now.
The only workable solution is to leave existing applications in as-is conditions except for overlaying information security into a shared security platform on top. Security should not be an attachment to individual systems but instead a part of a shared infrastructure platform. Such an approach will eliminate fragmented procurement and development practices. It will assure consistent deployment of cybersecurity technologies.
This type of shift will require strong leadership from the Office of the Secretary of Defense. Defense Department components would have look to support from a shared security infrastructure for all new projects rather than procure new security solutions for each project. Meanwhile, application enhancements and maintenance for legacy systems can remain as a component asset. Only the security infrastructure layer would assume the characteristics of a joint environment.
Cyberattacks do not discriminate between Army, Navy or Air Force targets. In the era of cyberwarfare, targeted attacks will enter an Army system and then penetrate a Navy application. Therefore, components must share the ownership of common security countermeasures instead of creating multiple points of vulnerability at security interfaces currently located for each separate server.
This type of architecture will require setting up a central support organization to proceed with the adoption of joint security services. Particular attention should be given to the strengthening of governance, so that implementation could proceed without further delay.
The technical solution for finding a consistent approach to offering a broad spectrum of security features is to impose an add-on hypervisor overlay on all hardware facilities. Software-defined communication servers then can operate as virtual machines. Such virtualization would allow a collection of servers to operate as if it were a single virtual operating platform. In this way, multiple instances of operating systems for separate applications can share the virtualized hardware resources under identical security controls.
The creation of shared cybersecurity services in turn will require the creation of several network control centers (NCCs) where scarce personnel, including counterintelligence staffs, would be placed. NCCs should be housed in high-security buildings, and each should be set up as a fail-over site for every other NCC. How the NCCs should be managed becomes a policy matter. The NCC facilities also would become the hubs for managing the communications infrastructure for the entire Defense Department.
Placing cybersecurity countermeasures into an all-encompassing infrastructure will require operations to be controlled by a comprehensive suite of security software to update security features from multiple control consoles in real time. These central controls should be performed rapidly to reduce the gap between the initial detection of potential security breaches and the capability of the NCC responders to invalidate unprecedented attacks.
Transforming individually managed security capabilities to joint operations then can be accomplished through the virtualization of all servers. When the newly added network security layer is overlaid, the Army, Navy and Air Force no longer will face the laborious efforts involved in providing security features for each separate application. Instead, server security will be managed centrally as an enterprisewide joint service. This arrangement would simplify the modification of new security capabilities in seconds and minutes rather than in hours or weeks.
The virtualized joint security service would leave the individual services with full control over applications without interfering with their existing features or functions. Legacy applications would remain in place, and only the top virtualized layer would take over the security protection missions. All of its savings would be realized in the form of a steep reduction in cybersecurity costs to a target of less than 10 percent of the total information technology budget. Commercial firms, particularly well-protected financial services enterprises, already have managed to concentrate security services across all applications into top-level layers where the countering of all cybersecurity penetrations is mostly encountered. The Defense Department can learn from them.
Paul A. Strassmann, a retired vice president of Xerox, is the former director of defense information, Office of the Secretary of Defense.