The days of the United States’ stature as a force without equal appear to be over. The threat of near-peer competition with increasingly sophisticated adversaries is growing. As Secretary of Defense James Mattis says in the National Defense Strategy, "America has no preordained right to victory on the battlefield."
The Department of Defense (DOD) has long been at the tip of the spear when it comes to successfully melding IT security and operations (SecOps). Over the past few decades, the DOD has shown consistent leadership through a commitment to bringing security awareness into just about every facet of its operations. The growing popularity of hybrid IT poses a challenge to the DOD’s well-honed approach to SecOps.
Cybersecurity evolves daily to counter ever-present threats posed by criminals, nation states, insiders and others. To address the changing threat landscape, the National Institute of Standards and Technology (NIST) periodically updates its Risk Management Framework (RMF), a standards-based, security-by-design process that all IT systems within DOD agencies must meet.
The Defense Information System Agency’s Joint Regional Security Stack (JRSS) initiative is driving and delivering solutions to network defenders and operators across the department, answering a call placed three years ago when the Department of Defense (DOD) cyber strategy established as one of its goals the need to “defend the DOD Information Network, secure DOD data and mitigate risks to DOD missions.”
From an industry perspective there are many advantages to moving aspects of any organization to the cloud. In theory, cloud is more efficient and easier to manage, but organizations like the Defense Department need to make sure they are not bringing along their bad habits and old baggage with them. Legacy networks are hard to understand and have grown out of control in the last few decades. Cloud is as complex as legacy networks, but the difference is who or what is really maintaining them.
The U.S. military is exploring ways to make virtually everything—from the uniform on a soldier’s body to the engine contained within a vehicle—connected and mission ready. Troop movements are being monitored, as are soldiers’ health statuses. Aircraft and other assets are providing real-time insight into enemy movements and other potential threats. Decisions are being made based on this information, which has the ability to flow in an unerring stream. Indeed, the Internet of Things (IoT) has further elevated the military’s reputation as a well-oiled machine.
But, what if the machines that power that machine break down? What if heavy transport machinery stops running, or advanced weapons systems fail?
Defense computing systems need to operate in a highly disparate range of environments. Depending on the program’s requirements, ruggedness is a function of the environment each system will be deployed in. A system that operates just fine in a pressurized aerospace application, such as a wide-bodied aircraft, may have issues in a marine application, and may be completely unacceptable in a vehicle being driven through a hot and sandy desert. Even within airborne applications, the environment might be a wing-mounted pod that is completely unpressurized. Computing systems for each of these environments must be ruggedized to match requirements.
When rugged ... isn’t
U.S. Army stakeholders are working together to steadily modernize the network that reaches from the home station to the tactical edge. To understand this effort, one needs to understand the changing mission requirement for the command element at home station to maintain a consistent, secure, and reliable connection with dispersed, tactical teams maneuvering on the battlefield.
I have an entirely new appreciation for the U.S. Army. On a recent project, service officials broke the government’s often too-slow acquisition model, and instead worked together with us, the contractor, to define its needs, develop the right hardware and software, and then support the Army’s internal development and integration. This experience represents a significant change in the Army’s typical way of doing business, and it taught us both a few lessons.
The cloud and data security go hand-in-hand. While cloud computing provides valuable IT architectures and solutions for government agencies, it also requires them to relinquish data security to public cloud service providers.
The executive order signed by the president in May to strengthen the nation’s cybersecurity policies is evidence that the federal government has recognized and is going to take significant steps to address increasingly frequent and sophisticated cyber attacks. This order is a great first step, but must be supported by more innovative and flexible acquisition and procurement strategies and processes.
The National Institute of Standards and Technology's (NIST) benchmark for encryption modules has seen recent innovation, opening the playing field for competition.
For years, NIST’s Federal Information Processing Standards (FIPS) 140-2 validation list read like a Who’s Who of Fortune 100 technology vendors. Only those products that leverage cryptographic modules shown on the list were eligible for federal agency deployment. Until recent changes, only the deepest pockets could absorb the costs of development, testing and expensive consultants to facilitate introducing solutions into the federal marketplace.
Some government leaders still hesitate to make the move to public cloud services, citing security concerns, a lack of familiarity with cloud-based applications or the perceived need that employees must be educated on the cloud. Things have changed. Commercial cloud offerings are part of the modern technology arsenal that all agencies should be considering.
While I might not go so far as to pen an open letter to President Donald Trump, consider this a note for anyone with a need to know how the procurement process works for defining and moving ahead on military expenditures. It’s safe to say the behemoth process borders on the absurd and wastes millions of taxpayer dollars.
There are two types of government procurement issues many might find infuriating and prevent warfighters from getting the best industry offers. The two problem areas include the small business set-aside and the absurdity of asking for revolutionary capabilities but telling businesses how to do it using an evolutionary process.
Both procedures just get in the way of progress.
As the Defense Information Services Agency (DISA) knows, a network that complies with standards is not necessarily secure. DISA’s new evaluation program, the Command Cyber Operational Readiness Inspection (CCORI), is designed to go beyond standards. Its goal is to provide site commanders and federal agencies an understanding of mission operational risks.
In spite of an outcry from the federal work force for heightened access to wireless networks, U.S. government spending that would extend the service into offices reached a five-year low of $820.2 million in fiscal year 2015, a decline of 21 percent from its peak three years earlier, according to market research firm Govini.
SDN, BYOA, VDI. This alphabet soup of technologies and approaches has complicated U.S. Defense Department networks.
Trends such as bring your own device (BYOD), bring your own application (BYOA), software-defined networking (SDN) and virtual desktop infrastructure (VDI) have dramatically increased network vulnerabilities, where failures, slowdowns or breaches can cause great damage. For the military, specifically, such occurrences can be serious and mission altering, exposing incredibly sensitive data.
Much anticipation surrounds the U.S. Defense Department's transition to Windows 10, primarily because of the promise that the software update is a significant upgrade from its predecessor, and perhaps Microsoft's best operating system yet.
Nevertheless, a software overhaul can be intimidating. For agencies facing the Windows 7 to Windows 10 migration, the challenge often lies in the preparation—or the lack thereof. With Windows 7 nearing the end of its extended support timeline, it is crucial to have the proper training and migration plan in place to eliminate unexpected roadblocks and ensure a smooth deployment.
As the nation deals with intelligence reports of Russian hacks of the U.S. presidential election, some of us in industry are pondering how President Donald Trump will tackle cybersecurity issues.
He already has a good road map. In December, the Commission on Enhancing National Cybersecurity issued its “Report on Securing and Growing the Digital Economy.” Kudos are in order. It is high time the executive branch dug deeply into cybersecurity issues.
Do you work for a cyber company with federal government contracts? If so, hold onto your hat, because $210 billion in government information technology contracts will expire this year and be re-competed.