
Innovating Military Management Systems To Mitigate Hardware-Related Vulnerabilities

Overhauling, optimizing and automating U.S. Army logistics and information technology management systems can prevent exploitation of hardware-related vulnerabilities.
By Maj. Jonathan Harbin, USA

Second Place in The Cyber Edge Writing Contest


The U.S. military urgently needs to change the current systems and processes for information technology (IT) inventory, compliance and account management to include a means for the two systems to communicate.

Approximately three of every four service members rely on a government computer to complete routine tasks, improve readiness and achieve unit goals. Many military systems are receiving innovations, so why shouldn’t information technology and related logistics management programs be next for consideration? Management and maintenance of this equipment are vital to defending national security, yet the status of the IT automations equipment that manages or maintains the digital readiness of the force is reported less often than that of vehicles and weapons systems.

During the monthly readiness review of the Unit Status Report and the command and staff meetings, there will be a line-by-line level briefing on the readiness of Humvees and M4 rifles (for example). Still, one would rarely hear topics such as the status of installing the most recent Windows OS monthly patch to defend against the latest vulnerabilities discovered or the status of execution of the required 20% Annual Life Cycle Replacement (ALCR) of automations equipment. This automations equipment consists of devices found in nearly every Department of Defense unit, including laptops, monitors, phones, networking equipment and printers that can “quickly” reach end-of-life or end-of-support without notification to the owner or user.

This decreased state of digital readiness reporting is partially due to the disconnect between the inventory management system and IT management systems, more specifically, the lack of integration between Global Combat Support System-Army, Microsoft Active Directory, Assured Compliance Assessment Solution, Computer Hardware Enterprise Software Solution (CHESS), IT Approval Service and Army Portfolio Management Solution. Overhauling these systems to create an integrated IT Inventory as a Service (ITIaaS) management system would ensure that updates are completed promptly and that life-cycle management of IT automations equipment is maintained on schedule, preventing threat actors from zeroing in on susceptible end-of-support equipment.

The 20% ALCR was implemented to ensure that equipment remains compliant with the required hardware security updates to mitigate threats against these systems and that it remains on schedule with vital software updates. Threat actors are constantly attempting to disrupt the U.S. military decision-making processes, and these automations systems are an extension of the attack surface as well as a main component of the decision-making tools. These automations tools are an essential component in defending against cybersecurity attacks, such as the Russian attack against Ukraine’s critical IT infrastructure as well as the Hamas attacks against the communications infrastructure of Israel.

Currently, many units are unaware that they have outdated equipment on the verge of being end-of-life or end-of-support.

IT Approval Service and Army Portfolio Management Solution are tools for achieving approval for IT-related purchases, which include the required annual purchases. There is currently no system that tracks the status of a unit’s ALCR of its automations equipment and shows IT managers which equipment is eligible for ALCR, what was recently replaced, what needs to be removed from the unit’s inventory (end of life) or what should be placed on order for the current year. This lack of visibility decreases operational readiness due to outdated, mismanaged or poorly functioning equipment. A system designed to integrate the previously mentioned IT and logistics databases would provide enhanced inventory control systems (minimizing gaps in the supply kill chain) that integrate the IT management systems, improving the unit’s ability to command and control vital systems and processes during contingency operations.

The numerous systems and management tools mentioned previously do not communicate with each other for the common purpose of providing oversight of Army automations equipment. Logisticians view a computer as just another piece of property. They don’t keep up with cybersecurity requirements and are unaware if the computer will be installed on the Non-classified Internet Protocol Router network or Secret Internet Protocol Router network. Global Combat Support System-Army is a system that integrated previous maintenance and inventory management systems for all Army equipment. This system often does not provide or include the metadata associated with a computer in the accountability paperwork, such as the make, model, manufacturing date, date of warranty expiration and training credits that were associated with this purchase. This metadata is not tracked in Microsoft Active Directory either, which means IT managers cannot track the key data points previously mentioned that drive life-cycle replacement and digital readiness for a unit.

Active Directory implements a mandated naming convention that depicts identification specific to the unit and base to which computers have been assigned, a universal system across the U.S. Army. Active Directory also reports the users assigned and the latest security patch update for that computer. Units also use this tool to identify the location of computers assigned to the unit during routine accountability checks, when verifying the location of computers that have recently been connected to the local Army network. However, the means of accountability through Global Combat Support System-Army is the manufactured serial number, while Active Directory uses the uniquely assigned computer name for tracking. This mismatch is the cause of hours or days of frustration for numerous commanders, executive officers and Signal officers throughout the Army formations due to the dynamic nature of the ownership and locations of these computers.

Three main components of the IT purchasing system are CHESS, IT Approval Service and Army Portfolio Management Solution, with CHESS being completely disconnected from the others and related workflows. IT Approval Service is the approval and staffing process that sends a workflow through the levels of command ending at Army G3/5/7 for final approval, confirming that the requesting unit is using its funds for authorized readiness-improvement purchases for IT equipment. IT Approval Service also ensures that government-approved vendors, such as those found on CHESS, were used for this purchase. Army Portfolio Management Solution is the funding approval and staffing system for the unit’s IT purchases, which is combined with IT Approval Service and has control points that feed into the IT Approval Service IT purchase packet for progression to the final approval. On average, this process takes approximately 30 days to get final approval, followed by another 30 days of staffing the purchase through the local contract purchase management office. Once that stage is complete and the purchase is made, there is likely a wait of another 90 days or more for the manufacturer to produce and ship the ordered equipment. Once the order is placed, there is no status update or estimated arrival date available to the IT manager or S6.

Creating an ITIaaS management system would solve the conflicts and vulnerabilities created by the existing systems not communicating. The proposed system would communicate between Global Combat Support System-Army and Active Directory, replacing IT Approval Service, CHESS and Army Portfolio Management Solution. It would prompt the IT manager/S6 to execute the ALCR purchase with a preformatted package option aligned with the current assigned inventory. Executing this function would let vendors know that a purchase is pending. The system would then conduct the functions currently found in CHESS, IT Approval Service and Army Portfolio Management Solution by creating a quote that reflects 20% of current inventory with approved vendors to be processed through a user-friendly workflow staffed through appropriate channels with the target time for completion of one week. The standard for the user experience would be similar to what customers find on commercial e-commerce websites such as Amazon.

Previously mentioned metadata would be included in all components of the purchase process to include the assignment to the unit. Once the order is shipped to the unit, the logistics manager and S6 will get a notification 96 hours from arrival with a user-friendly workflow to confirm receipt of the order and then have this equipment added to the unit inventory in Global Combat Support System-Army with the associated metadata. This new equipment would then be tagged as part of the unit ALCR equipment to be replaced in four years. This batch of computers would then be assigned to the unit in Active Directory with associated metadata. This allows the unit to produce a commander’s visualization product that could portray the unit’s digital readiness for addressing the monthly patch requirements and progress of the ALCR purchases through an easy-to-digest dashboard integrated with a program like Vantage for reporting tools. This system would also include a “find my” type of service to play a sound to a connected laptop during accountability checks.
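The serial-number versus computer-name mismatch and the shared metadata described above can be illustrated with a small reconciliation, added here as an example and not taken from the author or any Army system. The record layouts, serial numbers, computer names, dates and the 30-day patch window are constructed assumptions; only the four-year interval and the 20% share come from the article.

```python
from datetime import date

LIFE_YEARS = 4          # replacement interval stated in the article
ALCR_PERCENT = 20       # annual replacement share stated in the article
PATCH_WINDOW_DAYS = 30  # assumption standing in for the monthly patch cycle

# Constructed property-book rows, keyed by serial number (hypothetical schema).
PROPERTY_BOOK = [
    {"serial": "SN1001", "received": date(2020, 3, 1)},
    {"serial": "SN1002", "received": date(2021, 6, 15)},
    {"serial": "SN1003", "received": date(2023, 1, 10)},
    {"serial": "SN1004", "received": date(2019, 11, 20)},
    {"serial": "SN1005", "received": date(2024, 5, 5)},
]
# Constructed directory export, keyed by computer name. The "serial" attribute
# is the shared metadata the article proposes; it is assumed to be populated.
DIRECTORY = [
    {"name": "UNIT-LT-001", "serial": "SN1001", "last_patch": date(2025, 1, 14)},
    {"name": "UNIT-LT-002", "serial": "SN1002", "last_patch": date(2024, 10, 8)},
    {"name": "UNIT-LT-003", "serial": "SN1003", "last_patch": date(2025, 1, 14)},
    {"name": "UNIT-LT-009", "serial": "SN9999", "last_patch": date(2025, 1, 14)},
]

def due_date(received):
    """Date on which an item reaches the end of its replacement interval."""
    try:
        return received.replace(year=received.year + LIFE_YEARS)
    except ValueError:  # received on 29 February, target year has no such day
        return received.replace(year=received.year + LIFE_YEARS, day=28)

def readiness_report(property_book, directory, today):
    """Join both record sets on serial number and list every gap."""
    by_serial = {row["serial"]: row for row in property_book}
    seen = {row["serial"] for row in directory}
    quota = -(-len(property_book) * ALCR_PERCENT // 100)  # ceiling division
    oldest_first = sorted(property_book, key=lambda r: r["received"])
    return {
        "not_in_directory": sorted(s for s in by_serial if s not in seen),
        "not_on_property_book": sorted(
            r["name"] for r in directory if r["serial"] not in by_serial),
        "past_life_cycle": sorted(
            s for s, r in by_serial.items() if due_date(r["received"]) <= today),
        "patch_overdue": sorted(
            r["name"] for r in directory
            if (today - r["last_patch"]).days > PATCH_WINDOW_DAYS),
        "alcr_quota": quota,
        "replace_this_year": [r["serial"] for r in oldest_first[:quota]],
    }

if __name__ == "__main__":
    for key, value in readiness_report(PROPERTY_BOOK, DIRECTORY, date(2025, 2, 1)).items():
        print(f"{key}: {value}")
```

Each list in the report corresponds to a line a commander’s dashboard could show: equipment accounted for but never seen on the network, networked machines missing from the property book, items past their replacement interval, and machines behind on patches.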

An ITIaaS management system would better allocate service member hours that could be used to do other tasks to further improve the unit’s readiness. This service would be intended for all units with computers, which would have a significant impact on the entire force. It would automate many crucial yet time-consuming tasks that the S6 should be doing each year for the unit’s ALCR, yet that might not be accomplished because the process and steps required are often not common knowledge.

When it comes to IT inventory, compliance and account management systems, the Army must implement a change to increase readiness across the force. Several databases should be connected or merged into one so units can maintain accountability and cyber compliance much more easily. ITIaaS could solve this problem by implementing artificial intelligence/machine learning to gain visibility of the current inventory and the target of the unit ALCR program to keep 20% of the equipment refreshed each year to ensure digital readiness. The threats against the U.S. government are real, and having unprotected older equipment could be the vulnerability that threat actors are looking for. U.S. military leaders should work with their industry partners to implement this solution. These leaders need to shift a portion of their focus to the force’s digital readiness, comparable to the focus they give weapons systems and vehicles. Computers are the weapons of the warfighting staff that will be critical in the next conflict, so a management system should be implemented that ensures the highest state of readiness against our adversaries to protect the American way of life.

Maj. Jonathan Harbin, USA, is a graduate of the University of South Carolina Upstate, has 22 years of service and currently serves as the future operations officer in charge for the 35th Corps Signal Brigade. His previous assignments consisted of leadership roles at levels of operations ranging from Platoon Leader to Theater Staff.

