Why DHS Is Merging Cyber and Physical Security

Why DHS Is Merging Cyber and Physical Security

As hackers steal data from political campaigns, health insurance giants and even the CIA director’s personal email account, agencies and businesses are becoming hyper alert to cyber defense. But physical breaches may pose even more risk to government computer systems than cyber intrusions, because physical access opens so many more channels of attack.

That’s why the Department of Homeland Security (DHS) is now rethinking its cyber strategies and looking for ways to better link cyber and physical defense. DHS expects to begin merging the two by creating a Cybersecurity and Infrastructure Protection Agency in 2017. Doing so will require Congress’ approval, but legislation to create the new agency is already working its way through the House of Representatives.

The new agency would focus on defending the nation’s critical infrastructure against both cyber and physical threats, DHS wrote in a March report to Congress.

Physical attacks can affect cyber networks and cyber attacks can have serious physical consequences, the report says. By merging defenses, it continues, “we can detect physical manifestations of cyber events as well as physical events that may impact information and communication technologies, systems, and networks.”

Indeed, Peter Giannoulis and Stephen Northcutt write in a paper published by the SANS Institute, “Physical security breaches can result in more issues for an organization than a worm attack.”

Thumb drives or other devices connected to a network can infect other users. Wireless keyboard sniffers plugged into electrical sockets can surreptitiously “slurp” up logons, passwords and other valuable data. And rarely are security personnel even faintly aware of these risks.

At DHS, security capabilities have “grown up in stovepipes,” the agency acknowledges, but the two realms of defense can no longer afford to be so distinct.

DHS isn’t alone, according to Peter Romness, a cybersecurity programs lead at Cisco Systems. Many organizations “are merging their physical and cyber security infrastructure,” Romness said. “The availability of the technology and the economies of combining the networks are driving adoption.”

By linking cyber and physical, security departments can gain greater insight into employee behavior and patterns, and put that information to work to better protect systems. After all, video cameras, motion detectors, audio sensors and card key or biometric access controls are already in place. The difference is that now it’s possible to align all that data to gain a fuller picture of what’s really happening in a facility and across its networks.

With discipline and tougher controls over cyber access, managers can greatly improve defenses, says Ayal Vogel, vice president for business development at the cybersecurity firm Radiflow.

Consider the case of on-site contractors hired to maintain cyber systems, he says. These vendors often have unfettered access to buildings and the computer systems inside them. “They can walk right in through the front door and have access to the whole facility,” Vogel said. And yet cyber system managers “have no idea what they’re doing on the network.”

That’s a vulnerability.

Integrating physical security with cybersecurity enables agencies and businesses to overcome that weakness, Vogel said. So Radiflow integrates positive identification at the door with access to the network. Now, instead of letting in an outside vendor and trusting that he won’t stray from his assigned mission, security mangers can strictly limit his access to only the specific physical spaces and networked equipment he needs to touch. Everything else is off limits. Access can be determined in advance and spelled out in a work order.

If the technician deviates from the work order, such as connecting an unauthorized device, say a thumb drive, to the network, or issuing unauthorized system commands, the security system detects, blocks and reports it. In addition, physical security devices, such as video cameras, swipe cards and biometric identification systems track the technician’s whereabouts while he is inside the facility.

Expensive? “Relatively expensive,” Vogel conceded. “But a lot less expensive than a data breach.”

‘Micro-Segmentation’
Networking giant Cisco Systems encourages its customers to adopt similar multi-layered defensive measures. It’s “what we call micro-segmentation,” Romness said. It “allows access to resources based not only upon who the user is, but on how they’re connected, where they’re connecting from, the time of day and many other factors. This way, someone with access to the heating and air conditioning could be prevented or detected as they attempt to access point-of-sale data.”

Security is augmented when cyber and physical defenses are linked, Romness said. For example, when someone tries to log into a computer, it would be odd if they haven’t already swiped into the building.” Linked systems would spot that.

Concerned that cybersecurity professionals aren’t paying enough attention to physical security, Douglas Jacobson, chairman of the Information Assurance Center at Iowa State University, added physical protection elements to his center’s annual “Cyber Defense Competition.”

The competition, which helps prepare students for cybersecurity jobs, historically focused on protecting websites, email servers, logins, credit card information and other elements “you would think of as normal cyber security,” Jacobson said.

Last winter, Red team attackers threw a wildcard into the contest. They targeted an electrical power substation and Blue team defenders moved to block the attack. While most defenders struggled in vain to discover the digital vulnerabilities attackers had exploited, “the smart teams dispatched someone to the substation,” where they discovered the break-in had been a physical assault, Jacobson said.

Gaining physical access to power substations, which are typically unmanned and often in remote locations, can give intruders access to servers and the computerized control systems that keep electricity flowing. That means they can shut off power.

Like the electric grid, water and sewer lines, transportation systems and oil and gas pipelines are all potential attack targets, Jacobson said. And students studying cybersecurity need to understand that in the working world, attackers won’t play by predetermined rules limiting them to websites and business networks. Instead, they’ll target vulnerabilities wherever they can find them.

Digital Divides
Hand-Security
For managers planning new facilities, the interconnectedness of physical and digital security has never been more clear. New campus and building facilities today are built around network backbones that support information technology requirements as well as building operations – everything from controlling utility usage and heating, ventilation and air conditioning to on-site security. It’s essential that both chief security officers and chief information security officers are involved in making those decisions, says Chris Burns, vice president of cloud computing and cybersecurity services at General Dynamics Information Technology.

“Involving the chief security officer in the design stage is obvious,” Burns said. “But making sure your chief cyber defender is there too is not. People think of data security like they think of software – something you can always change later. But involving the CISO early on is essential to making sure operations networks are properly protected.”

Physical and information security are completely intertwined in modern buildings and campuses, Burns said, and both parties must be involved in planning and operating those systems.

Still, noted CISCO’s Romness, there’s still “a large discrepancy in security maturity throughout the industry,” and many organizations are not ready to connect information and physical security.

There are institutional rivalries to deal with, as well. In many organizations, cybersecurity has a larger budget than physical security – and wants to keep it that way, Vogel said.

“Big organizations have problems breaking down barriers because they have so many levels of authority,” he said. Managers resist change when they stand to lose influence during organizational makeovers. As for small organizations, they “often lack resources” to build effective defenses, he said. In either case, “they need a strong executive at the top who understands how to look at security holistically.”

ISU’s Jacobson agreed. The two branches of security “are different enough that there is some desire to keep them separate, especially in large organizations,” he said. “But clearly they should be in close communication,” perhaps even reporting to a single security chief.

At a minimum, organizations should “get the physical and cyber people in the same room” to war game security together, Jacobson said. “Brainstorm about how you would break in – nothing’s too crazy,” he urged. “Those sorts of discussions may not happen as much as they ought to.”

Cisco’s Romness sees that happening today as chief information security officers (CISOs) and chief security officers (CSOs) discover they can help each other.

“We are oftentimes seeing formal organizational relationships between the CISO and the CSO, with one working for the other or with the two reporting to the same manager,” Romness said.

“Cybersecurity is a boardroom issue now,” he added.  “Mature organizations share resources and realize that they must work together for the safety and security of all.”

Related Articles

GDIT Recruitment 600×300
GDIT HCSD SCM 5 250×250 Truck
NPR Morning Edition 250×250
AFCEA/GMU Critical Issues in  C4I Symposium 250×250
GDIT Recruitment 250×250
USNI News: 250×250
Nextgov Newsletter 250×250
Unpacking DoD’s Cyber Strategy and $6.7B Spending Plan

Unpacking DoD’s Cyber Strategy and $6.7B Spending Plan

Congress will likely approve Defense Secretary Ash Carter’s $6.7 billion cyber budget request for 2017 – a 15.5 percent increase over 2016 – but lawmakers want more detail on future spending requests.

The Defense Department’s five-year spending plan calls for an additional $7.2 billion in cyber funding, bringing total cyber spending to $34.6 billion from 2017-2021.The House Appropriations Committee report accompanying the 2017 defense appropriations bill expresses concern “over the lack of detail and clarity regarding how requested funding will be spent.” It seeks two reports on cyber spending in the year ahead. Due next year by April 1 and October 15, the reports must detail cyber obligations and expenditures down to the line-item level.

Ash CarterCarter told Senate appropriators in February that his cyber budget “puts a priority on funding our cyber strategy,” and “also reflects our efforts to make a fundamental shift toward a culture of accountability in cyberspace, from instituting a DoD-wide cybersecurity scorecard to monitor our progress to increasing individual knowledge about practical ways to defend against cyber intrusions.”

And in a speech to the Economic Club of Washington, Carter said increased cyber spending “will help to further improve DOD’s network defenses, which is critical; build more training ranges for our cyber warriors; and also develop cyber tools and infrastructure needed to provide offensive cyber options.”

When it comes to specifics, Carter’s April testimony before the Senate Appropriations Committee lays out plans for the next five years to invest:

  • $336 million “to support more capable [military] network perimeter defenses.”
  • $378 million “to train and strengthen DoD’s Cyber Protection Teams … grow our cyber training and testing ranges and support tool development.”
  • $454 million to develop alternative sources for advanced “trusted microelectronic components needed in our weapon systems.”
  • $347 million to help provide cyber tools and support infrastructure needed for offensive cyber options.

That adds up to a little more than $1.5 billion – of a total $34.6 billion plan. Carter described two additional areas of focus, but did not signal how much investment each would need:

  • “An advanced capability to disrupt cyber attacks of significant consequence” to American infrastructure, which could include non-military targets, such as the banking system, telecommunications networks or the electrical grid. The Defense Department defines significant consequences as the loss of life, significant property damage, major economic damage or a serious impact on U.S. foreign policy.
  • Cyber deterrence, including building potential military response options aimed at “our most active cyber aggressors.”

Those priorities build on the cyber plan the Defense Department charted one year ago. In its five-year defense plan for 2016-2020, the Pentagon indicated it would invest roughly $5.5 billion annually, broken out into five broad categories:

  • Cyber operations: $2.5 billion
  • Information assurance: $2 billion
  • Science and technology: $500 million
  • Cyber Command: $250 million
  • Cybersecurity initiative: $250 million

The House appropriators stated that much of the proposed cyber budget “is encompassed within larger programs and funding lines,” limiting lawmakers’ ability to see and track detail. The numbers are confusing. Adm. Mike Rogers, director of the National Security Agency and commander of Cyber Command testified in March that Cyber Command’s budget is $466 million, including $259 billion for command headquarters and $209 million cyber mission forces support.

The House Appropriations Committee report noted that classified budget data helps fill in the blanks, but still concluded: “the lack of clarity in the justification material limits proper congressional oversight.”

Strategy Behind the Numbers
Additional detail can be gleaned from the 2015 cyber strategy document.

The strategy expands DoD’s role beyond defending its own networks to also “be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyber attacks of significant consequence.”

Cyber-Graphic

Where once DoD saw the nation’s cyber infrastructure as beyond its responsibility, Carter told Congress in April, today it assigns the military three main cyber tasks: “First and foremost, [to] defend our networks, systems, and information. Second, help defend the nation and our interests from cyber attacks of significant consequence.” Third, provide cyber options “that can augment our other military systems.”

Carter said his proposed cyber budget “will help us continue to develop, train, and equip our growing Cyber Mission Force, and also make new technological investments to strengthen our cyber defenses and capabilities.”

As of June, 46 of 133 planned Cyber Mission Force teams were deemed fully operational and 59 more had achieved initial operating capability, according to the Defense Department. The teams included 4,684 members and are ultimately planned to include 6,187 cyber warriors.

The cyber strategy also calls for accelerating research and development into “leap-ahead” cyber technologies, continued construction of the defense-wide Joint Information Environment, and building a layered defense around the defense industrial base to counter intellectual property theft from defense companies. And it stresses cooperation with civilian agencies, private sector companies and research institutions to develop new defensive and offensive cyber technology.

On June 22, Thomas Atkin, acting assistant defense secretary for homeland defense and global security, told the House Armed Services Committee that the United States continues to pay particular attention to four cyber outliers: Russia, China, Iran, and North Korea.

“Russia and China are both very capable cyber operators, while Iran and North Korea represent lesser, but still significant challenges to U.S. interests,” Atkin said.

“If malicious cyber actors gain access to DoD networks, they can potentially manipulate information or software, destroy data, harm computers that host data, and even impair the functioning of systems that computers control,” Atkin warned House lawmakers.

Lt. Gen. Kevin McLaughlin, deputy commander of Cyber Command, told the committee in June: “The threat today is diverse. It includes “organizations like ISIL [the Islamic State] and criminal or hacker organizations,” he added. “The barrier to entry is not that high.”

Thus a key element in the cyber strategy is deterrence, which depends on convincing adversaries that success is unlikely and costs will be high. In the cyber strategy, counter-attack capabilities must be effective enough to deter attacks, defensive capabilities must be good enough to block attacks and resilience within networks and systems must be strong enough to withstand attacks.

That’s where the new investment comes into the picture. Each of the major investment thrusts, addresses one or more of those requirements: science and technology to develop better offensive and defensive tools, information assurance to protect networks and cyberspace operations and training funds to enable the Cyber Mission Force to fend off or respond to attacks.

Related Articles

GDIT Recruitment 600×300
GDIT HCSD SCM 5 250×250 Truck
NPR Morning Edition 250×250
AFCEA/GMU Critical Issues in  C4I Symposium 250×250
GDIT Recruitment 250×250
USNI News: 250×250
Nextgov Newsletter 250×250
IoT Investments Will Save Money – If Focus Doesn’t Stray

IoT Investments Will Save Money – If Focus Doesn’t Stray

Add rifles to the growing list of items on the “Internet of Things.”

The Army has tested computerized sniper scopes that calculate the trajectory of a bullet, factoring in wind, temperature and the weight of the bullet and then allowing the shooter to fire only if the barrel is aimed perfectly at the target.

The scope also records, so commanders can review what the soldier saw after the fact.

So firearms join the swarm of devices, from smart thermostats and meters to on-board sensors and computers that control buildings, monitor engine performance and track wear and tear on machine parts. Indeed, the Internet of Things (IoT) is not some brand new phenomenon that’s taking the world by storm. IoT leverages well-established technologies and already represented a substantial market five years ago.

Between 2011 and 2015, federal spending on the Internet of Things amounted to $35 billion, with $10.7 billion spent on device-based apps, $4.5 billion on wireless devices, and $4.1 billion on sensors and data collectors, according to a new, downloadable report from Govini, the market analysis firm. The Defense Department spent 88 percent of the total, Govini says.

The numbers continue to rise. Govini says Federal investment in IoT topped $8.6 billion in 2015 alone, up from 7.4 billion up 16 percent over 2014.

But don’t think the U.S. government or the military in particular just started plugging in to IoT, notes David Gagliano, vice president and chief technology officer with General Dynamics Information Technology’s Global Solutions Division. The military actually helped invent IoT, he says.

“The Internet of Things is about intelligent connected devices that increase situational awareness, enhance training, keep track of supplies and aid – or substitute for – human decision-making,” Gagliano says. “The U.S. military has not only been an early adopter, it has been a long-time driver.”

The military developed the sensors that gather the targeting information used by smart munitions, the unmanned aerial vehicles that stream battlefield video to troops on the ground, the satellites, sensors and communications gear that enable Blue Force Tracking and logistics systems that keep track of a global supply chain more mission critical components.

Each of the military services is using IoT technology.

Over the past five years, for example, the Navy has installed “tens of thousands of meters on thousands of facilities,” devices that help improve energy efficiency and control water use, says Robert Baker, the Command Information Officer and Enterprise Information Technology Officer for the Naval Facilities Engineering Command in Washington, D.C.

The meters help keep heating and air conditioning systems operating within set parameters and alert technicians when the parameters are exceeded, Baker said.

They are essential pieces in a plan to turn at least 50 percent of Navy and Marine Corps installations into “net zero” facilities by 2020. Net-zero buildings consume only as much energy as they can produce, Baker says.

Both the Navy and the Air Force use sensors to monitor motor vehicle fleets, alerting mechanics when maintenance is needed – and putting off maintenance when it’s not needed, Baker says. Having begun with ground vehicles, this “condition-based maintenance” approach is now being applied to aircraft and ships.

In fact, the military’s most ambitious IoT project is the Air Force’s Autonomic Logistics Information System – ALIS – a system of sensors, analytical software and communications capabilities designed to support the F-35 Joint Strike Fighter. The $16.7 billion system supports maintenance and supply-chain management, operations and mission planning, predicting when maintenance will be required and which parts need to be on hand.

But ALIS also illustrates the challenges with such complex systems. Back in 2001, the Defense Department predicted ALIS would help reduce the number of F-35 maintenance personnel by 20 to 40 percent, and increase the number of combat sorties by 25 percent.

But so far it hasn’t worked out that way, according to the General Accountability Office. ALIS is struggling with high rates of false positives, sluggish performance and requires access to computer servers and power supplies that make it hard to deploy to austere locations. Its centralized data processing system also lacks redundancy, GAO says.

In a memo last December, the Pentagon’s office of Operational Test and Evaluation wrote that ALIS “continues to struggle in development with deferred requirements, late and incomplete deliveries, high manpower requirements, multiple deficiencies requiring work-arounds, and a complex architecture with likely [but largely untested] cyber deficiencies.”

Cyber Concerns
IoT’s potential cyber vulnerabilities are a major concern across government and industry. Remember that internet-connected rifle that caught the Army’s eye? Turns out it was susceptible to hackers. A clever adversary could feed it erroneous data, throwing off the wind, temperature or bullet weight to send bullets flying off course.

Such vulnerabilities threaten many Internet-connected systems.

“The single most important challenge for IoT implementation across the military is security,” wrote Denise Zheng and William Carter in a September report for the Center for Strategic and International Studies. “The value of IoT is derived in large part from ubiquity of IoT devices and applications and the connections between them. This creates a massive web of potential entry points for cyber attackers.”

The report notes DoD’s pioneering work in developing many of the technologies that make IoT possible, but points out that the Pentagon is falling behind in “deployment of IoT technologies for everyday operations that have the potential to increase efficiency, effectiveness, and deliver immense cost savings across the Department.”

The Congressional Research Service warns that hackers “might gain access first to a building thermostat, and subsequently to security cameras or computers connected to the same network, permitting access to and exfiltration or modification of surveillance footage or other information.”

One doesn’t even need an Internet connection, CRS notes, citing the infamous Stuxnet virus, which caused Iranian centrifuges to self-destruct, CRS notes, even though the system governing those centrifuges was not connected to the Internet.

But wireless connectivity is nevertheless a favored route into many systems. Hackers have demonstrated they can break into wirelessly connected medical devices, automobiles, appliances and even toys. Many of these devices were developed without strict attention or even concern about security, leading manufacturers to scramble for solutions long after products have been released and sold.

Information Weapons?
Information and deception have always been vital in battle. Commanders feint one way before attacking from another direction, seek to fool adversaries into thinking they’ve massed greater forces than they really possess, use misinformation to undermine enemy intelligence. IoT lends itself to all those strategies – and raises the stakes for those who come to rely on its technology: While IoT offers the potential to gain greater and more granular insight about one’s troops and supplies, it also opens up unparalleled risks should an enemy penetrate the network’s security.

The Defense Health Agency’s scientists are working on wearable “biosensors” that will keep track of troops’ health. If a service member is injured, the sensors will automatically report the type and severity of injuries to medics, even as the member is being transported to the hospital. But biosensors also must be secure.

In 2013, former Vice President Dick Cheney’s doctors modified his wireless heart monitor to prevent hackers from accessing it. They feared an enemy could use the device to try to assassinate him remotely, Cheney disclosed on TV.

“Yes, security is a problem,” GDIT’s Gagliano concedes. “But it’s a solvable problem, and it’s being addressed.”

Baker offers one solution: “The first thing we do is not have [building and vehicle sensors] connected to the Internet; they are connected to an isolated network that has multiple boundary controls and strong defense in depth,” he said. In addition, “we monitor all of the end points for anomalous activity.”

Strict controls must be in place to prevent users from connecting unauthorized devices, such as USB memory sticks or mobile phones, that can introduce hidden malware.

Information Overload
In addition to security, IoT poses other challenges, especially with what to do with all the data generated by all those systems and sensors. With so many connected things – cameras, infrared sensors, radars and others –data volumes exceed what human analysts can actually absorb. For the collected data to be useful, machines must be able to rapidly identify what’s important and only flag essential information to human analysts. That includes tracking data and performance over time to generate new insights and understanding.

“The number of data points coming off an aircraft engine in real time is so enormous that you don’t want a man in the loop,” Gagliano said. “Sensor systems must be smart enough to alert human operators only when they detect something important.”

CSIS’ Zheng and Carter say that poses another challenge: funding. “Significant investments in infrastructure and analytical software are needed to handle the enormous volume of data generated from IoT devices,” they write. Without automated processing, “the sheer volume of data is overwhelming.”

But funding in today’s post-sequestration military is difficult to come by – even if investments promise long-term returns. Managers prioritizing which programs to fund inevitably have to focus first on short-term paybacks. “Many IoT solutions generate significant long-term savings, but have up-front costs,” Zheng and Carter write. The military has been reluctant to invest today for “hypothetical future savings.”

Gagliano sees the same dilemma. Much of what IoT promises is cost savings, he said, “so the faster we can adopt it, the faster we can save.”

That’s why it’s essential that decision-makers focus on the short-term opportunities posed by IoT, rather than get mesmerized by sexier, but longer-term opportunities posed by wearable technology. By focusing first on simple and practical solutions – things like building controls and maintenance monitoring, enhancing security by networking devices and other ideas that can leverage existing network connectivity – which can yield real savings immediately.

Save the fantastic concepts for later, Gagliano says. “They will always have appeal,” he says. “But don’t let them distract you. Focus on what’s here and now.”

Related Articles

GDIT Recruitment 600×300
GDIT HCSD SCM 5 250×250 Truck
NPR Morning Edition 250×250
AFCEA/GMU Critical Issues in  C4I Symposium 250×250
GDIT Recruitment 250×250
USNI News: 250×250
Nextgov Newsletter 250×250
DISA Pushes Enterprise Office Software into the Cloud

DISA Pushes Enterprise Office Software into the Cloud

When Defense Enterprise Email (DEE) launched in 2011, it offered the ultimate in collaboration: Users could share attachments even if they didn’t have the same software. It was a major step forward.

Five years later, as advances in commercial communication and collaboration technology make DEE almost a cyber relic, the Pentagon is aiming to replace it with something bigger, broader and far more capable: DEOS, the Defense Enterprise Office Solution.

“There are so many ways now to collaborate that simply weren’t possible when DEE 1.0 was introduced,” said David Gagliano, chief technology officer for global solutions at General Dynamics Information Technology. “Today, I can run a meeting online with a chat going in one window, voice over IP on audio, and deliver data via text-to-speech technology. These collaboration capabilities are already common in industry, but will be a dramatic leap forward for DoD users.”

Defense Information Systems Agency (DISA) wants to bring that new generation of tools to defense users through DEOS. The agency had planned to simply upgrade DEE to a cloud-based commercial email product this year. But when it took that idea to market, 18 vendors came back with bigger ideas.

“Based on user demand and the technology available, there were solutions out there that were more effective and efficient,” said Kristin Brown, an information technology specialist in DISA’s Enterprise Wide Services division.

“We determined that we would have to re-scope the effort to include a more robust suite of collaboration tools,” Brown said in an interview.

Instead of DEE 2.0, DEOS was born. It will include phone services, video teleconferencing and web conferencing, along with chat, instant messaging, white boarding, desktop sharing and more. And, yes, it will also include email and calendar features.

The aim: cloud-based software-as-a-service (SaaS) solutions that are more effective and less costly than the current collection of “one-off, stovepipe, legacy solutions” most defense users are employing today, Brown said.

DEOS will employ commercial software delivered to users via a commercial cloud, Brown said. That cloud could be SaaS housed in government facilities, commercial data centers or in a combination of the two. “All deployment models – on-premises, off-premises, or hybrid – are being considered,” she said.

DISA is putting a premium on “seamless integration” – the ability for DEOS collaboration functions to work smoothly together, Brown stressed. “Right now a lot of our enterprise offerings are not integrated,” she said. “We want seamless integration in future offerings.” That’s “critical.”

To get disparate software programs to work together, DISA will rely on “advances in infrastructure and SaaS technology,” Brown said. And “DEOS will leverage various application programming interfaces to allow integration flexibility across the DoD.”

For example, “integration with EVoIP [enterprise voice over internet protocol phone service] will allow the DEOS client to provide point-to-point voice and video through the backend of the current EVoIP infrastructure to allow video teleconferencing integration,” Brown said.

There may be other ways to improve integration, as well. “We welcome creative solutions provided by industry,” she said.

Following Commercial Practice
With DEOS, DISA is following many commercial, federal, state and local government agencies, said Jennifer Saha, national director of public sector councils at CompTIA, the industry trade group.

Agencies at all levels of government are migrating to commercial cloud-based services, and demand for those services by government workers is exploding, Saha said. “It allows for a mobile workforce, and it saves time and money,” she said. “Staff and employees all over the world can collaborate with the online tools. The private sector is already there, especially large companies.”

Younger, more mobile workforces find cloud-based services especially attractive, Saha said. Millennials “are always on their phones” and cloud-based services untether them from their desks.

The promise is substantial productivity gains, she said. “You’re really at a disadvantage if you don’t have” cloud-based collaboration tools, Saha said.

That doesn’t mean DoD will instantly open up work files to mobile users. But DISA and the military services recognize that demand, and are running tests and pilots to develop mobile access plans, security and protocols. By the time DEOS is ready, those initial pilots should be proven and DoD will have the tools in place to enable wider mobile access where appropriate.

DISA faces unique challenges ranging from DoD’s enhanced security needs to the sheer scale of the enterprise. With 4.5 million potential users, DISA’s customer base is many times greater than even the largest commercial sector entities, notes GDIT’s Gagliano.

So while the software applications themselves may be mature, the engineering and implementation of these programs on a defense-wide scale are considerable. For example, defense performance requirements don’t allow for slowdowns when demand peaks. On the contrary, in times of crisis, both access and performance demands will actually increase.

Gagliano says that means both cloud infrastructure and software service providers will “have to guarantee services will be available under the most stressful loads.”

Customer Base
For DISA, the looming question is who will sign up for DEOS? DISA has 1.7 million DEE users, less than half the 4.5 million potential across the Defense Department.

The Army, the single biggest DEE user, foresees DEOS in its future – but not immediately, according to Army Chief Information Officer Lt. Gen. Robert Ferrell. In an email response to questions, a spokesman said the Army plans a “transition toward Unified Capabilities” that will include “software-based solutions with integrated voice, video and data.”

Unified Capabilities, or UC, will provide more user capability, improved mission effectiveness and stronger cybersecurity, Lt. Gen. Ferrell said. “UC will also reduce costs, allow us to divest ourselves of legacy circuits, telephone and network switches and improve our ability to collaborate.”

Once UC is in place, the spokesman explained, “the Army’s plan for enterprise services includes ultimately transitioning to DISA’s Defense Enterprise Office Solutions.”

The Air Force is less committed. Unlike the Army, which adopted DEE across its user base, the Air Force only employs Defense Enterprise Email “at a few select locations,” such as the Pentagon, said spokesman Ed Gulick.

“The Air Force is participating in numerous working groups to ensure a collaborated effort that enables DoD-wide migration from legacy stovepipe solutions,” Gulick said. The goal is to provide “voice, video, e-mail, content management and an office productivity suite to support interoperability with current and future enterprise services.”

But that might or might not be DEOS. The service is already “engaged in a Cloud Service Offering pilot with Microsoft,” he said.  “The initial services offered consist of Microsoft Exchange Online, Microsoft Office SharePoint Online and Microsoft Skype for Business.”

Both the Navy and Marine Corps are on the fence. Each opted out of DEE, but remains open to what DISA might offer with DEOS.

“Over the next couple of years, the Navy is planning use of cloud-provided enterprise productivity services, like email and conferencing capabilities,” a Navy spokesman said. Those services could be provided by “commercial offerings such as Microsoft Office 365, or DoD-provided solutions like Defense Enterprise Services,” he said.

DISA’s Brown says DEOS will prove hard to beat, with “cutting edge technology, improved automation of daily business functions, increased productivity and efficiency,” plus seamless integration into defense networks and all the cost savings of cloud, she said.

Brown said DISA hopes to award a DEOS contract in the fourth quarter of 2017.

Related Articles

GDIT Recruitment 600×300
GDIT HCSD SCM 5 250×250 Truck
NPR Morning Edition 250×250
AFCEA/GMU Critical Issues in  C4I Symposium 250×250
GDIT Recruitment 250×250
USNI News: 250×250
Nextgov Newsletter 250×250
DISA Aims For Big Cost SavingsWith MilCloud 2.0

DISA Aims For Big Cost Savings
With MilCloud 2.0

U.S. sailors assigned to Navy Cyber Defense Operations Command man: photo by Petty Officer 2nd Class Joshua J. Wahl

Cloud computing is turning the data information technology marketplace on its ear, driving down costs and speeding up application development. But many government agencies continue to hold back, concerned about security, migration and cost worries.

Defense Information Systems Agency (DISA) officials believe they can overcome those concerns by building a commercial-grade private cloud exclusively for defense customers. Call it MilCloud 2.0.

John Hale Chief of DISA’s cloud portfolio

John Hale
Chief of DISA’s cloud portfolio

“Why is MilCloud 2.0 important? Cost,” said John Hale, chief of DISA’s cloud portfolio, addressing a large industry audience at the AFCEA Defensive Cyber Operations Symposium on April 21. By leveraging commercial cloud services, DISA can offer cutting-edge commercial services at a lower cost than it can for its own cloud-like offerings.

Hale said MilCloud 2.0 aims to get more of the military to adopt cloud computing, while at the same time reducing the number of defense agencies creating separate cloud services.

MilCloud 2.0 would turn the bulk of military cloud computing over to the commercial sector, but with a twist. Like the CIA, which hired Amazon Web Services in 2014 to build an Amazon cloud for the intelligence community, DISA hopes to build a similar shared military cloud for its customers that will meet security requirements and also save the military money.

How secure is it? That’s the beauty of the approach, said Chris Burns, a vice president and technical director with General Dynamics Information Technology.

“The big advantage of building a commercial cloud inside a DISA Data Center is the fact that it lives inside DoD’s network security perimeter,” Burns said. That perimeter will be guarded by a set of Joint Regional Security Stacks that will control access to the entire Joint Information Environment. “By building the cloud inside JRSS, DISA drastically simplifies the business of connecting cloud service to DoD’s NIPRNet and SIPRNet networks and ensures a faster route to getting an Authorization to Operate (ATO).”

NIPRNet is DoD’s non-classified internet protocol network, while SIPRNet is its counterpart for secret communications. Tying into those two critical networks gets around the biggest hurdle to defense agencies adopting commercial cloud alternatives: Trust. Conventional commercial clouds reside outside the Department of Defense’s “trust” boundary, but MilCloud 2.0 won’t have that problem.

With the trust issue solved, potential cost savings should follow. How much money might MilCloud 2.0 save? Hale isn’t ready to say. “We don’t have a business case analysis” yet, he conceded in an interview. But the analysis DISA has completed so far indicates MilCloud 2.0 will be the least costly of the military’s cloud options.

DISA’s existing cloud offering, MilCloud 1.0, is also an infrastructure-as-a-service offering. It hosts more than 100 virtual data centers for 55 DoD organizations, according to Jason Martin, chief of DISA’s Services Directorate.

As DISA transitions into MilCloud 2.0, the agency hopes to substantially increase that number by driving down costs and passing the savings onto DISA’s government customer base.

Incorporating commercial cloud services promise a bundle of benefits, according to the Institute for Defense Analysis (IDA), which studied the matter for the Defense Department in 2015. These include:

  • Custom cloud: DoD can build its own massive data centers on military property. This may be more secure, but it lacks the ability to leverage the scale and expertise of the biggest, most efficient commercial cloud providers.
  • Shared cloud: Military agencies can pool resources to gain scale and efficiency by sharing cloud infrastructure. But while this can be less costly than running individual data centers, it still lacks the efficiency and scale of massive commercial operations.
  • Commercial cloud. By spreading costs among a multitude of customers, these offerings are inevitably the least costly, Hale said.

MilCloud 2.0 would be something else again: A commercial cloud, built, operated and maintained by commercial cloud service providers on DoD property, used exclusively for DoD data and users.

That’s a major shift from today’s MilCloud 1.0, built, operated and maintained by government employees on government property using commercial off-the-shelf technology.

Like MilCloud 1.0, MilCloud 2.0 will offer infrastructure as a service, meaning it will house servers and storage, for a use-based charge, Hale said.

By centralizing infrastructure, customer agencies can gain a number of benefits from commercial cloud models, IDA’s study found:

  • “Rapid improvements to infrastructure, services, and technology” that would not be possible for government-operated systems operating government-owned equipment.
  • Instant access to new services. “When commercial cloud providers add new services, the provider’s customers can immediately use those services. When providers add new processing or storage capacity, consumers across the entire cloud infrastructure can see those speed improvements.”
  • “On-demand elasticity in IT services.” Commercial cloud services are designed to manage rapid fluctuations in user demand.
  • Mission focus. Switching to commercial cloud services would allow defense agencies to focus on their core military missions and leave IT services to commercial experts.
  • Cloud providers’ prices are decreasing. Between 2008 and 2014, for example, Amazon Web Services announced 42 price reductions. Commercial vendors are better situated to continue to wring greater savings out of every upgrade.

That gets back to the cost question. With commercial cloud providers, “you only pay for the compute you use,” Hale said, or as others at DISA say, “pay by the drink.” However, when the military owns and operates its own equipment, it pays for computing capacity that is often not fully used. Commercial clouds leverage that excess capacity by spreading the infrastructure across a larger user base. The result? Hale said: “You can save a lot.” But the reverse is also true, he added. Cloud users can end up paying more if they fail to control their usage.

More important still: security.

“Security and privacy of the data in the cloud is a critical issue,” the IDA reported. “Cloud promotes a shared environment in which multiple cloud tenants leverage the same infrastructure. Technical controls create virtual separation of data and applications for different tenants, but there are concerns that some users could [find ways to] access data across the virtual boundaries.”

DISA’s solution, like that of the CIA, is to ensure its data doesn’t mingle with anybody else’s. By letting a vendor build and operate MilCloud 2.0 on a military facility, and limiting access to its computing resources of networks, servers, storage and the like to military customers only, it gains the best of both worlds.

Even then, it is almost certain that some highly classified data will be deemed too sensitive to be allowed on MilCloud, Hale said. “Nuclear command and control” data, for example, will not be sitting on a shared server. Anywhere.

DISA spelled out its requirements for commercial cloud providers in a 213-page Cloud Computing Security Requirements Guide published in March.

As of late April, DISA had assessed some 45 commercial cloud providers for their ability to meet security requirements, Hale said. Of those, he expects four or five to be certified as suitably secure providers by late 2016 or early 2017.

MilCloud 2.0 is to be built in two phases. Phase 1 (to begin late this year when a single commercial cloud provider) is selected to begin assembling the cloud in two military data centers. In this phase, the cloud will handle only unclassified data. DISA’s main focus will be “to figure out the business of hosting a DoD workload on a commercial cloud,” Hale said.

Later, during Phase 2, the cloud will expand to more Defense Department data centers and will begin handling classified and unclassified data, he said. At that point, military customers will be able to buy MilCloud 2.0 services through DISA’s catalog, Hale said.

MilCloud 2.0 will not begin to replace the current MilCloud 1.0 until Phase 2, Hale said. How soon that will happen isn’t clear. Indeed, the Phase 2 acquisition strategy has yet to be determined, he said.

What is clear, is this: MilCloud 2.0 will have to compete for business, said Jason Martin, chief of DISA’s Services Directorate. No one will be required to use MilCloud 2.0.

“Cost will drive their decisions,” Martin said. “Our belief is that we will offer the most cost-effective portfolio.”

Related Articles

GDIT Recruitment 600×300
GDIT HCSD SCM 5 250×250 Truck
NPR Morning Edition 250×250
AFCEA/GMU Critical Issues in  C4I Symposium 250×250
GDIT Recruitment 250×250
USNI News: 250×250
Nextgov Newsletter 250×250