Lexington Institute: DOD cybersecurity isn’t cutting it, and here’s why

U.S. enemies won’t hesitate to exploit chinks in DOD’s cyber armor if the agency’s efforts to create a centralized, secured, next-generation data management system continue to lag, the Lexington Institute argues in a report released Monday.

“Military power in the 21st Century will not be denominated according to the traditional units of account, tanks, planes and ships, but in terms of the breadth, sophistication, speed and security of the networks that empower a nation’s or group’s armed forces,” said the report, titled “Securing DoD Networks for the 21st Century.” “Secure networks are vital to U.S. military operations at all levels and are a source of tactical, operational and strategic advantages.”

Officials scrambled to boost the country’s cyber defenses earlier this year when a string of government breaches — particularly the catastrophic Office of Personnel Management hacks that compromised the personal information of 22.1 million government background check applicants and federal employees — placed cybersecurity in the national spotlight and raised concerns about the government’s ability to safeguard critical data.

Daniel Gouré, vice president of the nonprofit public research organization and author of the report, puts forth a comprehensive analysis of the DOD’s current cyber fortifications and prompts officials to accelerate plans that would further bolster data security. Specifically, he offers details from the Defense Information Systems Agency’s “Strategic Plan 2015-2020,” which envisions a DOD network with “authorized, authenticated user access and freedom of maneuver to cloud, collaboration, and command and control capabilities without impact from rogue entities, hacktivists, nation states, or insider threats.” DOD’s current network lacks these features.

“These are all good words,” Gouré writes of the strategy. “Now there must be action.”

Gouré’s portrait of DOD network security as it stands leaves much to be desired, and the experts quoted in the report tend to agree. Former National Security Agency Director Keith Alexander, a retired four-star Army general, cites the DOD’s large number of data management systems — 15,000 across the entire department — as a specific barrier to fortification.

“The consequence of [running multiple systems] is that each one of those is patched and run like a separate fiefdom. The people who are responsible for defending them cannot see down beyond the firewalls,” the report quotes Alexander. “… practically speaking, Situational Awareness is non-existent.”

The Pentagon is not ignorant of these flaws. In May 2014, DISA released a report titled “Enabling the Joint Information Environment,” which announced a DOD plan for a master platform “designed to provide greater standardization, economies of scale, end-to-end visibility and a new, single security architecture.” The program, called the Joint Information Environment, has not yet come to fruition.

The task is an onerous one — Gouré likens it to “creating a ‘single pane of glass’ for the purposes of surveillance, threat detection and response at network speed.” As a Defense Science Board memorandum titled “Final Report of the Defense Science Board Task Force on Resilient Military Systems” said in 2012, “There is no silver bullet that will eliminate the threats inherent to leveraging cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated cyber threats.”

The issue is further complicated by the fluctuating nature of the cyberscape, with Internet of Things devices and widespread cloud innovation promising to permanently alter the way we interact with technology, as well as the extent to which hackers might be able to infiltrate sensitive systems. Retired Navy Adm. James Winnefeld, a former vice chairman of the Joint Chiefs of Staff, was quoted in the report saying that the proliferation of players in cyberspace is also an obstacle.

“This is a Big Data problem that connects data, analytics, placement and visualization within a complex ecosystem of ISPs, cyber security firms, software providers, hardware manufacturers, and data storage companies,” he said in the report.

If the bar for a new platform is high, the stakes are higher. In an address to Stanford University in April, Secretary of Defense Ash Carter revealed that DOD systems are under attack as frequently as 250,000 times per day, with perpetrators ranging from amateur hackers to advanced malware users. In a report, Georgia Institute of Technology researchers issued their own warnings about the state of cyber conflict.

“Based just on recent successful attacks on U.S. public and private networks attributable to foreign countries, it is easy to conclude that this country is in an ongoing, low-intensity war, albeit a virtual one, with a number of nation-state adversaries,” they wrote in “Emerging Cyber Threats Report 2015.”

The report notes that DOD has made progress toward cybersecurity goals, and particularly lauds the JIE as a platform with the potential to become “a skeleton around which DOD will be able to build the entire living IT enterprise.” Ultimately, though, Gouré says the success or failure of a next-generation DOD system will hinge on a fundamental shift in mindset.

“To date, organizations, including governments, have approached cyber security as an add-on to traditional IT functions,” the report says. “It is time to re-imagine cyber security as an inherent element of all network operations.”