The Defense Department’s top IT officials told House lawmakers this week that sequestration would put off DoD’s network modernization plans by two-to-three years, impacting everything from cybersecurity upgrades to day-to-day training activities.
In the Army alone, a return to the statutory caps Congress enacted in the 2011 Budget Control Act would mean a $400 million cut from the $9.1 billion the service has programmed for IT spending during fiscal 2016. The other services did not provide precise figures, but said they would see similar impacts.
“Sequestration will delay our modernization, and delaying the modernization comes along with a lot of other things. We will be more vulnerable; we won’t support the warfighters. They will be at risk,” said Terry Halvorsen, DoD’s acting chief information officer.
In testimony before the House Armed Services Committee, officials said the reduced funding level would affect day-to-day network operations and could lead to significant impacts on military training, readiness and business operations and the overall size of the military’s IT workforce.
“Our biggest concern is people,” said Brig. Gen. Kevin Nally, the Marine Corps CIO. “If we have to reduce funding and let people go, that’s our biggest concern. If I don’t have the people to operate and defend the network, the network is worthless.”
But Halvorsen said BCA-level spending is particularly worrisome because of the delays it would impose on the department’s cybersecurity modernization plans. He said the cyber capabilities of other nation-states and terrorist groups have grown markedly over the last three-to-five years, and that a modernization delay for DoD would make the military more vulnerable even to relatively unsophisticated hackers.
“For now, I think we’re in a good position in terms of having a technological edge, but in IT, that edge can disappear so very quickly,” he said. “The Chinese, the Russians, and other groups are making investments in all of these areas. If we’re not able to continue our plan, we will lose some of that edge and they will gain capability.”
50 shared cyber gateways planned
The timing of the 2016 BCA cutbacks coincides with a key transition point in the department’s overall plan for network modernization: the Joint Information Environment (JIE). For several years, JIE has been an ethereal concept with vague promises to integrate the military’s disparate networks, but the Pentagon now is able to point to some concrete deliverables.
The first of them is Joint Regional Security Stacks (JRSS), DoD’s push to collapse thousands of service- specific security monitoring points into roughly 50 common, shared gateways serving specific geographic locations around the world.
The department views the system as vital, not just because it will cut costs, but because it will let defenders at U.S. Cyber Command see what’s happening on the thousands of military networks they’re supposed to be protecting.
JRSS hardware and software has been installed at 10 sites so far, Halvorsen said in his written testimony. One such site — at Joint Base San Antonio — now is operational, and last year, became the first JRSS site to take over security monitoring functions that had previously been handled separately by the military services.
“We’re now passing Army and Air Force traffic over the same network,” said Lt. Gen. Robert Ferrell, the Army’s CIO. “We’re doing that both at San Antonio and at Montgomery, Alabama. That’s the first step toward physical progress in this effort. We’re going to take lessons learned and incorporate them in the follow-on sites.”
DoD is planning a significant JRSS ramp-up in 2015 and in 2016, the same year in which the budget caps would kick back in. It intends to bring one of the security stacks online in Europe during this fiscal year and add three more in southwest Asia sometime in the next nine months.
The Army and Air Force will provide most of the funding for the JRSS migration in 2016 and 2017, Halvorsen said, because they are beginning the departmentwide security consolidation from different starting points compared to the Navy and Marine Corps.
“When we look at what the current condition is, the Department of the Navy collapsed their systems first around the Navy-Marine Corps Intranet and now NGEN,” he said. “So in some cases, they are in a better position to see their networks. The Army and Air Force are moving very rapidly in that direction, and the reason they are the first to move behind JRSS is that it will give them the same level of capability the Navy and Marine Corps enjoy now. When we go to version 2.0 of JRSS, that will give everybody an increased capability, and everybody will move on that.”
Army, Air Force targeting 2017
DoD expects the Army and Air Force to collapse most of their networks behind the joint security stacks by the end of fiscal 2017. The Navy and Marine Corps will make a more gradual transition, largely using technical refresh money available within their existing NGEN contract to integrate their security gateways with the JRSS architecture by 2018.
“It’s an aggressive schedule, but I think it’s one we cannot let slip,” Halvorsen said. “I briefed the Joint Chiefs of Staff two weeks ago, and they’re all committed to making sure that we do not miss that date.”
In the early stages of JRSS, funding is coming not only from the Army and Air Force’s IT budgets, but also from the Defense Information Systems Agency, partially as a result of a scrub of DoD IT and business process spending the department initiated last year.
The Business Process Systems Review, co-led by the offices of the DoD CIO and the deputy chief management officer, began with the office of the secretary of Defense and the Defense agencies. And when it came time to examine DISA, the review found $20 million in agency spending that wound up being reallocated to JRSS from existing DISA contracts.
The first round of reviews, focused on DoD’s “fourth estate,” is expected to wrap up within the next few weeks. From there, it will move on to look at the business processes and IT expenditures of the three military departments.
“We’re also asking the question, ‘What IT businesses should DoD be directly in, and at what level should we be in it?’ I think that’s a key question, and we may need your help in changing the business model in certain areas,” Halvorsen told lawmakers. “We need to look at how we can expand private-public partnerships, particularly in data distribution. How can I take maybe a DISA data center, realign it, and get more value out of commercial rate improvements? I think we will need to work on some legislation to make that easier.”
In Wednesday’s hearing, Halvorsen did not elaborate on the legislation he’d like to see — and none of the sparse group of committee members who attended it asked him to do so.
But in past discussions with reporters and with industry, he has floated ideas like allowing private providers who are cleared to host DoD data to set up shop on military bases, while simultaneously selling hosting services to commercial clients who also have high security concerns, such as the financial services industry.
“I have still not taken off the table that at one point we might have a data distribution center that is mostly contracted, but inside a government installation where we provide the physical security,” he told reporters last month. “We have some advantages there: most physical security people can’t roll tanks up to your building to help out. We can do that.”