As it increases its capabilities in cyber warfare and cyberspace defense, the Defense Department has established a concept it calls the Joint Cyber Warfighting Architecture. It’s supposed to govern investment decisions and make sure systems across the military services work together. But does it? That’s what the Government Accountability Office took a look at. For what they found, Bill Russell, the GAO’s director of Contracting and National Security Acquisitions Issues, joined Federal Drive with Tom Temin.
Insight by CyberArk: Learn how the CDC is using the least-privilege model to limit how much damage hackers can do in federal networks in this free webinar.
Tom Temin: Mr. Russell, good to have you on.
Bill Russell: Thanks for having me Tom.
Tom Temin: And welcome to your first time here on the Federal Drive. This architecture, what in your estimation does DoD expect to do with it? What do they say about it?
Bill Russell: Really, the joint cyber or fighting architecture is a concept at this point to take a number of existing systems that are under development within some of the military departments. So there are a couple in the Air Force, a few in the Army, other applications as well, and put them together into a integrated system of systems, if you will, where cyber forces can go into one platform and do everything from training to access the command and control decision making aspects, find sensors and tools that they might need for the operation and make that into one coherent system. That’s the goal.
Tom Temin: In some ways, it’s parallel to what they’re trying to do with their weapons platforms, have them all interoperate or inter-communicate.
Bill Russell: Exactly. That’s the watchword here is interoperability, coordination, collaboration.
Tom Temin: And of course, interoperability sounds like one of those really big technical words. But when you think about it, it’s not that precise. And your report says that as of August, this whole concept of the joint cyber warfighting architecture was a series of diagrams.
Bill Russell: That’s correct. So Cyber Command has come up with the vision of what this could look like. But it hasn’t yet put it into practice. And there are some challenges around that going forward that we point out in the report. One of those is defining the interoperability goals. So how do you want these existing systems to be modified, change in some way so that you achieve that bigger picture vision. There’s a lot of thought around adjustments to those programs, maybe new requirements, that’s what Cyber Command will need to do going forward but hasn’t gotten there yet. And then the other piece of it really has to do with the governance, who does what. You’ve got the military departments that are managing some of these individual components. Cyber Command is responsible for coming up with the acquisition requirements for this larger concept. But how is all of that going to work? And it hasn’t been determined yet.
Tom Temin: And of course, they mentioned this is an acquisition related type of program because they want the acquisitions to comply or to somehow fit in with this architecture. Do you get the sense that some of their acquisitions and cyber warfare are getting ahead of the architectures ability to rein it all in?
Bill Russell: Well, certainly, this is a dynamic environment. Everything having to do with cyberspace, cyber operations, there are new tools and techniques that come up all the time. So that has been a challenge as Cyber Command has tried to set up this concept and this vision is just keeping up with the technological change, and then trying to envision an architecture that would be able to accommodate what is going to continue to be a dynamic environment. So how do you feed in the new sensor, the new cyber tool to fit into this framework so that the cyber forces can access it and use it?
Tom Temin: So it sounds like the danger is that they could buy products and then try to have to backfill them, or somehow modify them afterwards, to fit the architecture, rather than the architecture being baked into the requirements. Is that a good way to put what the potential here is?
Bill Russell: That is a good way to think about it. Let’s take for example, the Army has a persistent cyber training platform. So how do you want to adjust what the Army requirements already are for that program in order to meet the interoperability standards for this new architecture. That’s what needs to be sorted through. The Air Force in another example, has developed a unified platform or is working to develop that. That’s really going to be the hub of all these systems where the data gets integrated, tagged, o it can be used for different applications. Well, what’s the standard that you want to use for tagging that data? And is that what the Army’s already doing? Is that what the Air Force is already doing? So there’s a lot of pieces there that need to be worked out to really make this suite of programs a seamless experience for the cyber forces that are going in and trying to use them to accomplish their mission.
Tom Temin: And the architecture itself, who owns it within DoD? Where does it belong in the hierarchy there?
Bill Russell: So right now, it’s division was created by Cyber Command. And that’s one of the things that they’re going to need to work out with the governance structure, better defining some of the roles and responsibilities of key offices going forward. And that was one of the recommendations in our report. To their credit Cyber Command recently stood up a couple of offices, an integration office and a capability management office that are going to help with both that integration challenge and operability challenge, and then some of these governance issues, but more to come. They’ve set up the offices, but they haven’t done the next step of really defining some of these key details that are going to be important going forward.
Tom Temin: And what are your principal recommendations then in having looked at this?
Bill Russell: Two key recommendations. One is really to document the interoperability goals for the larger cyber architecture. And then the second is to specifically outline the governance structure in terms of roles and responsibilities of the key offices between Cyber Command — what the military departments are already doing in their individual acquisition programs, and really put a lot of detail around that so everyone’s clear, who’s doing what and how their piece is going to fit into accomplishing this larger cyber architecture concept.
Tom Temin: I guess as arcane as this might sound a lot is riding on it because cyber, the Cyber Command, the whole cyber domain is really important to the military future as a whole, isn’t it?
Bill Russell: Absolutely. Cyberspace has become as important as traditional land, sea, airspace warfighting domain. So getting this right will really help cyber forces to be able to conduct their missions in a more seamless way.
Tom Temin: And did they generally agree with your recommendations? Are they working on them?
Bill Russell: They did generally agree. They’ve already set out on working through the interoperability goals through that integration office. They partially concurred with the recommendation around governance. It wasn’t entirely clear what they may have partially disagreed with. But what was conveyed in terms of continuing to develop that governance structure, including appropriate roles and responsibilities, is in line with what we were hoping they would do.
Tom Temin: Bill Russell is director of Contracting and National Security Acquisitions issues at the Government Accountability Office. Thanks so much for joining me.
Bill Russell: Thanks for having me.