With the Defense budget on its way down, the Defense Information Systems Agency is making the case that the enterprise information technology services it’s trying to provide aren’t just more cost-effective, they’re also more secure.
That proved true just this past week, DISA officials said, when the enterprise email system it built for the Army allowed them to put the kibosh on an email-delivered malware attack that had begun to make its way into the DoD private cloud email service. It could have spread elsewhere in military networks if DISA hadn’t found and quickly squashed.
“Where we used to be is that we had all these individual email servers with a little piece of the picture. Each network sensor had a little piece of the picture,” Mark Orndorff, DISA’s top IT security official, said in an interview. “Now, the thread we’re able to pull is that we can see the pattern of those attempts. We can pull together a picture of the entire attack technique. Those attacks would have been essentially undetected if you just had little pieces of that picture scattered around the DoD cyber workforce.” Orndorff, who officially assumed the role of chief information assurance executive at DISA with a Pentagon announcement Tuesday, said he could not provide further specifics about the attack or what DISA did to stop it. But he said the security lessons of a common operating picture were translatable to other IT functions, not just email.
“I think the same logic applies, whether it’s email, Sharepoint or across the board,” he said. “But it’s not just a given that moving to the cloud will improve your defense. It gives you the opportunity to improve your defense. You can choose to exploit that opportunity or not.”
Developing and providing secure enterprise IT services that serve the entire Defense Department is DISA’s number one focus, officials said at an AFCEA D.C. event Tuesday.
Private cloud best path forward
The agency believes its DoD private cloud approach to technology is the best path forward to improving a DoD network infrastructure that Gen. Keith Alexander, commander of the U.S. Cyber Command, called “not defensible” in a speech last week.
“To use Henry Ford’s quote, some people say don’t put all your eggs in one basket. I say put all your eggs in one basket and watch that basket very closely,” said David Mihelcic, DISA’s chief technology officer. “Today what we have is a very uneven architecture. It’s very distributed, and we don’t have any good centralized oversight of it. What we’re trying to do is standardize and focus on those things we think are important.” To focus its enterprise IT efforts further, the agency is undertaking a miniature reorganization this week: DISA is dissolving its Computing Services Directorate and its Program Executive Office for Enterprise Services and is consolidating them under a new enterprise services directorate, led by DISA’s Alfred Rivera.
Rivera said the development of other enterprise services is well underway, even as the Army, DISA’s primary email customer, works through a Congressionally-mandated pause in its transition to the cloud. For example, all 14,000 members of the Army’s Network Enterprise Technology Command around the world are using DISA’s cloud-based Sharepoint service, which still is in an initial test phase.
Rivera said DISA also is working to develop the infrastructure to offer platform-as-a-service to DoD customers.
“This will push standardization to the next level,” Rivera said. “We think it’s going to provide the economies and the IT efficiencies that have been a mandate from the Secretary of Defense for a year now.”
But DISA’s creation of those services is one thing. Getting the vast maze of decision makers in the DoD and in Congress to adopt them is another matter. Tony Montemarano, the agency’s new director of strategic planning who formerly served as its top acquisition official, said the military services’ top IT officials were working together like never before, but there’s a lot more work to do.
“If I had one wish, I would have the Army, Navy, Air Force, Marine Corps and DISA unite-not physically-but in their approaches to IT,” he said to applause from the industry crowd. “I wish we could have one IT infrastructure instead of five or seven.” With regard to funding, Montemarano said DISA has fared relatively well in DoD budget cuts to date, though he warned IT service contractors were more at risk going forward than are vendors who provide products to DISA.
“If I need three contractors to help me do a job, tomorrow it’s going to be two,” he said. “But from a financial perspective, we’re feeling pretty good. If sequestration arrives, we’re all out of luck. But until that comes, we’re fairly comfortable that we’re spending the money in an appropriate manner.”
Montemarano said DISA’s recent completion of a successful audit on its working capital fund was evidence to Congress of its responsible stewardship of public money. But he said the agency needs industry’s help to revive the message that IT is a force multiplier for the U.S. Military.
“I haven’t been hearing that message lately,” he said. “In a time of reduced funding, we need to show that the stuff you all provide is more efficient in fighting the fight than buying another airplane or another ship. If they hear it from DISA, it’s not going to mean anything. They need to hear it from you all.”