Key congressional committees have signed off on an Army request to spend $175 million to significantly restructure the way the service secures its computer networks.
The Army will begin with nodes in the U.S. and in the Middle East, which officials said is one of the first major leaps ahead toward DoD’s eventual Joint Information Environment (JIE).
The four key Defense committees which oversee DoD reprogramming requests gave the go-ahead last week to spend fiscal 2011 funds that otherwise would have expired to build what the Army calls joint regional security stacks.
Instead of having the Army’s networks secured at the local level by each individual post, camp and station, the service will elevate and consolidate those responsibilities at 11 regional centers in the continental U.S. and four more in U.S. Central Command and Europe.
“Right now, we have 400 points of presence where we have major security architecture that interfaces with the Internet, external networks and the DoD dot- mil networks. Those are all a surface area that can be attacked, and so right now they have to be defended,” Richard Breakiron, the network capacity domain manager in the Army CIO’s office said in an exclusive interview with Federal News Radio. “Reducing that down to 11 gives us much greater capability at each one of those locations and it allows us to focus our attention. Our best trained personnel will be able to work at those locations. Our cyber forces will really be able to work the data at those locations.”
Officials said the change will help solve one of the military’s biggest network defense challenges. Currently, U.S. Cyber Command, Army Cyber Command and the other military service cyber components don’t have visibility down to the individual military bases and the thousands of computer terminals that populate them. The regional approach, based on common network standards, will begin to change that.
It’s also much more cost-effective, Breakiron said. The Army currently estimates that its various components rack up a bill of $1.2 billion every five years just to replace equipment in the current disjointed security infrastructure, not counting the cost to operate and maintain it.
The regional security stacks are a sub-part of a larger network modernization the Army already is in the middle of, with installations officially beginning this month. It began with a large bulk purchase of multi-protocol label switching routers (MPLS) at the end of 2012, also through a Congressional reprogramming.
The MPLS technology, increasingly common among private-sector network operators, is designed to dramatically increase the performance and efficiency of a network, and the Defense Information Systems Agency had been planning to start implementing the system across DoD as part of the department’s transition to a common computing infrastructure under the JIE plan. The Army said its project, which the Air Force now has joined, effectively moves the timeline up by almost four years.
“What it does for the Army is that I’m changing a business process,” Mike Krieger, the Army’s deputy CIO told AFCEA’s DC chapter last week. “There’s a GS-13 who works at Fort Huachuca, and today, if you need more bandwidth at your post, you have to justify it to him. So at Fort Hood, Texas, a core installation of the U.S. Army, they have a total of 650 megabytes per second that he’s approved. This MPLS cloud will give us 10 gigabytes at every single installation without anybody having to individually validate the requirement. My argument from the CIO shop is we need to make bandwidth go away as a constraint. It’s just a huge upgrade for the Army.”
Army officials argue the upgrade represents a huge culture change in the way the U.S. military has historically handled IT.
For one thing, the Army will not own the hundreds of millions of network technology it just bought — instead, it will immediately hand it over to the DISA, which will operate the network as part of its role as the main enterprise technology provider for the JIE.
Breakiron said the Army and DISA had to work out some complex and creative arrangements to stay within federal law surrounding the authorities and responsibilities of the military services.
“DISA is going to accredit the equipment, they will handle operation and maintenance lifecycle replacement of the equipment, and they will administer the vast majority of the routing and traffic management of the network with these routers,” he said. “But the Army, the Air Force, the other services that have legal requirements to defend their networks will be delegated some administrative rights to our network operation and security centers. The same thing will happen with the security stacks. DISA will take ownership, but again, they’ll delegate administrative rights to the services, because each of our mission areas are all just slightly different.”
On the culture change front, the Army is exercising its relatively strong centralized IT governance authority to wrest away control of technology and its associated spending from individual commanders and bases. But it also believes it has a compelling case to make that that shift is in those commanders’ best interest: IT dollars are shrinking, and centralization across the Army can deliver more capability to the local level with less money if it does so as an organized enterprise.
“You can see what we’re doing with all this,” Krieger said. “When we went to enterprise email, we took [Microsoft Exchange administration] off of an installation. When we’re going to MPLS and regional security stacks, we’re taking a whole lot of security duties off the installation. There’s a heck of an effort going on right now between DISA, Army Cyber Command, the Air Force and [Army Network Enterprise Technology Command] on developing the exact concepts of operations. But it’s all about where you’re doing the work in the enterprise. It equates to more security, more effectiveness and saving money.”
The Army is beginning the first installations of the MPLS system in its southwest region this month, beginning at Fort Hood. It expects the entire infrastructure, including the regional security stacks, to be up and running at full capability by the end of calendar year 2014.