The Defense Department is moving ahead with a major upgrade to the cybersecurity posture of its installations in Europe, moving from a base-centric approach to one that encompasses the entire region, including U.S. European Command and U.S Africa Command.
While the fundamental plan is not new, increased cyber threats and tighter budgets provided added incentives for the military to accelerate its strategy by two years.
The upgrades take the form of what the Defense Department calls Joint Regional Security Stacks (JRSS), an important building block of the department’s Joint Information Environment (JIE). The idea is to remove the responsibility for network security from the individual, service-specific military installations that currently handle those tasks and move to an enterprise model in which a handful of centers handle security for an entire region.
Lt. Gen. Mark Bowman, the Joint Staff’s director for command, control, communications and computers, said DoD originally planned to make the Europe upgrade in 2016, but officials have decided they can and should complete the job by the end of 2014.
“In this environment, the cultural barriers that used to make people think they have to protect all of their data on their own are not there anymore,” he said. “In Europe, people are agreeing that, ‘Yes, we can stop doing it the way we’re doing it, and we can push forward.’ It replaces the top-level security architecture we have now, and the teamwork that’s happened between the Army and the Defense Information Systems Agency to make that happen is phenomenal.”
The Defense Department sees the JRSS construct as inherently more secure because it will press its most capable cybersecurity personnel into service at the relative few sites that will defend the network, all following the same protocols, and managing networks that DoD hopes will eventually all adhere to the same common technical standards under JIE. The primary defenders will be the Cyber Mission Force that U.S Cyber Command is currently building as one of three groups of cyber teams.
“It also does away with some of the seams we have today, because when tasking orders come down from Cyber Command, they tend to get interpreted by different people in different ways,” Bowman said at the AFCEA Army IT Day Tuesday. “When that happens, it causes security gaps that are easily exploited. It also causes us to spend more in the form of both people and money. We duplicate security stacks, we duplicate labor hours. We’re able to overcome that with JRSS.”
The Europe security plan follows similar upgrades DoD has already begun to make to its U.S.-based network infrastructure under JIE. DISA, the Army and the Air Force announced late last year that they would pool their resources to make major network upgrades, including a move to joint security stacks and multi-protocol label switching (MPLS) routers that will provide massive boosts in the bandwidth available to military bases.
“Right now we have over 700 security stacks across the world, and that’s really crazy,” said Lt. Gen. Robert Ferrell, the Army’s chief information officer. “That means we have over 700 doors open to our house, and that’s too many entry points to defend. So we’re drastically reducing our footprint to 23 worldwide and 11 in the continental U.S.”
The Army, the Air Force and DISA are testing the concept first at Joint Base San Antonio, a shared installation that encompasses the former Fort Sam Houston, Lackland Air Force Base and Randolph Air Force Base.
And the U.S.-based implementation of the security stacks is ahead of DoD’s original schedule for putting JIE into practice: overseas locations were supposed to go first, but Bowman said the department now is implementing JIE concurrently in different locations around the world.
Europe served as DoD’s first testbed. There, another key component of JIE, the Enterprise Operation Center construct reached its initial operating capability last summer.
Menu of enterprise services
Bowman said there’s no established timeline for when the Europe portion of JIE will be completed and when the next formally-scheduled part of the project, centered in the Pacific, will get up to speed. But the Pacific increment of the project already has started, with IT experts conducting site surveys in order to determine which portions of the service-specific networks there can be transitioned first into a joint construct.
U.S. Pacific Command already asked to sign up for DoD’s first enterprise service: a common email system. Under JIE, the entire Defense Department is supposed to coalesce around numerous other shared services as well, including “core data centers”, Defense Connect Online, the Defense Enterprise Portal and a common directory of identities.
But Bowman said the Pentagon wants the military services to migrate their IT to enterprise-level services on a schedule that makes sense for their missions.
“We like to look at JIE as a menu, and we still think everyone should have to consume everything on that menu,” he said. “Some people are concerned that we’re not all consuming it at the same time. But what we look at is what makes operational sense for the users out there. If they can demonstrate that it will cause adverse effects on operations if they move to a particular item associated with JIE, they’ll get a bye. Other than that, they’re all gonna do it. The order they do it in doesn’t matter. It has to be a coordinated effort, but operations [are] important, and ops counts.”