A major Defense Department initiative to protect the military services’ computer networks with a shared system of regionalized cybersecurity centers will face new scrutiny in 2017, both from Congress and from the department’s inspector general.
A provision in the massive 2017 Defense authorization bill, passed by Congress earlier this month and signed by the President last week, bars the department from declaring full operational capability on any of the 12 Joint Regional Security Stacks (JRSS) it’s planned around the globe over concerns that Pentagon IT leaders haven’t done enough to demonstrate that the $1.6 billion system is effective.
The bill orders the department to conduct a formal operational test and evaluation (OT&E) process to “determine the effectiveness, suitability, and survivability” of JRSS and places limitations on its full deployment until DoD does so, although Pentagon leaders would be able to sidestep the OT&E requirement if they can certify that the system is vital to national security and can show Congress other evidence that the system works as intended.
The Defense Department first began building the security stacks in 2013, arguing that the prior practice — particularly in the Army and Air Force — of protecting DoD networks mostly with locally-managed hardware and software at hundreds of military bases was inefficient and ineffective. Officials view JRSS as the first major deliverable in a broader vision of shared IT known as the Joint Information Environment.
The Army and Air Force have already begun to rely on the “stacks” of commercial-off-the-shelf network appliances and other monitoring tools to protect their bases in the southeastern U.S., and deployments are well underway in Europe and the Middle East as well. The Army expects to migrate the rest of its networks behind JRSS installations over the coming year, followed by the Air Force. The Navy and Marine Corps intend to start moving their large, existing enterprise networks to a “2.0” version of JRSS in 2018.
At a Dec. 13 AFCEA conference in Tysons Corner, Virginia, Maj. Gen. Sarah Zabel, the vice director of the Defense Information Systems Agency, said the tools DISA and the military services have deployed in the new security stacks to monitor network traffic and provide better situational awareness were working well, but the military services’ own cyber personnel needed more time to become comfortable with the shared infrastructure.
“Where we are now is making it useful for the military services,” she said. “The stacks are stood up, the traffic’s flowing, but we need to make it so that their defenders know how to use it. The services have developed their own tactics, techniques and procedures over time, and now they have a different set of tools to work with. That’s the new challenge.”
DoD expects each of the military services to have most of their systems behind the defensive barrier by 2019 or 2020, though Terry Halvorsen, the department’s chief information officer, recently emphasized that the Pentagon will need to continuously improve JRSS. In the short term, DISA is planning procurements in fiscal 2017 to upgrade the stacks by, for example, adding hardware that can automatically “break” the secure sockets layer (SSL) encryption employed by modern web browsers so that it can monitor traffic to and from Defense users’ computers even when it’s encrypted.
Also last week, the Defense Department inspector general announced via its annual oversight plan that it intends to begin the first of what officials said will be a series of audits on whether the various initiatives in DoD’s Joint Information Environment are actually improving the military’s cybersecurity posture.
“Specifically, [we will] determine whether the implementation of Joint Regional Security Stacks reduces DoD’s exposure to internal and external cybersecurity threats,” IG officials wrote.
Cyber defense was also a focus area in a separate report the office issued a few days earlier assessing the department’s top 10 management challenges for 2016.
Describing its reasons for including cybersecurity on the list, the IG cited a July Government Accountability Office report that concluded DoD still has not fully defined the cost and scope of the JIE project, as well as some of the IG’s own recent audits, including several classified reports which found “consistent and systemic weaknesses” in the security of the military’s Secret Internet Protocol Network.
“In sum, although the DoD has taken steps to increase cybersecurity through offensive and defensive operations and build its Cyber Mission Force, significant challenges remain,” the IG wrote. “The DoD needs to continue to focus in areas such as maintaining a skilled cyber workforce, developing and using cyber capabilities, and integrating cyberspace operations into command plans.”