As part of the response to two massive data breaches involving systems at the Office of Personnel Management, the federal government decided to put the Defense Department in charge of building a new information technology backbone to house and process all of the data involved in security clearance investigations, one that would be safer from foreign attacks.
As one way to achieve that goal, the Defense Information Systems Agency, the lead agency in charge of the IT development, is considering opening up the National Background Investigation System’s underlying source code to the general public as soon as it’s fully baked. The theory is that it’s far better for white-hat hackers to find and help squash security bugs before the new system comes online than for bad-guy hackers to discover and make use of them to steal yet another batch of data.
Maj. Gen. Sarah Zabel, DISA’s vice director, said the idea was first proposed to her agency by the Defense Digital Service.
“I’ll confess, I was horrified when I first saw the suggestion,” she said. “My reaction was, ‘No, you can’t tell everybody about the business logic in our systems.’ Then I started thinking about it. Why not? The business logic isn’t the secret, it’s the underlying data, so let’s put the source code out there,” Zabel said last week at AFCEA NoVa’s annual Air Force IT day. “We’ve identified a couple of programs within DISA where as soon as the software development is done, we’ll publish the source code and we’ll do a bug bounty on that.”
One of those IDIQs specifically provides for a managed service in which an outside company will vet good-guy hackers to hunt for vulnerabilities. The same contract allows DoD to give access to some of its more sensitive systems so that security experts participating in the program can search for security holes both in systems that are already up and running and in the source code of programs that haven’t yet been brought online.
“We know the black-hat hackers are already looking at whatever we have — now we’re going to get the support of the white-hat hackers. I think we were pretty fixed in our ways, and we had to have somebody from the outside come in and tell us, ‘Why don’t you try this?’ Zabel said, referring to the Defense Digital Service. There’s a lot more out there, and we’re interested in hearing a lot more outside ideas.
Separately, Zabel said DISA has just finished a small reorganization of sorts to overhaul its approach to running the 11 large data centers it runs on behalf of the rest of the Defense Department. Those Defense Enterprise Computing Centers, she said, have been somewhat autonomous until now, each with “boutique” responsibilities they’d inherited from other DoD organizations over the years.
“They were very brick-and-mortar, very specialized in the customers they served,” she said. “What we’ve done is changed to one standard ecosystem with different lines of business. If you get server services from any of our DECCs, that’s managed as the server line of business. Mainframes are one line of business, cybersecurity is one line of business. It’s make it so we can standardize how we do business, neck down the tools, and that leads to greater automation, fewer errors and the ability to be more efficient.”
Zabel said Tony Purvis, currently the director of the Oklahoma City DECC, will take on the task of overall management of the ecosystem. Other existing DISA officials will lead the individual lines of business. The new command and control structure has already been established, but the agency doesn’t expect to declare the new management construct to be at initial operating capability until January at the earliest.
“Once the ecosystem is done, you still have 11 different data centers all behaving differently, so it’s kind of hard to say you’re at IOC at that point,” she said. “So we decided that when every line of business has been able to get an assessment of the tools in their particular area and establish control over their particular area in every data center no matter where it’s located, that’s when we’re IOC.”