wfedstaff | April 17, 2015 4:16 pm
The Defense Department and the intelligence community share a common challenge over the next several years: breaking down thousands of stovepiped technology systems and building coherent IT enterprises. And both organizations say they’re working together to do it.
Two factors motivated both intelligence and Defense to start making their IT spending more efficient: the need to share information at different classification levels across organizations, and the fact that their ever-increasing budgets suddenly stopped increasing.
Though the two huge organizations begin from different starting points, the goals are roughly the same. They need to build shared technology environments and turn off legacy IT systems.
Rob Carey, the Defense Department’s deputy chief information officer, said the Pentagon and the intelligence community are sharing a lot of notes these days.
“We’ve gone past, ‘Hey, you guys attend each other’s meetings.’ We’re actually partners in crime,” he said. “We’re participating in each other’s environment and we’re actually bringing ideas back and sharing at the design level. I think it’s driving faster responses and faster answers to acting like an enterprise. The relationship that the IC and the DoD has is stronger than ever.”
Carey spoke at the annual GEOINT conference in Orlando, Fla., where Director of National Intelligence James Clapper made the earlier announcement that the cloud IT system for the intelligence community, the Intelligence Community Information Technology Enterprise (ICITE), will come online in March of next year.
Seamless data sharing
Al Tarasiuk, the ODNI’s and the intelligence community’s CIO, said the collaboration with DoD isn’t just about sharing lessons learned. As DoD and the IC build their respective enterprises, they’ll need to make sure data can be seamlessly shared between them, he said.
“Very specifically, we each jointly chair a standards committee that determines the standards we’re going to use for data sharing, access control, identity and access management, all the points of intersection that are important for interoperability to be able to make sure our systems can read data across the divides, those are the real working-level details that are being worked jointly,” he said. “It’s the stuff that will endure after we’re all long gone.”
In Clapper’s address earlier this week, he listed clamping down on disclosures of classified information in a post-WikiLeaks environment as a key priority.
“We’re trying to stop the hemorrhaging, and I feel very strongly that we in the IC should try to set the example for the entire government,” he said.
Clapper promised reforms to the security clearance process, more regular monitoring of the behavior of cleared personnel and a continuous, more careful auditing of classified networks.
Both departments say they’re doing that by introducing attribute-based access control to their IT systems. The idea is to not just regulate whether users can access a particular network, but whether they can access discrete pieces of data based on who they are and where they are.
“Fine-grained attribute-based access control is really critical to us sharing information with the kind of cyberattacks that we’re seeing,” Tarasiuk said. “I think the only way to fundamentally know who you’re sharing with. You have to associate the attributes of a system or a person with the attributes of data. I think at the end of the day, it will give our data stewards in both departments a better sense of where their information is going and that it’s under control. Today, many data stewards release information without really knowing who’s seeing it or what they’re doing with it.”
JIE to get attribute-based access control
As DoD continues on the multiyear path toward its IT enterprise goal, the Joint Information Environment (JIE), Carey said attribute-based access control will take advantage of DoD’s existing database of people, called DEERS, which hosts identity information about military members, civilians, family members and retirees. It’s been used for authentication before, but only for more rudimentary purposes like gaining access to DoD websites.
“As we collapse the infrastructure, it will make it even easier to create a [global address list] across the entire DoD that will allow us to protect information better by affording us attribute-based access control as part of JIE,” Carey said. “It’s something we talked about for many years, but now it’s something that we’re doing and we actually have an end state in mind. Identity will in fact be the only way you get access to information, and absent that, you’ll only be able to see completely unclassified information. We’re really excited about having the bedrock in place and having the path to go forward to reduce our cyber risk through the introduction of identity management.”
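An added illustration, not code from the article or from DoD or the intelligence community: a minimal attribute-based access decision in Python that matches a user's attributes (who they are, where they are) against a data item's attributes, lets a request with no authenticated identity see only unclassified data, and records every decision for the data steward. All names, attribute fields and sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered classification levels; a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class Subject:
    identity: Optional[str]          # None = no authenticated identity
    clearance: str = "UNCLASSIFIED"
    org: str = ""
    network: str = ""                # where the request comes from

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    releasable_to: frozenset = frozenset()   # organizations allowed to read
    networks: frozenset = frozenset()        # networks it may be served on

audit_log = []  # one record per decision, for the data steward

def decide(subject: Subject, resource: Resource) -> bool:
    """Return True only if every attribute check passes (deny by default)."""
    reasons = []
    if resource.classification not in LEVELS or subject.clearance not in LEVELS:
        reasons.append("unknown classification label")
    elif resource.classification != "UNCLASSIFIED":
        if subject.identity is None:
            reasons.append("no authenticated identity")
        if LEVELS.index(subject.clearance) < LEVELS.index(resource.classification):
            reasons.append("clearance below classification")
        if subject.org not in resource.releasable_to:
            reasons.append("organization not in release list")
        if subject.network not in resource.networks:
            reasons.append("network not approved for this data")
    allowed = not reasons
    audit_log.append({"who": subject.identity or "anonymous", "what": resource.name,
                      "allowed": allowed, "reasons": reasons})
    return allowed

# Constructed sample data (hypothetical names and attribute values).
REPORT = Resource("imagery-report", "SECRET", frozenset({"IC", "DoD"}), frozenset({"secret-net"}))
NOTICE = Resource("public-notice", "UNCLASSIFIED")
ANALYST = Subject("analyst1", "SECRET", "DoD", "secret-net")
REMOTE = Subject("analyst1", "SECRET", "DoD", "unclass-net")
ANON = Subject(None)
```

The same cleared user is allowed from `secret-net` and denied from `unclass-net`, and each entry in `audit_log` names the attribute check that failed.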
While both organizations expect to see security and information sharing benefits from more centralized, interoperable IT environments, the cost savings won’t come until old legacy systems are taken away from their owners and turned off.
Carey said there are a lot of those systems.
“We’re the product of about 25 years of innovation inside of stovepipes,” he said. “In many of my past jobs, I created those little cylinders of excellence because I could, because my boss tagged me with solving a problem and I did. Rarely did any of us look up and see if anyone had already built the same thing we wanted. We just built something and lived with it and sustained it, so now we have thousands of network enclaves and 1,500 data centers. The enterprise grew to a point where it’s not really sustainable, defendable or affordable.”
Tarasiuk said intelligence agencies have a similar story.
“We have no choice but to move in this direction,” he said. “The budget situation was the impetus that put us over the top to move in this direction. This has been tried before, but the culture has already resisted and the budget has been growing for many years. But the reality now is that none of our agencies is going to have enough money to deal with the kind of requirements we have, especially when you look at big data, mass analytics and things like that. No agency will be able to handle the volumes and the intensity of the data that’s coming in. The only way we can do this and be effective is to do this together, so we’re going to be forced to turn things off.”