Decentralized Defense networks open to cyberattacks, report says

The Defense Department is ill-equipped to defend itself against cyberattacks because it lacks centrally managed networks and information systems capable of responding to those threats, the Defense Science Board said in a report released in April.

The Air Force, Army and Navy develop and run their own networks and information systems while the Defense Information Systems Agency operates departmentwide networks and systems. The result is Defense has a "multibillion-dollar effort that is not managed in an integrated way -- each service doing what they need with little consideration of the other services and agencies within DoD," the report said.

According to the task force that produced the report, "Creating an Assured Joint DoD and Interagency Interoperable Net-Centric Enterprise," the combatant commanders and Defense employees interviewed said, "no one is in charge" of the networks and information systems key to management and operation of 21st century armed forces.

Defense systems lack the interoperability needed to manage a high-tech enterprise, the report said, noting "without an integrated netcentric/cyberspace plan, threats from cyber-intelligent adversaries represent a clear and present danger to U.S. national security."

The Science Board said Defense should set in motion a 500-day action plan to improve governance of its IT systems, starting with the appointment of a top-level Net-Centric Cyber Council chaired by the deputy secretary of Defense and the vice chairman of the Joint Chiefs of Staff. Other members would include the commanders of the U.S. Strategic Command, U.S. Joint Forces Command and U.S. Northern Command, the director of the National Security Agency, and the vice chiefs of staff of the military services.

Since Defense must operate with the Homeland Security Department and National Guard in response to domestic attacks and natural disasters, the report said the National Guard bureau director and the deputy secretary at DHS also should serve on the council.

The report envisions a major role for DISA in developing the architecture for Defensewide, interoperable enterprise information systems. DISA, the report said, would manage a strong Network Systems Architecture Group to assess shortcomings in the network architecture and publish a roadmap for acquisition programs.

DISA also would be in charge of developing a common services-oriented architecture while the Strategic Command would create a heterogeneous departmentwide network, which the report said is essential for interoperability.

The report calls for establishing a two-tiered network system for Defense. A well-protected "hard core" would handle limited information, and a broadband "soft" network would support a data-intensive Web service, which the task force assumes would be more vulnerable to attack than the hard core network.

Michael Wynn, Air Force secretary during the Bush administration, told NextGov that he supported the report's emphasis on governance and the need to protect highly classified networks. Wynn, who pushed Defense to assign the cybercommand mission to the Air Force acknowledged that a soft network could be compromised because it is more accessible to hackers.

Defense must "learn to operate in a compromised environment with protocols [for] validation and verification," Wynn said. He cited the need to develop a cybersecurity manual to manage threats and penetrations of the soft network.

According to John Weiler, executive director of the Interoperability Clearinghouse, an Alexandria, Va., nonprofit that promotes enterprise technology solutions for Defense, the department needs a 500-day plan to get its network house in order. But Weiler said he had problems with the governance approach, especially the top-level council.

"Defense leadership needs another council like it needs another hole in their head. No decisions can be made by committee," he said. "What it needs is a very powerful leadership and governance structure like GE, IBM or Cisco."

Paul Kaminski, a member of the Defense Science Board task force that researched and wrote the report, sees DISA playing a fundamental but not exclusive architectural role. According to Kaminski, a consultant who served as undersecretary of Defense for acquisition and technology from 1994 to 1997, other agencies could work with DISA on network architecture once President Obama releases a federal cyber strategy later this spring.

Kaminski said there is a 50 percent chance that Defense will adopt the recommendations contained in the netcentric report.