Some lawmakers aren't convinced the Pentagon is adequately preparing for sophisticated cyberthreats, despite a growing Defense Department budget request.
At a Feb. 25 House Armed Services Committee hearing on DOD's IT investments, Rep. Jim Cooper, D-Tenn., pinned some of the blame on the department’s push to adopt cloud computing, quipping that he worried “cloud” stood for “Chinese Love Our Uploaded Data.”
“I’m worried that our troops would be incapable of working if the 'net went down, [or] if things go dark,” he said. “To me, the vulnerability is amazing when virtually every company has been taken down.”
DOD has evinced clear interest in accelerating adoption of cloud computing, although the steps it’s taken have generally been cautious.
DOD's transition to the cloud has been slowed by the fact that technology providers aren't always up to the department's constantly evolving security requirements, DOD acting Chief Information Officer Terry Halvorsen testified.
“We are not dodging the hard question of how [companies] will meet our requirements, and frankly how will they respond when they have a penetration and lose our data, [and] what’s the accountability that they’re going to have," he said. "What we've had to tell them is the standards I put out today in this environment, in the IT world, they will change. And they might change in six months, depending on what the threat does. We’ve told them they have to be reactive to that."
President Barack Obama’s 2016 budget proposal, released earlier this month, requested a total federal IT budget of $86 billion, up 2.7 percent from the previous year. About $37 billion of the total budget is slated for Pentagon IT programs.
During the hearing, Halvorsen urged lawmakers to prioritize efforts to update military IT, such as the Joint Information Environment, a concept for a militarywide data sharing system.
About 80 percent of the department's logistics applications incorporate the same data, Halvorsen said.
"We can start shrinking the number of systems . . . combine the data elements, and wrap that around the different parts of the application that each of the services needs [individually]," he said.
Doing that would allow the department to protect information in one location, Halvorsen added.
All told, the White House budget requested $534 billion for DOD spending, about $36 billion more than sequestration caps, according to the department.
If DOD budgets returned to sequestration levels, Halvorsen warned, it would delay IT modernization by two to three years.
"We won't [be able] to support the warfighters," he said. "They will be at risk."
Cyber actors are more capable than before, he added. “That includes everything from your country-state threats to terrorist groups that would be in the news today," Halvorsen said. "Any slowdown in our modernization would make it easier for even less complicated or less sophisticated groups to interfere with our business.”
Rep. Rich Nugent, R-Fla., asked witnesses how the department planned to combat insider threats -- unauthorized personnel gaining access to sensitive information, for instance.
“The biggest insider threat is from system administrators, the guys that have complete access,” Halvorsen said. DOD is working to require system administrators to use tokens to access sensitive information, so "you will have a visible identity for every systems administrator.”
DOD is also developing the ability to monitor system administrator behavior, sending alerts “if they route traffic differently or if we’re seeing them move things around differently,” Halvorsen said.
Army CIO Lt. Gen. Robert Ferrell said the Army supplements software-based security with educational outreach and training to prevent insider threats.