Defense overhaul's emphasis on the cloud carries supply chain risks

iStockPhoto

The shift of military operations to the cloud -- part of a Defense Department downsizing -- will require protecting electronics manufactured in Asia from supply chain tampering, say some private security auditors. But that won't necessarily mean inspecting every network component made in China.

As the military ends campaigns in Iraq and Afghanistan and institutes mandated cost cuts, funding for cyber operations will dodge the chopping block , Defense Secretary Leon Panetta said Thursday. To defend the military's information assets, Pentagon leaders say defense computers must be tied to the cloud -- meaning an online environment that can be centrally locked down. Yet it's difficult to police parts of that environment manufactured or even housed in countries that stand accused of cyberespionage, experts say.

"Our clouds are running off of hardware that's built in China," said Tom McAndrew, an executive at IT compliance firm Coalfire who also is a Navy Reserve surface warfare officer specializing in weapons systems. He was not speaking on behalf of the Pentagon. "The challenge is -- can you create a secure cloud running on top of nonstandardized, noncertified hardware?"

Lawmakers have warned of a nightmare situation where bad actors intentionally install a "backdoor" mechanism -- essentially malicious programming -- into military circuitry to, for example, shut down systems remotely or leak information.

In December 2011, the White House issued FedRAMP, basic security standards for cloud products purchased by defense and civilian agencies. The approval process should speed deployments of back-office services -- email management or commissary operations -- but cloud-centric warfare will have to satisfy a different set of safety standards, McAndrew said. Especially, as Panetta noted, with tech-manufacturer China becoming a rising power.

The Asia-Pacific region "is growing in importance to the future of the United States economy and our national security," pushing the government to "maintain our military's technological edge and freedom of action," Panetta said. Under the terms of a debt-reduction deal brokered last year, the Pentagon must figure out a way to cut $487 billion in defense spending over a decade, without sacrificing forcefulness.

Cutting-edge cloud providers such as Google "can't guarantee that all of their code is developed in-house," McAndrew said. "We're not going to be able to get to a secure state by validating every piece of hardware and software." Instead, Pentagon officials likely will demand layered controls, such as ordering that data be encrypted in the cloud, he said.

Defense's cyber chief envisions the cloud as a common network infrastructure capable of spotting and blocking threats remotely for all the military's software and electronics. "How do we create the next set of architecture that is more defensible and can ensure the integrity of our data? I think it's in the cloud," Gen. Keith Alexander, chief of U.S. Cyber Command, said in October .

For that to happen, McAndrew said Pentagon officials and Web service providers must understand each other's business needs. Some of those firms' server farms are located in China and other nations with different privacy and security regimes. "There aren't a lot of brass in the military who have spent time at Microsoft, at other IT companies," he said. "And to be honest, those cloud providers are learning too."