NSA chief endorses the cloud for classified military cyber program


A centrally secured information hub would provide controlled access to intelligence.

The cloud will be a logical place for sharing classified intelligence on cyber threats with critical industries as the Defense Department presses ahead on an attack-prevention program it recently opened to all defense contractors, former military officials say. On Wednesday, a spokeswoman for Gen. Keith Alexander, the military’s top intelligence official, said he endorsed the idea.

When the Pentagon started the defense industrial base cybersecurity pilot program last summer with select suppliers, many defense and some nondefense companies vital to Americans, such as banks, wanted to join. The military in May expanded the program to all defense contractors and their Internet service providers partly because the department was able to develop “a dedicated threat-sharing and collaboration system, and validated online application procedures in order to support participation by a large number of companies,” preliminary regulations noted.

Alexander, who runs the Pentagon’s National Security Agency, which produces the intelligence disseminated through the program, has repeatedly told lawmakers that the military’s 15,000 networks eventually will move to the cloud. And the Pentagon is attempting to save $680 million annually by consolidating information services through clouds run by the Defense Information Systems Agency.

“As Gen. Alexander said at last year’s [Geospatial Intelligence Foundation] conference, secure cloud computing offers both DoD and the [intelligence community] many advantages and efficiencies that could enhance information sharing and collaboration,” NSA spokeswoman Marci Green Miller said in a statement. The GEOINT symposium is an annual conference that the nonprofit group organizes for intelligence, defense and homeland security professionals.

Under the cyber program, NSA culls the “signatures” or unique characteristics of identified malicious coding for vendors so they can feed those danger signs into antivirus software. The quid pro quo is that what goes into the information sharing system, including Secret intelligence and companies’ confessions of breaches, stays in the system. The cloud -- a remote computer hub that transfers data through the Internet or a classified network -- could facilitate that reciprocity, experts say.

Former DISA director Gen. Harry D. Raduege explained that the cloud’s flexibility should accommodate the program’s expected high demand. A cloud environment can be compartmentalized based on a user’s authorization level so that, for example, only a defense contractor could read the classified intelligence, while perhaps unclassified threat information would be accessible to nondefense sectors, such as state governments.

“It’s become very, very popular,” Raduege, now chairman of the Deloitte Center for Cyber Innovation, said of the defense contractor program. “It’s become one of those free services, where . . . if they have the proper security clearance, they can get into a secure cloud so that they can get insights to protect their own enterprise.”

Alexander has strongly endorsed the use of the cloud for military operations for more than a year.

“The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use -- each of which has to be individually secured for just one of our three major architectures -- up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter,” he testified before a House subcommittee in March 2011.

On March 27, he told the Senate Armed Services committee: “Our DoD cyber enterprise, with the department’s chief information officers, DISA and Cyber Command helping to lead the way, will build a common cloud infrastructure across the department and the services that will not only be more secure but more efficient -- and ultimately less costly in this time of diminishing resources -- than what we have today.”

Other computer specialists say they also have faith in the cloud to securely transmit information.

“Everybody who is in security these days is into the cloud, partially because you want to start from scratch” in launching new information services, said Dave Aitel, president of cybersecurity firm Immunity Inc. and a former NSA computer scientist. Eventually, the program might encapsulate multiple clouds, he said, because participants may want to interface with the feds through their own clouds. “Getting two clouds to talk to each other will be a very big deal,” Aitel added.

Due to budget cuts and the drawdown of U.S. troops, the Pentagon’s spending priorities have changed. According to the new defense strategy released in January, two areas will receive additional resources: the Asia-Pacific region and cyber operations. To conserve funding and expand the defense contractor cyber program, “DoD is going to need to learn to use the technology called cloud in a more expansive space,” said Dale Meyerrose, the intelligence community’s former chief information officer.

But some cybersecurity specialists and government agencies remain wary of the technology, partly because of its major attribute -- the shared space.

“If you’re moving information into the cloud, it just seems to me that all kinds of nasty activity could go on in there,” said Gen. John P. Casciano, a former director of intelligence, surveillance and reconnaissance for the Air Force. “I would take a Missouri approach and say, ‘prove it to me, show it to me,’ how it’s more secure.”

Alexander has acknowledged there are reliability and trust issues with the cloud. “This architecture would seem at first glance to be vulnerable to insider threats. Indeed, no system that human beings use can be made immune to abuse. But we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data,” he told the lawmakers in 2011.