I sent two essays to USNI. The second one is below, which covers my thoughts on what DISA's role should be in the Joint Information Environment.
"The reality is the network structure of today reflects a different time and a different place...that's why JIE, the Joint Information Environment, is so critical in the future for us. We have got to get to a defensible architecture."
- ADM Michael Rogers, during his Senate confirmation hearing
The Department of Defense needs to completely rethink the roles that the Defense Information Systems Agency (DISA), National Security Agency (NSA), U.S. Cyber Command (USCYBERCOM) and the military services currently occupy concerning the acquisition, maintenance, upgrade, certification and employment of information systems and the personnel who operate these systems in the Joint Information Environment. The current setup reflects a now-ancient view of information systems as simply supporting warfighting capability, and this setup makes us vulnerable to our future adversaries. Offensive cyber and electronic attack capabilities require their own specialized tactics and trained operators to be effective. Even purely supporting information systems, if lost, can cripple the decision making of a commander. Our view of information systems must completely shift, similar to how we viewed submarine warfare before and after World War Two.
Historical context
When the USS Holland launched in 1897, John Holland likely had no idea that in fewer than 100 years submarines would be primarily responsible for bringing Japan to its knees in World War Two, fighting the Cold War against the Russians and ultimately keeping our nation safe from nuclear holocaust. Submarines initially filled scouting roles in the US Navy, always subordinated to battleships and aircraft carriers. It was only out of desperation that the Navy began to allow submarines a wider role and, after the successes of World War Two, submarines retained their fairly independent role in naval warfare.
Information systems occupy the pre-World War Two position submarines once did. The Navy, in particular, continues to view information systems and warfighting in the information domain as a supporting function. Much like the submarine, the current view is that information systems exist solely to support "real" warfighting in the maritime domain. This is particularly reflected in the Navy's choice of manning, where URL officers continue to fill billets in areas like ISR and IT that are better suited for Information Dominance Corps (IDC) officers.
Just like the Japanese did with submarine warfare, the Navy is playing a dangerous game with this thinking. The US Navy completely changed submarine tactics and brought the Japanese warfighting machine to a grinding halt, while the Japanese continued to use submarines only in supporting roles, mainly to covertly resupply trapped army units. US submarines destroyed the Japanese ability to supply its Army and rebuild its Navy and Air Force, to the point where they actively looked at building wooden aircraft due to lack of metal parts.
Like submarines, cyber weapons can achieve similar effects against our enemies. Electrical power plants, communications relays and manufacturing plants are all just as vulnerable to cyber attacks as they are to kinetic weapons. A cyber attack on a nation could bring about the same effects, and it could happen against our nation. Most complicated manufacturing equipment uses cyber interfaces, such as SCADA, and cannot operate successfully without them. Electrical production could cease for large portions of a country, with effects much worse than the power outage that hit the Northeastern United States in 2003. With over half of all Americans not owning a home phone, a cyber attack on cellular infrastructure would cripple communications throughout an affected region. Given the severity, we need to act now to change how we think of cyber.
The role of the NSA, DISA and US Cyber Command
The military services have already proven they do not take cyber warfare seriously. Network patches and security violations remain low among the services' priorities, despite the serious vulnerabilities these violations open in our information systems. Sadly, too many top officers continue to pay lip service to cyber while openly deriding their own lack of knowledge. The low priority and mocking tone emanating from these officers serve as an impediment to building a truly defensible cyber infrastructure. The United States remains too vulnerable to cyber attacks to continue to allow the military services to independently field their own information systems and cyber personnel.
The role of DISA in protecting the Joint Information Environment needs to resemble how the US Navy set up Naval Reactors. President Ronald Reagan signed Executive Order 12344 in 1982 to unify control over the design and operation of nuclear power plants and the certification and training of the personnel who operate them. Naval Reactors is an expert organization, headed by a four-star admiral, that exerts considerable control over nuclear personnel and has prevented significant nuclear accidents among the US Navy's nuclear reactors, unlike their counterparts in the Russian Navy.
DISA currently exists under the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (C3I). This is too far down in the chain of command to get the proper attention needed for protecting and certifying information systems. Currently, DISA cannot command the military services to take vulnerable systems off the Global Information Grid (GIG), while Naval Reactors can shut down the reactor on a submarine that fails an Operational Reactor Safeguards Exam (ORSE), which essentially ties it to the pier until its personnel recertify. This control has kept our reactors safe and ensures a high standard among nuclear-trained personnel.
The President should elevate the DISA director to a four-star position under the Secretary of Defense through an executive order similar to 12344. This executive order should give DISA broad power over both the design and acquisition of information systems as well as the training and certification of personnel that operate those systems. It could be written like this:
Within the Department of Defense, the Secretary of Defense shall assign to the director responsibility to supervise all technical aspects of the Joint Information Environment, including:
(a) research, development, design, procurement, specification, construction, inspection, installation, certification, testing, overhaul, operating practices and procedures, maintenance, supply support, and ultimate disposition, of defense information systems, including components thereof, and any special maintenance and service facilities related thereto; and
(b) training programs and assistance and concurrence in the selection, training, qualification, and assignment of personnel reporting to the director and of Government personnel who supervise, operate, or maintain Department of Defense information systems.
With DISA's elevated stature, we should reexamine the roles of the NSA and USCYBERCOM. The director position of the NSA should be severed from USCYBERCOM and linked to DISA instead. NSA, like DISA, is a combat support agency. The war on terror and the rapid expansion of cyber, however, have blurred the lines of authority, and the NSA has inappropriately taken a bigger role in cyber to fill the vacuum left by the services' lack of interest.
NSA cyber operations need to move to USCYBERCOM. Computer network exploitation and computer network attack utilize many of the same tools, and the distinction between the two is very blurred. This distinction currently relies on the operator's intent to distinguish between Title 10 and Title 50 authorities. If the intent is foreign intelligence collection, then a civilian can operate with that Title 50 authority, even if he or she uses a tool that a military member could use to harm an adversary under Title 10 authority. A future conflict involving large scale cyber operations against a comparable adversary will not have the time to wait for lawyers to determine the legality of allowing civilians to harm the enemy with cyber effects. Furthermore, future adversaries will consider civilians who damage their cyber infrastructure, whether intentionally or not, to be enemy combatants and will target them as such and ignore our laws. The legality of this may not hold up in a courtroom, but lawyers' words and promises will not protect these civilian personnel from enemy action.
This DISA/NSA combination brings NSA expertise to bear on DoD information system development and testing. Since the NSA is already adept at foreign signals collection, its expertise in foreign communications intelligence can improve our own information systems. The expertise in the NSA's Information Assurance Directorate (IAD) can easily strengthen DoD's information systems. NSA personnel have considerable expertise and can perform in-depth vulnerability testing on our systems.
The DISA/NSA merger must come with increased authority for the new director, specifically in the ability to certify DoD personnel to operate and maintain information systems, as well as the ability to remove those certifications. It's not enough to continue with the string of empty threats sent in message traffic. Failure to properly maintain certification on information systems is the same as an INSURV or ORSE failure, and until corrected we should not deploy vulnerable, uncertified units into combat. Even in the middle of World War Two, submarines stationed in Australia certified before going on combat patrols. The adversary is delighted to have us deploy uncertified information systems in the name of expediency, and we should do everything in our power to deny them those easy targets.
This new organization also needs expanded acquisition authority, similar to the authority given to Special Operations Command. Our current acquisition pipeline for new system development takes too long to field systems. Our adversaries, such as China, are fielding smaller numbers of units and rapidly upgrading them while our upgrades languish due to mission and requirements creep in an outdated and bloated JCIDS process. The DISA/NSA director should convene a quarterly requirements council with the military services to determine new information systems requirements and the platforms that will receive these upgrades that quarter. The council requires the authority to approve the requirements on the spot through an expansion of either the JUONS or JEONS process. Once the council sets quarterly requirements, DISA/NSA has 90 days to field, test, and install these new systems on the small number of approved platforms.
This repeatable process has several advantages. First, due to the early lockdown of requirements, there is no opportunity for requirements creep. Expansion of information systems requirements can happen, but only at the next quarterly meeting. Second, it establishes a timeline for system upgrades, ensuring timely upgrades to military units. Lastly, by focusing on upgrading only a few platforms at a time, it allows an iterative and incremental approach to system deployment. Instead of attempting sweeping change in a huge ACAT Level I program that will go over budget and underdeliver, the services will receive phased upgrades as technology matures and requirements change. This allows cutting-edge technology to be on the frontlines faster while still maintaining proper oversight.
DISA/NSA will set personnel training and certification requirements that the military services will administer through their type commander or service equivalent. The NSA has done an outstanding job utilizing its Associate Directorate for Education and Training (ADET) to expand cyber training. Not only have they expanded traditional training, but they also regularly utilize distance training technologies to reach trainees in remote sites. ADET can expand to include federated training at fleet concentration areas. DISA/NSA would establish training requirements for new systems in their quarterly requirements meeting so that training curriculums would adequately meet new system needs.
With DISA/NSA's expanded role, the military services could remain focused on kinetic operations. The services can conduct full spectrum warfare in all domains, secure in the knowledge that their information systems will withstand first contact with the enemy. Properly trained and certified personnel will conduct more effective cyber and electronic operations than in the past. With all cyber operations moved to USCYBERCOM, other combatant commanders have one point of contact to incorporate cyber into their CONPLAN and OPLAN development.
DISA has sat for too long on the sidelines while our information systems have languished due to lack of a unified, effective program from the military services. Future warfare will have information systems acting in offensive, defensive and support roles. These roles require both expertly qualified personnel and well-designed and maintained systems. The acquisition, certification and maintenance of information systems and the personnel who operate them, especially when credible adversaries seek every day to exploit them, can no longer be left to amateurs who continue to reject the notion of warfare in the information domain. The Navy learned this lesson with submarine warfare and won a past war in the Pacific. Significant change now will keep our future victory secure.