Monday, June 16, 2014

USNI Essay Number 2

I sent two essays to USNI. The second one is below, which covers my thoughts on what DISA's role should be in the Joint Information Environment.

The reality is the network structure of today reflects a different time and a different place...that's why JIE, the Joint Information Environment, is so critical in the future for us. We have got to get to a defensible architecture.
- ADM Michael Rogers, during his Senate confirmation hearing

  The Department of Defense needs to completely rethink the roles that the Defense Information Systems Agency (DISA), National Security Agency (NSA), U.S. Cyber Command (USCYBERCOM) and the military services currently occupy concerning the acquisition, maintenance, upgrade, certification and employment of information systems and the personnel who operate these systems in the Joint Information Environment.  The current setup reflects a now-ancient view of information systems as simply supporting warfighting capability, and this setup makes us vulnerable to our future adversaries.  Offensive cyber and electronic attack capabilities require their own specialized tactics and trained operators to be effective.  Even purely supporting information systems, if lost, can cripple the decision making of a commander.  Our view of information systems must completely shift, similar to how we viewed submarine warfare before and after World War Two.

Historical context

  When the USS Holland launched in 1897, John Holland likely had no idea that in fewer than 100 years submarines would be primarily responsible for bringing Japan to its knees in World War Two, fighting the Cold War against the Russians and ultimately keeping our nation safe from nuclear holocaust.  Submarines initially filled scouting roles in the US Navy, always subordinated to Battleships and Aircraft Carriers.  It was only out of desperation that the Navy began to allow submarines a wider role and, after the successes of World War Two, submarines retained their fairly independent role in Naval Warfare.

  Information systems occupy the pre-World War Two position submarines once did.  The Navy, in particular, continues to view information systems and warfighting in the information domain as a supporting function.  Much like the submarine, the current view is that information systems exist solely to support "real" warfighting in the maritime domain.  This is particularly reflected in the Navy's choice of manning, where URL officers continue to fill billets in areas like ISR and IT that are better suited for Information Dominance Corps (IDC) officers.

  Just like the Japanese did with submarine warfare, the Navy is playing a dangerous game with this thinking.  The US Navy completely changed submarine tactics and brought the Japanese warfighting machine to a grinding halt, while the Japanese continued to use submarines only in supporting roles, mainly to covertly resupply trapped army units.  US Submarines destroyed the Japanese ability to supply its Army and rebuild its Navy and Air Force, to the point where they actively looked at building wooden aircraft due to lack of metal parts.

  Like submarines, cyber weapons can achieve similar effects against our enemies.  Electrical power plants, communications relays and manufacturing plants are all just as vulnerable to cyber attacks as they are to kinetic weapons.  A cyber attack on a nation could bring about the same effects, and it could happen against our nation.  Most complicated manufacturing equipment uses cyber interfaces, such as SCADA, and cannot operate successfully without them.  Electrical production could cease for large portions of a country, with effects much worse than the power outage that hit the Northeastern United States in 2003.  With over half of all Americans not owning a home phone, a cyber attack on cellular infrastructure would cripple communications throughout an affected region.  Given the severity, we need to act now to change how we think of cyber.

The role of the NSA, DISA and US Cyber Command

  The military services have already proven they do not take cyber warfare seriously.  Network patches and security violations remain low on the services' priorities, despite the serious vulnerabilities these violations open in our information systems.  Sadly, too many top officers continue to pay lip service to cyber while openly deriding their own lack of knowledge.  The low priority and mocking tone emanating from these officers serve as an impediment to building a truly defensible cyber infrastructure.  The United States remains too vulnerable to cyber attacks to continue to allow the military services to independently field their own information systems and cyber personnel.

  The role of DISA in protecting the Joint Information Environment needs to resemble how the US Navy set up Naval Reactors.  President Ronald Reagan signed Executive Order 12344 in 1982 to unify control over the design and operation of nuclear power plants and the certification and training of the personnel who operate them.  Naval Reactors is an expert organization, headed by a four-star admiral, that exerts considerable control over nuclear personnel and has prevented significant nuclear accidents among the US Navy's nuclear reactors, unlike their counterparts in the Russian Navy.

  DISA currently exists under the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (C3I).  This is too far down in the chain of command to get the proper attention needed for protecting and certifying information systems.  Currently, DISA cannot command the military services to take vulnerable systems off the Global Information Grid (GIG), while Naval Reactors can shut down the reactor on a submarine that fails an Operational Reactor Safeguards Exam (ORSE), which essentially ties it to the pier until its personnel recertify.  This control has kept our reactors safe and ensures a high standard among nuclear trained personnel.

  The President should elevate the DISA director to a four-star position under the Secretary of Defense through an executive order similar to 12344.  This executive order should give DISA broad power over both the design and acquisition of information systems as well as the training and certification of personnel that operate those systems.  It could be written like this:

Within the Department of Defense, the Secretary of Defense shall assign to the director responsibility to supervise all technical aspects of the Joint Information Environment, including:

(a) research, development, design, procurement, specification, construction, inspection, installation, certification, testing, overhaul, operating practices and procedures, maintenance, supply support, and ultimate disposition, of defense information systems, including components thereof, and any special maintenance and service facilities related thereto; and

(b) training programs and assistance and concurrence in the selection, training, qualification, and assignment of personnel reporting to the director and of Government personnel who supervise, operate, or maintain Department of Defense information systems.

  With DISA's elevated stature, we should reexamine the roles of the NSA and USCYBERCOM.  The director position of the NSA should be severed from USCYBERCOM and linked to DISA instead.  NSA, like DISA, is a combat support agency.  The war on terror and the rapid expansion of cyber, however, have blurred the lines of authority, and the NSA has inappropriately taken a bigger role in cyber to fill the vacuum left by the services' lack of interest.

  NSA cyber operations need to move to USCYBERCOM.  Computer network exploitation and computer network attack utilize many of the same tools, and the distinction between the two is very blurred.  This distinction currently relies on the operator's intent to distinguish between Title 10 and Title 50 authorities.  If the intent is foreign intelligence collection, then a civilian can operate with that Title 50 authority, even if he or she uses a tool that a military member could use to harm an adversary under Title 10 authority.  A future conflict involving large scale cyber operations against an equally capable adversary will not have the time to wait for lawyers to determine the legality of allowing civilians to harm the enemy with cyber effects.  Furthermore, future adversaries will consider civilians who damage their cyber infrastructure, whether intentionally or not, to be enemy combatants and will target them as such and ignore our laws.  The legality of this may not hold up in a courtroom, but lawyers' words and promises will not protect these civilian personnel from enemy action.

  This DISA/NSA combination brings NSA expertise to bear on DoD information system development and testing.  Since the NSA is already adept at foreign signals collection, its expertise in foreign communications intelligence can improve our own information systems.  The expertise in the NSA's Information Assurance Directorate (IAD) can easily strengthen DoD's information systems.  NSA personnel have considerable expertise and can perform in-depth vulnerability testing on our systems.

  The DISA/NSA merger must come with increased authority for the new director, specifically in the ability to certify DoD personnel to operate and maintain information systems, as well as the ability to remove those certifications.  It's not enough to continue with the string of empty threats sent in message traffic.  Failure to properly maintain certification on information systems is the same as an INSURV or ORSE failure, and until corrected we should not deploy vulnerable, uncertified units into combat.  Even in the middle of World War Two, submarines stationed in Australia certified before going on combat patrols.  The adversary is delighted to have us deploy uncertified information systems in the name of expediency, and we should do everything in our power to deny them those easy targets.

  This new organization also needs expanded acquisition authority, similar to the authority given to Special Operations Command.  Our current acquisition pipeline for new system development takes too long to field systems.  Our adversaries, such as China, are fielding smaller numbers of units and rapidly upgrading them while our upgrades languish due to mission and requirements creep in an outdated and bloated JCIDS process.  The DISA/NSA director should convene a quarterly requirements council with the military services to determine new information systems requirements and the platforms that will receive these upgrades that quarter.  The council requires the authority to approve the requirements on the spot through an expansion of either the JUONS or JEONS process.  Once the council sets quarterly requirements, DISA/NSA has 90 days to field, test, and install these new systems on the small number of approved platforms.

  This repeatable process has several advantages.  First, due to the early lockdown of requirements, there is no opportunity for requirements creep.  Expansion of information systems requirements can happen, but only at the next quarterly meeting.  Second, it establishes a timeline for system upgrades, ensuring timely upgrades to military units.  Lastly, by focusing on upgrading only a few platforms at a time, it allows an iterative and incremental approach to system deployment.  Instead of attempting sweeping change in a huge ACAT Level I program that will go over budget and underdeliver, the services will receive phased upgrades as technology matures and requirements change.  This allows cutting-edge technology to be on the frontlines faster while still maintaining proper oversight.

  DISA/NSA will set personnel training and certification requirements that the military services will administer through their type commander or service equivalent.  The NSA has done an outstanding job utilizing its Associate Directorate for Education and Training (ADET) to expand cyber training.  Not only have they expanded traditional training, but they also regularly utilize distance training technologies to reach trainees in remote sites.  ADET can expand to include federated training at fleet concentration areas.  DISA/NSA would establish training requirements for new systems in their quarterly requirements meeting so that training curriculums would adequately meet new system needs.

  With DISA/NSA's expanded role, the military services could remain focused on kinetic operations.  The services can conduct full spectrum warfare in all domains, secure in the knowledge that their information systems will withstand first contact with the enemy.  Properly trained and certified personnel will conduct more effective cyber and electronic operations than in the past.  With all cyber operations moved to USCYBERCOM, other combatant commanders have one point of contact to incorporate cyber into their CONPLAN and OPLAN development.

  DISA has sat for too long on the sidelines while our information systems have languished due to lack of a unified, effective program from the military services.  Future warfare will have information systems acting in offensive, defensive and support roles.  These roles require both expertly qualified personnel and well-designed and maintained systems.  The acquisition, certification and maintenance of information systems and the personnel who operate them, especially when credible adversaries seek every day to exploit them, can no longer be left to amateurs who continue to reject the notion of warfare in the information domain.  The Navy learned this lesson with submarine warfare and won a past war in the Pacific.  Significant change now will keep our future victory secure.