24 December 2020

Biden Defense Team Needs To Speed Consolidation Of Pentagon’s Vulnerable Cloud Architecture

Loren Thompson

As Washington struggles to cope with the latest “unprecedented” penetration of sensitive networks, it’s hard to escape the feeling that the federal government’s cyber problems are at least partly self-inflicted.

Despite pouring billions of dollars into cybersecurity and talking incessantly about the challenge, the government’s adoption of secure, resilient information systems is quite uneven.

The Pentagon is a case in point, because it outspends every other federal department on computer and data systems, and yet operates an information architecture with more seams than the First Lady’s wedding dress.

Seams in this instance means gaps that can be exploited by foreign operatives to unravel system security or functionality.


In 2018 the defense department published a strategy calling for migration of the current, balkanized infrastructure to a cloud system in which data could be handled more flexibly and securely.

This was not a conceptual breakthrough. The commercial sector has been shifting to cloud computing since Amazon created its web services unit in 2006.

The basic idea is to rely on third-party providers to supply on-demand information services rather than maintaining in-house data centers that often can’t keep up with the latest standards in productivity and protection.

So here we are, two years later, and where does the Pentagon stand? Its premier cloud initiative, the Joint Enterprise Defense Infrastructure (or JEDI) program, has been tied up in legal wrangling for over a year. Meanwhile, various defense organizations are operating, according to Sydney Freedberg of Breaking Defense, over 500 separate cloud systems.

This is not the way cloud computing is supposed to work. At least, not in the Pentagon’s plan.

The goal is to maximize functionality and security while minimizing costs by pooling information services in a consolidated, enterprise-wide resource.

The Pentagon already had such a system, called milCloud 2.0, and JEDI was supposed to be the next step. A separate cloud for office applications such as email, called DEOS, recently escaped from its own 14-month round of protests and reviews.

But it isn’t enough to award enterprise computing contracts to competent providers. Defense organizations actually have to use them. And in the case of cloud computing, they don’t seem to be doing that.

Rather than migrating to milCloud, back-office organizations in the defense bureaucracy have sought to stick with narrow-gauge, preexisting clouds that can’t possibly provide the efficiency or protection of an overarching architecture.

That wastes huge amounts of money that should be finding its way to warfighters for more pressing needs. But it also presents a significant security threat, because when so many small-to-medium-size clouds are being sustained by so many disparate organizations, the opportunities for penetration and exploitation by outsiders are multiplied manifold.

In other words, the Pentagon’s existing cloud architecture is a catastrophe waiting to happen. It keeps the military locked into an antiquated infrastructure supporting tens of thousands of servers at a time when defense budgets are likely to plateau, and fragments efforts to provide a decent level of security across the entire enterprise.

The Pentagon’s cloud strategy was supposed to fix this system, but it has been slow going, in part because policymakers have not pressed users to migrate to the enterprise-wide milCloud.

I should note that milCloud is operated by General Dynamics Information Technology, whose parent company contributes to my think tank. Several other contributors have an interest in various facets of this business.

But this isn’t about who provides a suitable cloud for military purposes, it’s about whether the Pentagon is going to implement an information upgrade critical to future warfighters.

As the defense department’s interim guidance on cloud strategy stated in April of this year, “DoD Components should begin to reduce the number of cloud contracts through consolidation under broader enterprise contracts.”

Whether that happens through migration to GD’s milCloud or to a JEDI architecture operated by Microsoft and/or Amazon is immaterial. The point is, it has to happen to bring the computing and data resources of the joint force up to a reasonable level of affordability and performance.

Systems like milCloud are constantly evolving as new features are added in response to military requirements. However, it hardly matters if vast swaths of the defense community remain mired in legacy clouds that waste money and are potentially subject to intrusion.

Since milCloud is the only enterprise-wide cloud currently available to defense users, the incoming Biden team should be pushing the department to speed migration there. The system offers high reliability (99.9% availability) and an added increment of security beyond purely commercial clouds.

This is one area where the Biden administration can enhance every facet of information-systems utilization without spending any additional money. In fact, it will save billions of dollars in the long run by accelerating the shutdown of redundant data centers.

All the Biden team has to do is mandate a migration of users to better technology, which is what the Trump administration said it would do, but then failed to follow through on. As defense challenges go, this is an easy fix because the solution is already in place.
