6 November 2023

Pentagon Plans For Networked Warfare Will Falter Without Better Access Controls

Loren Thompson

The idea is simple: give all U.S. warfighters access to the same high-speed network so they can share vital information and select the optimum response to any threat.

That is the vision behind the Joint All-Domain Command and Control system, universally referred to in military circles as JADC2. It’s an idea that has been kicking around for decades, but now is becoming feasible thanks to the digital revolution.

Feasible in this case means a warfighting network that is rapid, robust and reliable. Oh yes, and secure.

That last item may be the biggest challenge, because once you create a network where all information useful to warfighters is readily available, it is absolutely essential that enemies not gain access.

If they did, it would be like a medieval lord handing barbarians the keys to the kingdom.

There’s no point in pursuing JADC2 unless policymakers are certain they can secure it against unauthorized intrusions.

That brings me to ICAM—the acronym for identity, credential and access management tools. Every military network has some mechanism for trying to keep out malicious actors.

However, the mechanisms vary from network to network. As the Pentagon’s current ICAM strategy warns, “The distribution of authentication decisions across thousands of applications hosted by DoD and commercial cloud vendors makes it virtually impossible for the United States Cyber Command (USCC) to adequately identify malicious cross platform activity or identity fraud.”

We know the existing ICAM protections don’t work perfectly, because of the frequency with which sensitive data is leaked or stolen.

As long as the military’s network architecture is fragmented, there is a limit to what nefarious actors can accomplish. But once everybody is on the same network, the danger from intrusions is unlimited.

The Pentagon requires a rigorous, department-wide ICAM solution that goes beyond the prevailing approach of creating checkpoints at the perimeter of the network. It needs a mechanism that continuously verifies the credentials of any user in the system, calibrated to the mission and level of classification where each user is operating.

The department’s present ICAM strategy provides a vision of what is needed: “A secure trusted environment where people and non-person entities can securely access all authorized resources based on mission need, and where we know who and what is on our networks at any time.”

Assuring fast access to secure data is especially critical at what warfighters describe as the “tactical edge”—in other words, places where combat is possible or already underway.

Without access to the best information at the fastest pace possible from all available sources, many lives may be lost. But lives can also be lost if adversaries are able to access the same data flows.

General Dynamics Information Technology recently collaborated with Fortinex in conducting the first exercise demonstrating how a rigorous ICAM system can operate at the tactical edge.

GDIT holds a contract from the Defense Information Systems Agency to devise a department-wide ICAM system. Its parent company contributes to my think tank.

The Senate Armed Services Committee, in its proposed version of the National Defense Authorization Act for 2024, calls on the defense department to make ICAM a program of record, formalizing its status as an investment priority.

In the committee’s words, “An enterprise-wide ICAM capability is a critical and pressing need for the Department of Defense (DOD) not only for cybersecurity, but also for managing complex multi-domain military operations involving information and systems classified at multiple levels.”

That pretty much captures what JADC2 is all about, and creating such a joint warfighting network is the centerpiece of Pentagon modernization plans.

However, progress on implementing the network within the department is uneven at best. For instance, the Biden administration canceled plans for a single joint cloud computing system, and instead parceled out pieces between four tech companies.

It had sound reasons for doing so, but buying four clouds from four vendors is going to increase the challenge of securing the overall network. Hence the Armed Services Committee’s call for a program of record that can assure identity, credentialing and access management receive proper priority in modernization plans.

The bottom line on all of this is that if the military can’t assure the security of its joint warfighting network in future conflicts, the network could become an enemy of success rather than an enabler of victory.

That has to begin by continuously monitoring all users of the network, in what planners like to call a “zero-trust” information environment.

As President Reagan liked to say of arms control agreements, ‘trust but verify.’ Our warfighters need to be certain the enemy isn’t sharing their most sensitive information.

Disclosure: General Dynamics, which has developed a department-wide ICAM system, contributes to my think tank—the Lexington Institute.
