Navy, Marine Networks To Move To JIE; Security Doubts Persist

UPDATED with Adm. Richardson & Branch comments ARLINGTON: The Navy and Marines have agreed to follow the Army and Air Force into the Joint Information Environment — but the sea services have security and other concerns. Will networks connected to JIE really be more secure? Can JIE really serve frontline warfighters as well as rear-area administrators? The answers are “probably” and “maybe.”

[UPDATE] Historically the Navy has resisted inter-service centralization since before there was a Defense Department, but this morning the Chief of Naval Operations made clear this morning that the service is on board with JIE, at least in general terms. “At the end of the day we all have to be communicating across the joint force with a common set of standards, a common set of systems,” Adm. Jonathan Richardson told me after his remarks to the annual Sea-Air-Space conference. “At least the data standards have to be common, otherwise we’re just not going to be able to talk.”

In the near term, though, the sea services are taking it slowly, keeping most of their networks behind their own Navy-Marine Corps Intranet (NMCI). Only about 53 so-called “excepted” networks — those not currently part of NMCI — are currently moving over to the JIE’s new Joint Regional Security Stack (JRSS) architecture.

“No one can argue the goodness of the Joint Information Environment,” said Vice Adm. Ted Branch, who’s Richardson’s Deputy Chief of Naval Operations for Information Warfare (N2/N6). “It talks about things like identity and access management, data center consolidation, network and application rationalization, all things that make good sense. (We) continue to be a strong proponent of JIE and will be.”

That said, “because of our Navy-Marine Corps Internet that we’ve had since the early 2000s, (the Navy) was out in front…of the Army and the Air Force,” Branch continued. “We already had very good network and boundary level protections, similar (to the) kinds of things that JRSS will provide.”

“I don’t think anybody really wants us to go backwards,” added Vice Adm. Jan Tighe the head of Fleet Cyber Command who’s tapped as Branch’s successor. “What we don’t want to do is [go] ‘okay, we’re all in on the JIE and JRSS, but now we have less capability than we had yesterday,” she said in a briefing at Sea-Air-Space. The Navy will move over “when the JIE and JRSS bring more capability than we have today…That’s still a little bit undetermined.”

So the service sees no urgency to move networks from NMCI to a joint system that doesn’t offer improved security, not yet. “What the Navy’s position has been and continues to be, we will jump into the JRSS, jump onto that bandwagon, when it matures to the point where it’s an additive protection to what we have now,” Branch told me at Sea-Air-Space. The Navy will recompete its NMCI contract in 2018, he said, and then NMCI “will roll onto JRSS 2.0 when 2.0 is ready, (around) ’18, ’19.”

Can the Navy offer any date-certain on that move? Tighe and Branch consulted briefly before replying: Nope.[UPDATE ENDS]

 

Eggs In One Basket

Security is the crucial question. In many ways, JIE brings to mind the old adage about putting all your eggs in one basket and then ­watching the basket like a mother hawk. Instead of the current countless incompatible and unconnected networks, JIE seeks to consolidate many networks into few and standardize them so they can connect better — and so cybersecurity teams can keep a better eye on them. A smaller number of networks using common standards should make it easier to patch vulnerabilities and monitor for intrusions.

But, as the Navy’s deputy chief information officer, Janice Haith, pointed out at an AFCEA panel Wednesday, consolidation creates its own kind of vulnerability: If someone does break in, they might get everything. Even as we merge many data centers and databases into few, Haith said, “we don’t want another OPM breach.”

Then there’s the tactical anxiety. “”How do I survive when I’m forward and I’m segregated from the network?” asked Brig. Gen. Dennis Crall, the Marine Corps CIO. “There’s a spot where JIE ends, [and] we’re responsible for that tactical edge — all the services are.”

Both troops deployed in warzones and functionaries back at US bases need security against cyber attacks and espionage. But the frontline units have to handle many more problems besides, from fluctuating (“dirty“) power supplies to extreme weather, frequent moves and maneuvers, and — given the sad lack of landlines on the battlefield — a reliance on wireless radio-frequency (RF) networks that be disrupted by natural phenomena, friendly ineptitude, or enemy jamming. Troops need enough data and applications on their own devices, be they handheld or aircraft avionics, that they can lose the network and still carry out the mission, said Crall.

The Army, which has led the way on JIE, is well aware of the tactical connectivity problem, said Gary Wang, the service’s deputy CIO. “The forward-deployed folks, they are RF-driven, they’re satellite terminal-driven, and then [at the] base, camp, post, and station, we’re IP terrestrial driven… but the idea is to make sure that those two pieces play together,” Wang told me after the AFCEA panel. “The idea is to make sure those work in concert with each other and that there’s a security architecture that supports both.”

The big picture goal, Wang said, is “one Army network” that allows “home station mission command,” whereby forward forces can access all the Army’s information worldwide. That allows deploying units to leave significant portions of their headquarters staff at home, streamlining deployments.

That’s not easy, I noted. “No,” Wang said, “it’s not.”

To achieve this great convergence of the tactical and the administrative, the Army CIO/G-6 (signals) office works closely with the service’s Program Executive Offices handling tactical wireless networks — PEO-C3T — and home-station fiber optic networks — PEO-EIS. One example of these efforts is moving the whole Army to Windows 10, updating everything from a civilian bureaucrat’s desktop to a soldier’s Android-based tactical device. The new operating system will be more secure. But if the two sides of the Army moved to 10 on different schedules, Wang said, the compatibility problems would make it hard for them to connect.

In some areas the tactical and administrative worlds have already converged, Wang added, such as identification standards. “Everybody has a CAC [Common Access Card], everybody has two-factor authentication,” he said.

Then there are still other areas where the different parts of the Defense Department should never converge. JIE is not a single homogenous mega-network but a set of standards and programs meant to connect different networks better, while letting each network keep the unique features its users need.

 

Not One Network To Rule Them All

“Many people think it’s a program of record….It is not: it’s a series of initiatives,” from cloud services to cybersecurity improvements to international information-sharing, said David Cotton, deputy CIO for the whole Department of Defense. “It’s not one thing, one program, which has one funding line and one contract. It’s all these things we weave together.”

“There’s a fundamental misconception that people have about what JIE means to the Department of Defense. It’s not about moving to one system and it’s certainly not about moving to one database,” said former Navy CIO David Wennergren. Instead, the idea is bringing disparate networks under common “standards and ways of doing business that will improve both security and access to information — which is very different from saying everything rides on the same system.”

Because JIE is not a single, homogenous system, it should accommodate different networks tailored to different needs. As long as they meet the common standards set by JIE, different networks can still be optimized for, say, a soldier on a weak wireless connection in a foxhole, a pilot in a cockpit, a mechanic back at base, or an official in a Pentagon office.

JIE’s nature as a federation of different networks, rather than a single mega-network, also helps prevent the “all your eggs in one basket” problem. If a hacker slips through the Joint Regional Security Stacks (JRSS) that act as super-firewalls between JIE and the wider internet, they don’t hit a single OPM-style mother lode, but rather a whole array of specialized networks. The difference from the bad old days of fractured networks is that these individual networks can share cybersecurity data much better, allowing their defenders to compare notes, see patterns, and stop infections earlier.

So here’s the $64 billion question: Does consolidating networks under JIE make them more or less vulnerable than the old patchwork? Wennergren, now with the Professional Services Council, argued that the pre-JIE chaos of incompatible networks didn’t make things that much harder for the hackers, because they just went for the weakest link in the chain.

“If you were an attacker you could just … wander around until you found the most porous place,” said Wennergren. Then you’d steal some legitimate user’s credentials and use that to wriggle into the next network. What’s more, because the networks didn’t connect or share cybersecurity data well, it was easy to infect one after another without anyone comparing notes and realizing you were there. Said Wennergren, “it’s hard to protect and defend if you don’t have good visibility of your assets and your network.”

The goal for JIE is to tear down the barriers blocking that visibility — without bulldozing the unique features that individual networks need to serve their disparate users.