Sydney J. Freedberg Jr. graphic from DoD data

Breaking Defense graphic from Defense Department data

WASHINGTON: The Defense Department has increased its capacity for remote email access, videoteleconferencing, and conference calls “upwards of ten times” in the weeks since it instituted social distancing, Pentagon CIO Dana Deasy told reporters this morning.

That’s a staggering feat for a bureaucracy infamous for slow and painful procurements, especially of information technology.

“The previous pace was one to two years from planning to implementation,” said Air Force Lt. Gen. Bradford Shwedo, CIO of the Joint Staff. “Now these upgrades are happening and completing in days to weeks.”

And these expanded capabilities won’t evaporate when life finally returns to normal.

“We are creating a much more robust, enhanced telework capability, [in terms of] the quantity, the types of services, the collaboration tools, etc.,” Deasy said. “There will be some permanency to what we have here.”

“We’re not just procuring laptops and other devices,” Shwedo said. “To enable all these capabilities, we had to do a lot of backend work….That doesn’t go away, and this is going to be a force multiplier for the future.”

Deasy and Shwedo rattled off a host of statistics for specific increases by different armed services and defense agencies across the department. We’ve summarized some of them in the chart above. But it’s impossible to calculate the growth percentage for something that starts from nothing (you can’t divide by zero), which is the case for some brand-new IT the Pentagon has created since the start of the crisis.

The most dramatic example is a new cloud-based telework system called the Commercial Virtual Remote (CVR) Environment  — commercial meaning it uses off-the-shelf IT from the open market instead of tech custom-built to military specifications at great expense. (CVR is a separate effort from the much-delayed JEDI cloud computing contract).

CVR began its rollout March 27th. As of this morning – 17 days later – DoD has activated over 900,000 user accounts. Now, only a fraction of those accounts are actually being used so far: some 78,000-plus users have actually logged in. But that’s still growth from nothing three weeks ago to the equivalent of 20 full-strength Army combat brigades or the crews of 13 aircraft carriers. (Protip: The US only has 11 carriers, two of them now impaired by COVID-19).

For its part, the Air Force – the most tech-savvy service – has fielded a new system called Enterprise User Remote Access Management (EURAM), which is on track to go from zero users to over 200,000 by the end of the month. The Army has also created ad hoc networks from scratch for field hospitals and the hospital ship Comfort so they can connect to local health authorities.

Of course, a huge increase in novice users on hastily set-up systems comes with a corresponding risk of cyber attacks. “As always, we require that the workforce only use DoD-approved platforms, for security reasons,” Deasy said this morning, pointing personnel towards the official reference at public.cyber.mil. But he and Shwedo wouldn’t discuss any details or statistics of hacking attempts, saying they didn’t want to give adversaries any insight into what the Pentagon knew or how it might respond.

To that point, Congress’s Government Accountability Office released a new report later in the day on DoD’s “cyber hygiene” shortfalls. The Defense Department is years behind implementing its own security plans, GAO warned:

  • 11 “culture and compliance” initiatives were supposed to be completed by 2016, from training and exercises to new legal authorities. Four years later, GAO said, “seven of these tasks have not been fully implemented.”
  • 10 “cyber discipline” tasks assigned to the DoD CIO were supposed to be 90 percent implemented by the end of 2018. (That’s well before Deasy took the job). Instead, four tasks have definitely “not been implemented,” GAO said, while the status of the seven others is “unknown because no DOD entity has been designated to report on the progress.”
  • “Cyber awareness” training is being instituted with little tracking or accountability of who’s actually completed it. In a GAO review of 16 DoD component organizations, six couldn’t report on which users had not completed the required training.

A DoD factsheet summarizing this morning’s press conference follows below:

Deasy-Shwedo Opening Remarks NUMBERS COMPARISON by BreakingDefense on Scribd