JIE: How DOD is building a bigger network that's also a smaller target
The Joint Regional Security Stacks add speed to the interservice network while reducing its cyber attack surface.
Faced with growing and more sophisticated cyber threats to U.S. military networks, Defense Department officials openly acknowledge that in its current state DOD’s legacy information architecture is not in a strongly defensible position. When it comes to defending DOD networks, they point to capability gaps in dealing with increasingly menacing cyber threats that have left their systems at risk from attack.
In January, DOD’s Director of Operational Test and Evaluation, Michael Gilmore, released his fiscal year 2014 review of more than 40 defense systems which found “exploitable cyber vulnerabilities” on military networks, including unnecessary network services or system functions, as well as misconfigured, unpatched, or outdated software, and weak passwords. “Any electronic data exchange, however brief, provides an opportunity for a determined and skilled cyber adversary to monitor, interrupt, or damage information and combat systems,” Gilmore warns in his report.
Adding fuel to the fire, that same month the Twitter and YouTube accounts for U.S. Central Command were hacked by ISIS sympathizers in what the command downplayed as merely a “case of cybervandalism.” While no classified information was obtained and no military networks were compromised, according to the command, industry analysts argue that, because the U.S. military depends on commercial networks, even a robust DOD cyber defense could ultimately be threatened by a weak link outside its domain, with potentially damaging impacts to its operations.
“DOD is not immune to any of those threats, so we need to shrink the attack surface that we have,” said Vanessa Hallihan, DOD’s deputy CIO for cybersecurity, who points to the military’s Joint Regional Security Stacks (JRSS) initiative as a critical effort to consolidate its security posture across its infrastructure, giving adversaries less surface area to attack. “We’re able to do that via the JRSS by consolidating several disparate internal networks for both classified and unclassified.”
DOD’s attack surface decreases as fewer access points, vulnerabilities and exploits are available to its adversaries. Through JRSS, DOD estimates that it will shrink its overall attack surface by reducing the need for security enclaves at more than 1,000 existing network access points and replacing them with regional security stacks at 50 global ingress locations.
“When you look at the DOD enterprise today, there’s lots of different potential entry points, attack points,” said Brad Medairy, senior vice president in Booz Allen Hamilton’s Strategic Innovation Group. “Moving in this direction is going to reduce the overall attack surface and provide better control points in terms of access to the enterprise.”
Security in the JIE
JRSS is envisioned as bringing together cyber defense in an integrated architecture for the department to align with the Joint Information Environment (JIE), a secure, interoperable cloud computing environment that accommodates all of the military services, DOD components and allied forces. In fact, a goal of JIE is to improve the exchange of information, both unclassified and classified, with coalition partners.
The JIE concept is for a shared infrastructure, enterprise services and a single security architecture designed to improve mission effectiveness, increase cybersecurity and realize IT efficiencies. JRSS is a major component of JIE’s single security architecture (SSA), which provides for a common approach to the structure and defense of computing and networks across all military organizations.
“We want to produce a standard network security architecture” and the JRSS “addresses the immediate needs that we have for the department in defending the cyber warfighting domain to resolve some critical gaps that we have right now,” Hallihan said. “Each one of the services has had in some cases their own really good architectures. But we need to have a better standardized approach for greater visibility and for command and control.”
A specialist works on a server rack during JRSS installation at Joint Base San Antonio, the first U.S. base to go operational with it.
Although many of DOD's cybersecurity initiatives are currently common across all military organizations, under the legacy information architecture each service has had the ability to make important decisions about how to design its networks and how to structure their respective cyber defenses. This disjointed approach to cybersecurity has led to major challenges as a result of varying levels of cyber protection.
“When you look today across the DOD enterprise, without standardization every combatant command, service and agency is left to make decisions for themselves,” leading to “one-off or point solutions,” said Booz Allen Hamilton’s Medairy. However, standardizing a set of core infrastructure components that provide common security capabilities, he believes, will help the U.S. military achieve transparency across its networks and to rapidly respond to emerging cyber threats. “Through this centralized architecture and through these regional security stacks, the Department of Defense is going to be more agile and nimble in rolling out new and innovative capabilities in a much faster way than they could in the past.”
According to Hallihan, the "end-to-end" cybersecurity approach of JRSS will significantly improve DOD's ability to defend against cyberattacks. In addition, she believes that through standardization and data sharing, the military will have broader visibility into its networks and will be able to much more quickly construct and execute defensive actions.
“In order to respond to these ever-increasing and sophisticated threats, we need to have a better global synchronized network operations response to those threats,” Hallihan said. “This architecture really allows us to accelerate the standardization of command and control, and it also enables us to be globally synchronized from a network operations perspective.”
Working with defense enterprise operations centers to manage user access, JRSS will provide the ability to see what is going on inside the networks. Cyber operators at every level will be able to see the status of the networks for operations and security. This enhanced situational awareness in cyberspace is meant to better synchronize cyber responses, maximize operational efficiencies, and reduce risk.
Making the switch
Dave Cotton, DOD’s acting deputy CIO for information enterprise, who is responsible for providing the leadership, strategy, and guidance for JIE, said that the JRSS foundational layer includes network standardization and optimization across DOD networks, such as increasing bandwidth capabilities where necessary and switching upgrades through Multi-Protocol Label Switching (MPLS) technology.
MPLS, which enables higher bandwidth/throughput and faster routing capabilities, allows the department to “stop leasing circuits and get away from the legacy-based circuits to a more IP-based infrastructure,” he said. “That provides the foundation then to put the security component in place.” MPLS routers are an industry standard for speeding and managing network traffic flow. JRSS is prompting a massive effort to expand capacity and increase throughput across Army and Air Force bases with MPLS upgrades to the network backbone that will increase the bandwidth to 100 gigabytes per second.
According to Cotton, MPLS also enables DOD to route and secure network traffic for a specific mission instead of just for a particular location, resulting in more focused and coherent command and control for missions. Unlike the one-size-fits-all networks that DOD currently operates, he says the JIE will provide operational commanders more freedom to take cybersecurity risks with the networks since the risks can be contained to the decision support and systems specifically needed for that mission. This is a significant change from today's DOD networks which impose more operational constraints on commanders.
The risk containment zones the SSA defines in the server computing and the network will enable joint commanders to better contain cyber risks assumed by a particular mission from spilling over into other missions, while sharing as broadly with external partners as a mission requires, Cotton said. In addition, users and systems will be able to trust their connection with the assurance that the information and systems involved in a mission are correct and working even during a cyberattack.
Based on a single DOD-wide IT architecture and key enabling enterprise services, JIE is “a more secure, defendable, responsible, and more command and controllable, integrated network for the Department of Defense information exchange environment,” Cotton said. The idea is to bring together all the capabilities that will enable “a more coherent, more secure, interoperable and less costly capability”—efficiencies that will be achieved through economies of scale and eliminating duplication. A big part of that is cloud computing, which is a critical component of the JIE and DOD’s IT modernization efforts.
Plans for JIE include consolidating applications and data, which historically have been segregated by military services and agencies, into centralized data centers at the regional or global level. That will significantly reduce the current number of DOD data centers. While JIE is not a program of record, it is being managed by the Office of the DOD Chief Information Officer, with the Defense Information Systems Agency (DISA) as the principal integrator for services and testing.
Installing, Evaluating JRSS
Installation of the first MPLS and JRSS capabilities, which include an integrated suite of network and defensive hardware and software, has begun both in the continental United States and in Europe. Installation is complete at 11 JRSS sites in the United States, with full implementation to follow in phases, and JRSS installation in Europe is also complete. Three more JRSS sites are planned for completion in the third quarter of fiscal year 2015 in Southwest Asia.
In September 2014, a JRSS installation at Joint Base San Antonio in Texas was the first site to successfully reach initial operating capacity, supporting both Army and Air Force network operations. In the case of JBSA, its attack surface was reduced by one third.
JBSA was the first of 25 DOD Non-secure Internet Protocol Router Network (NIPRNet) data sites to host the suite of JRSS equipment, which performs firewall functions, intrusion detection and prevention, enterprise management, virtual routing and forwarding, and provides a host of network security capabilities. In addition, 25 DOD Secret Internet Protocol Router Network (SIPRNet) data sites will be implemented into the same locations. JBSA was selected as the first JRSS site because it provided “a rich, multi-service dimensional activity” in CONUS, according to Cotton.
Currently, DOD is developing and refining JRSS tactics, techniques and procedures for migration to other military sites and installations. In December, acting DOD CIO Terry Halvorsen said testing of JRSS at JBSA and in Europe demonstrated that “our architecture connection plan appears to be sound,” paving the way for deployment of the initial components. An additional theater of interest is the Pacific.
“We hope to have a robust capability through fiscal year 2017 and that brings in primarily the Army and the Air Force,” said Cotton, adding that the Navy and Marine Corps will start to migrate to JRSS in 2017. “We have JRSS today but as it moves forward I’m sure it will morph as technology and the threat environment changes, as part of the department’s recurring focus and review.”
Chris Kearns, director of DISA programs for Lockheed Martin, said the installation at JBSA is considered Version 1.0 of JRSS. Lockheed’s Information Systems and Global Solutions is the prime contractor for the Global Information Grid Systems Management-Operations contract, under which JRSS work is being performed.
Versions 1.5 and 2.0 of JRSS have yet to be defined and will address the differences between the Army, Air Force, Navy and Marine Corps, according to Kearns, who believes the Navy and Marines will skip Version 1.5, which is currently in the planning phase. “They definitely are evolving this. It’s not a set thing,” he said.
Another area that is up in the air is testing. As DOT&E’s FY14 report points out, DISA and the services have not conducted any operational testing of the JIE infrastructure or components. In addition, the operational parameters required for DOT&E to review and evaluate JIE are still under development by U.S. Cyber Command. However, DOT&E says it is working with the DISA Test and Evaluation Office to plan for an early operational assessment of JIE in FY15.
“The availability of test sites for JIE and component tests are limited and advanced planning for future tests is not fully matured,” states the report. “To date, testing focuses on system functionality and DISA has not yet scheduled full cybersecurity testing.”