SVG
Commentary
91 Institute

The Security and Resilience of the DOD’s Cloud-based Architecture

The ability to store, process, protect, and distribute data is at the heart of modern U.S. and allied defense networks. Under its Joint Enterprise Defense Infrastructure initiative, or JEDI, the U.S. Department of Defense (DoD) has been making significant strides in shaping its path toward the adoption of a cloud-based IT architecture to replace its legacy IT infrastructure:

* Cloud-based IT infrastructure will become the locus for storage and processing of DoD data as well as its protection from cyber and physical attacks.1

* DoD aspires to benefit from the ability of the commercial IT sector to produce and rapidly exploit technological innovation at low cost and at scale.

* DoD has recognized that its cloud architecture will be a "multi-cloud" environment comprised of a general purpose “enterprise” cloud and a number of special-purpose clouds (“fit for purpose”) from different cloud service providers. This will enable DoD to take advantage of competition and innovation among commercial cloud providers. Among what are likely to be many special purpose clouds would be the Defense Information Security Agency’s MILCLOUD 2.0, where the servers and related equipment would be located on military reservations and carry highly sensitive data for the conduct of military operations.

**Security as a Threat to Modern Cloud-based IT Architectures – and as a Barrier to Entry to DoD Cloud Services Market**

As is so often the case in the IT industry, functionality often trumps security. Indeed, most of the security challenges facing IT users were “baked into” IT technologies as user demand for greater and greater functionality overwhelmed opportunities and efforts to mitigate potential security risks. A cloud-based IT architecture has significant security benefits over legacy IT infrastructure vulnerabilities – especially those related to so-called computer hygiene issues, such as managing passwords. However, it remains the case that new capabilities often also create new vulnerabilities.

The extraordinary concentration of valuable data in cloud-based systems makes them an extremely high-value target for cyber spying. Moreover, because private companies are primarily incentivized by economic efficiency, rather than security strength, their cloud service sites make particularly attractive targets for such cyber and even physical attacks. Even the largest and most successful IT enterprises are economically driven to field a small number of server farms that provide their cloud services. In addition to cyber intrusions, the huge value of sensitive government data stored at these few sites could encourage a physical attack – such as disabling access to electrical power and cooling supplies.

The federal government’s multibillion-dollar personnel security clearance processes also encumber DoD’s ability to take advantage of the superior IT technology available from the commercial sector at what Secretary of Defense Mattis calls “the speed of relevance.” A DoD SECRET security clearance currently requires an average of 221 days to complete, while a TOP SECRET clearance requires an average of 534 days. Other clearances such as those for access to nuclear weapons data (Department of Energy “Q” Clearance) and intelligence information (Sensitive Compartmented Information) may require even longer. Furthermore, a DoD Facility Clearance, which enables the user of the facility to perform work on a classified DoD contract, often entails significant additional processing beyond that required to clear individuals.

These personnel security clearance processes, however, do not obviously produce better outcomes than those the private sector has put in place at far lower cost. For example, Apple’s highly regarded security measures to protect its intellectual property are built around globally implemented, well-executed standards of personnel recruitment. Their ability to protect core corporate IP appears to be at least as good as the capacity of the US government to protect its core classified information.

The commercial sector invests to meet the demand for its goods and services. Military readiness requirements necessitate that DoD invest in advance of the emergence of the actual demand for its services. Hence, while the defense industrial base is designed to be able to respond promptly to DoD needs, including with a workforce holding the requisite security clearances, the non-defense private sector is not. These circumstances condemn DoD to procuring obsolescent technology at higher cost than could be obtained from the civilian sector.

The Statement of Objectives guiding the pending selection process for the first contract award under JEDI requires that the winner(s) must be able to offer fully functional services at the SECRET level within 180 days of the award and at the TOP SECRET within 270 days. Neither of these objectives is achievable within the current timelines for clearance processing for firms not already there.

These circumstances in turn raise three related issues:

• Though barely a decade old the US cloud services industry is vibrant. More than 200 firms currently supply cloud-based services to the burgeoning IT market, providing innovation through competition. Yet the source selection for the JEDI contract is likely to be limited to only two firms, those which currently hold classified contracts. This will limit the government’s ability to leverage the industry’s competitive strength in the interests of security and innovation;

• Even under JEDI, highly classified work can be conducted on DoD’s MILCLOUD 2.0. This should diminish the importance of the SECRET and TOP SECRET timelines to the initial JEDI contract award. DoD could thereby obtain the benefit of a more robust competition, as has been suggested by two senior Members of the Defense Subcommittee of the House Committee on Appropriations; they do not believe the higher level of classification is necessary for all functions of the JEDI cloud; and

• Reporting by Reuters in 2017 investigation revealed that U.S. software makers were allowing the Russian government to conduct source code reviews of their products to maintain market access. Congress responded in the 2018 NDAA with a provision (Section 1656) requiring U.S. defense contractors to disclose such reviews to the Pentagon. Similarly, U.S. commercial cloud providers are multinational corporations with global customer bases. It seems likely that US near-peer competitors China and Russia – as well as other adversaries – have gained insights into the workings of these providers’ products through means both authorized and surreptitious.

Suffice to say, security remains a fundamental dimension of successful cloud deployment for both the private sector and industry. In its initial JEDI procurement and throughout its move to the cloud, DoD needs access to the most effective and compelling security practices. The assumption that current government clearance processes are the only way to ensure security is unwarranted.