Can DOD overcome its 'data hoarding' problem?

A senior Pentagon tech official said that when it comes to data protection, the Defense Department and other organizations must learn how to harness their data if they want to stay secure.


The best way to protect critical infrastructure is to first protect the data.

“If you ask a social media company if they want to be critical infrastructure, they will tell you absolutely not,” said Kiersten Todt, president and managing partner for Liberty Group Ventures LLC, during an Oct. 24 panel discussion at the Armed Forces Communications and Electronics Association’s MILCOM conference. “But look at the data that they’re aggregating and look at how that data is being stored.”

“How are we defining the difference between critical infrastructure and critical information when all of that data and all of that information is mobile?” she asked.

Todt, who is also a University of Pittsburgh cyber law and policy scholar, called mobile devices “an end-point priority equal to -- I would argue even more so important than -- the laptops and desktops that we each use.” She added that “critical information has to be the priority for how we look at secure devices' data and how we’re securing our workforce,” and predicted that public-private partnerships will facilitate that security.

“We need to be working more effectively together before something happens,” Todt said. “We can’t just identify information sharing as a destination; we have to put the work in to get there.”

There are other challenges as well. All of that information sharing lends itself to data collection, or as the Defense Department's Deputy CIO Essye Miller calls it, “hoarding.”

“We are hoarders,” she said, likening the data problem to traditional recordkeeping and storage, slowly moving files into less secure environments as data’s value diminished. “It’s just a natural inclination that we feel we have to keep everything, which drives the need for security.”

Part of the solution, Miller said, is to put mechanisms in place, such as using artificial intelligence and machine learning to automate and manage the rapidly accumulating data. The rest will be cultural.

“Part of it, quite frankly, will be the services' understanding that at some point they’ll have to let go,” she said.

As the DOD modernizes legacy networks, data will ultimately become a key security component. The bottom line, according to former DOD CIO Terry Halvorsen, is to let data define system security needs.

“We’re not going to be able to define critical infrastructure in the way we used to,” said Halvorsen, who is now Samsung’s CIO and executive vice president for IT and mobile business communication. “In fact, it is going to be defined for us by our critical information, and that is going to take cooperation between all sectors … in ways that we haven’t been very successful at in the past.”

And as the data stacks up, he said, the government will have to learn to throw it out.

“Data is like milk, it actually goes bad after a while,” Halvorsen said. “It has time frames [for] when it needs to be protected and time frames when it doesn’t.”

“How do you [put] a rheostat on your systems that says, ‘Today I need a 10 level of protection on this data, tomorrow I might not need any.’ It’s either become exposed or the value of that data has decreased so much that spending money and time protecting it no longer makes sense,” he said. “How do you trash data? At some point you need to do that … because [then] you’re storing so much stuff that [what] you’re protecting … actually has no relevant data.”