What happens when data becomes more important than the mission?
As the prominence of the cyber domain intensifies, the Pentagon increasingly must choose between supporting the mission and protecting its valuable data.
In some respects, data is one of the U.S. military's greatest advantages.
A 2017 report by the George Washington University Center for Cyber and Homeland Security found that the Department of Defense is sitting on a treasure trove of unique, exclusive data that can be used to feed AI algorithms, improve battlefield efficiency and communicate the latest threats across defense networks.
According to Col. Darlene Straub, chief of defense cyber operations at the Defense Information Systems Agency, until recently the strategy for how best to use this information was relatively simple: analyze it, package it and push it out to those in the field who need it as quickly as possible.
However, as cyberspace has become more integral to the way military planners gather intelligence, identify trends and analyze threats, that dynamic may be starting to shift. Some information is becoming too important to expose.
"What's available on the network today is so much more damaging," said Straub at a June 14 luncheon hosted by the Armed Forces Communications and Electronics Association. “It’s not just...voice transmission, it’s not text messages going back and forth. The security of the data of the network sometimes is more important than the availability, because if the enemy has that data, I've endangered that team more than by not providing them the information, and that’s just such a different shift in how we think."
When and how the military shares information on the battlefield, where security conditions are often less than optimal, is becoming an increasingly important question that officials like Straub must consider.
Those questions only become more pertinent as the DOD, intelligence agencies and defense contractors become ever more dependent on newer technologies like the cloud. The Pentagon is currently in the early stages of procurement for a Joint Enterprise Defense Infrastructure (JEDI), a massive commercial cloud infrastructure designed to support military operations.
In an era where many federal agencies still fret over cloud security, military officials must grapple with the same dilemmas in situations where lives are on the line. Simply relying on your provider to keep the network secure in uncertain technical conditions against nation-state hacking groups is not an option.
"You can't just take your data and put it in the cloud and be like, 'OK, cloud provider, defend it.' You're still responsible," said Rear Adm. Kathleen Creighton, the deputy commander for the Joint Force Headquarters-Department of Defense Information Networks (DODIN) at a January AFCEA luncheon.
Like many other agencies and companies in the private sector, the Pentagon is struggling to adapt in the Internet of Things era, where a proliferation of connected devices among personnel leave more end points – and vulnerabilities – than there is capacity to monitor and track.
Straub pointed to an incident earlier in the year, where military personnel using Fitbits to track their runs inadvertently revealed the location of sensitive military installations around the world. The incident raised questions among security experts and former feds about whether the Pentagon faced a policy gap when it comes to guidance for connected devices.
To Straub, the episode was a prime example of the unforeseen "data oceans" being created in a world filled with IoT devices and she called for more operational discipline as well as more restrictive policies to control what devices connected to the DOD defense networks can and cannot upload to the cloud.
"At some point the end point is how we manage," said Straub. "When you see the direction industry is going with end points, can we get there? Can we turn our network upside down to make each system its own security device and its own standalone agent in our cybersecurity battles?"