Navy opens some IT ops to vendors

The ongoing debate about how the Defense Department should organize to support

the emerging high-tech field of information operations took an unexpected

turn last month when the Navy published new guidance that opens up certain

portions of the IO field to civilian contractors.

A memorandum signed July 25 by Dan Porter, the Navy's chief information

officer, provides Navy organizations with the latest guidance on what information

technology jobs are considered "inherently governmental" and what jobs are

open for outsourcing. However, in a change from a previous draft of the

document, the Navy has labeled all defensive information operations, including

information assurance and other defensive security operations, as "non-inherently

governmental" job functions.

Although the earlier version of the Navy document released last year did

not include defensive information operations as a job function open to outsourcing,

the new policy recognizes that grand-scale IT initiatives, such as the Navy/

Marine Corps Intranet, are changing the face of the IT work force.

"With the advent of N/MCI, some of what has been "traditionally' government

work will transition to contractor support," Porter said. N/MCI would replace

a hodgepodge of two dozen Navy and Marine Corps networks with a seamless

network owned and operated by a single contractor.

The Navy's new policy guidance also stipulates that offensive information

operations — which include computer network attack, perception management

and psychological operations — are inherently governmental. It adds that

even though contractors may perform some elements of inherently governmental

work, "this will usually be in a supporting or consulting role."

The Pentagon first codified its definition of IO in a formal guidance document

known as Joint Publication 3-13. The initial document vaguely defines IO

and outlines the interrelated roles of such disciplines as psychological

operations, deception, perception management, civilian affairs and various

intelligence-related fields [FCW, Dec. 2, 1998]. Since then, however, the

term has come to include electronic warfare, computer network attacks, critical

infrastructure protection and information assurance.

Some experts point to questions about the link between offensive and defensive

IO and say the Pentagon has yet to resolve all the roles and missions within

IO, including the role of contractor personnel (see box).

"There is still ongoing role confusion regarding information technology

in general and information munitions specifically," said a senior Pentagon

official who has participated in high- level discussions on the future of

IO. "Taking care of IT equipment has clearly been relegated to support status

[and is] commonly outsourced," the official said.

"On the other hand, good attack techniques often arise from a sound

understanding of defensive tactics. So the two are clearly linked, and our

50-year-old organizational structure will continue to have difficulty with

this."

The policy change raises serious questions about the role of civilian contractors

in supporting ongoing military operations, in which uniformed personnel

have historically received legal protections from international conventions.

The Pentagon official said it's likely that the Navy is trying to ensure

through its policy guidance that offensive IO tactics "remain within the

province of trained warfighters." But he also noted that contractor personnel

are heavily involved in all aspects of IO. Civilian contractors, for example,

staff the entire IO cell supporting the U.S. Southern Command, which is

responsible for defense operations in 32 countries in Central America, South

America and the Caribbean, the official said.

A former intelligence officer who during the invasion of Haiti in 1994

served under Army Brig. Gen. Keith Huber, the current operations officer

at Southcom, said the contractor IO cell at Southcom is involved in coordinating

psychological operations with ongoing military operations, including counter-drug

missions and other classified operations.

John Thomas, the former commander of the Pentagon's Global Network Operations

Center (GNOSC), said the use of contractor personnel in the realm of IO

is nothing new. He added that one of his current employees from the information

assurance division within the AverStar group of Titan Corp., where he now

serves as vice president, directly supports the IO effort at Southcom.

"When I landed in Haiti with the Army's 18th Airborne Corps, GTE [Corp.]

contractors went with us," Thomas said. "They were side by side with us

in combat.

"The military is at a crossroads here," Thomas said. "Their requirements

have outpaced the ability of the schoolhouses to produce trained students

[in IO]. The best thing the military can do is create a win-win situation

by partnering with industry."

Thomas said most of the staff members at DOD's five regional Computer Emergency

Response Teams were AverStar employees when he served as GNOSC commander.

"I could not discern between the contractors and the DOD personnel in terms

of dedication or performance difference," he said.

Although he has no firsthand knowledge of it, Thomas said, he is confident

that there are contractors involved in some aspects of offensive IO in DOD.

"You have contractors in every aspect of IO," he said. "They're working

hand-in-glove with the military."