DOD gets serious about funding IA improvements
By William Jackson
Jan 25, 2006
The Defense Department is talking a lot about network and information security these days, and according to Pentagon officials speaking at the Black Hat Federal Briefings in Arlington, Va., it has begun putting some of its money where its mouth is.
The department has budgeted $77 million for six years beginning in 2007 to fund new training and certification requirements for systems administrators, said Rick Aldrich of the DOD network defense organization. An additional $500 million has been requested for IT security initiatives resulting from the department's most recent quadrennial review.
This money is in addition to the $2 billion now being spent annually on information assurance from the DOD's $30 billion IT budget.
Linton Wells II, principal deputy assistant secretary for network and information integration, described some of the security initiatives in his opening keynote address at the briefings.
Wells said the four-year review, which began in 2001, went beyond the program and budget level to address new strategic needs for the nation's military. In the future, DOD will depend more on speed and agility than on brute force to address emerging threats.
'That is why the network, which allows you to use your forces in nonconventional ways, is one of the keys to change in the quadrennial review,' Wells said.
But he warned that today's DOD networks are vulnerable and under attack. Some of the attackers are believed to be nations.
'We know our adversaries have the networks in their sights,' he said. 'We have to assume we are facing a patient, skilled and well financed adversary.'
Actions taken in the last six months to address these threats include:
- Setting new standards for training and certifying systems administrators on DOD IT systems, which required legislation enabling the department to pay for commercial certification of its IT professionals
- Standardizing system configurations
- Pushing for the use of the Common Access smart ID card for network access control throughout the department
- Improving network monitoring capabilities
- Establishing greater control over connections between DOD and public networks
- Automating patch management. 'We are quite a way away from that because of the heterogeneity of our systems,' Wells said.
To bring more order to DOD communications, the commander of the Strategic Command, headquartered in Omaha, has been placed in command of all department networks, establishing a single point of responsibility and clear chain of command.
The new emphasis on command responsibility was seen in last November's departmentwide information assurance stand-down day, during which IT security policies were reviewed. The stand-down was not a one-time event, Wells said.
'I expect we would see more of that in the future,' he said.
One lesson learned by DOD from the war in Iraq is the need to plan for stability, security and rebuilding in the wake of military action. The increased cooperation with nongovernmental organizations that will provide many of these services will require new extranet capabilities, Wells said, 'because they are not getting inside our firewalls.'
William Jackson is a Maryland-based freelance writer.