The Defense Department has planned for security in its Joint Information Environment to protect from outside cyber attackers, but lawmakers worry the departmentwide network consolidation might not do enough to protect against threats from within.
In a proposal for its portion of the National Defense Authorization Act of 2017 released Tuesday, the House Armed Services Committee’s Subcommittee for Emerging Threats and Capabilities put forward a number of policy and spending proposals, including hardening JIE, reining in the Defense Department’s Silicon Valley innovation outpost and boosting the use of commercial cloud computing.
The Defense Information Systems Agency-led JIE is intended to standardize, simplify, centralize, secure and automate the DOD-wide IT infrastructure under one network. Officials have said the new network would provide less surface area for outside cyberattacks, but the subcommittee proposal frets that not enough is being done to police activity inside the network.
“Historically, the tools used to monitor … exterior threats do not provide good defenses against insiders or lateral movements within a network” by attackers who’ve already penetrated the system, the proposal says. “Where the Department has been focused on insider threats, the committee is concerned that those recommendations have been focused on procedural changes that are not connected to the capabilities, or the capability needs, for network tools and digital rights management.”
The proposal — which still faces mark up from the subcommittee, as well as the full committee as part of the 2017 NDAA — would require DOD CIO Terry Halvorsen to brief the House Armed Services Committee by the year’s end on his plan to integrate insider threat defenses into the JIE.
“This briefing should address those tools currently planned for incorporation, like digital rights management, as well as identification of any gaps in the architecture where commercial tools for insider threat monitoring might be included into JIE, or into upgrades to key enabling capabilities like the Joint Regional Security Stacks or the Host Based Security System,” the proposal says.
The subcommittee targeted an array of defense IT issues in its proposal, such as updating the DOD cloud access point strategy to enable greater adoption of commercial cloud; assessing DOD’s efforts to secure the Internet of Things; countering terrorist groups’ spread of messaging on social media; and funding the DOD-led development of security clearance systems to replace those housed by the Office of Personnel Management that resulted in stolen information on tens of millions of Americans who applied for federal background checks.
Additionally, the proposal would restrict funding for the Pentagon’s Silicon Valley innovation outreach effort, the Defense Innovation Unit — Experimental, or DIUx. Future spending will be locked up until Secretary of Defense Ash Carter provides a report to Congress on the use of funds so far to establish and expand the team.
The proposal sets out to limit DIUx’s funding to no more than 80 percent of what the NDAA authorizes for it in 2017 until Carter has provided the requested report. The president’s fiscal year 2017 budget request designated $45 million for DIUx operations, but that could change based on the NDAA and defense appropriation bill.
Lawmakers worry that while DIUx is working to bridge the gap between private startups — particularly those on the West Coast — and the DOD, it is focusing too much on one region and disregarding other non-geographical barriers to partnering with small, innovative companies.
“The committee believes DIUx to be a helpful step in bridging those communities, but is concerned by the pinpoint focus on one geographic region, as well as the dedication of significant funding at such a nascent period in the development of this organization and the concept on which it was founded,” the proposal says. “The committee is concerned that outreach is proceeding without sufficient attention being paid to breaking down the barriers that have traditionally prevented nontraditional contractors from supporting defense needs, like lengthy contracting processes and the inability to transition technologies.”
The subcommittee will mark up its portion of the 2017 NDAA Thursday.