WASHINGTON — As the Defense Information Systems Agency beefs up its role in “combat support,” agency chief Lt. Gen. Robert Skinner previewed a “hot off the presses” five-year strategy — due out this Monday — that puts new emphasis on keeping commanders connected, from the President on down, in the event of a major war.
“This is really focusing on the bad day,” Skinner told a Potomac Officers Club conference Wednesday. “It’s great to have internet day to day in peacetime, in the [strategic] competition that we’re in today, but it’s more imperative to have it when bullets are flying and nations are past the point of competition. … You don’t see that day to day, our Department doesn’t see that day to day necessarily, but we’ve got to have that.”
So, alongside the usual hot topics for an IT-focused agency — cleaning up data, replacing old tech, migrating to the cloud — the strategy makes its first priority providing “resilient” capability for warfighters and its second “strategic command, control, and communications.”
“The President can’t talk without us, neither can the SecDef or the chairman, but our warfighters are the ones we have to support,” Skinner continued. “We have organizations aligned to every combatant command … so we are day to day in the combatant commanders’ battle rhythm and understanding what their requirements are.”
That “Strategic C3” imperative goes hand-in-hand with the strategy’s emphasis on resilience. “Our capabilities have to be secure and operational and available — which means resilient — for our warfighters and our mission partners,” Skinner said. “If that capability is not available and we don’t have a resilient capability when our warfighters need it … then we have failed.”
Part of this resiliency is cybersecurity, from implementing new post-quantum cryptography to standing up the first intelligence analysis cell at DISA headquarters — what the military calls a staff section J-2.
Skinner first publicly discussed creating the J-2 staff in January. “I’ve had a lot of people tell me I can’t do it, so we’ve learned a lot,” he said Wednesday with a laugh.
DISA isn’t trying to become an intelligence collection agency, he emphasized, but it needed an in-house organization to bring together intelligence from other agencies and figure out how DISA should respond to threats, both in near-term network operations and in long-term acquisition of more secure technology.
“The DISA J-2 is going to be very standard, [like] a J-2 at a combatant command” or a military service, Skinner said. “They will take multi-int reports, coalesce them, and align to the threats and align them to the capabilities the agency provides. … I don’t want to go any further than that.”
Where DISA finds vulnerabilities, it’s also exerting its authority to make Defense Department organizations clean up their networks — or be cut off. Nine years ago, when DISA helped stand up an operational cybersecurity HQ, Joint Force Headquarters – Department of Defense Information Network, an all-too-common response was “you can’t tell me what to do,” Skinner recalled. But they don’t say that anymore.
“There are some organizations that have had their access to the internet isolated or blocked because of their cybersecurity posture,” said Skinner, who also serves as the JFHQ-DODIN commander. “Three years ago that would never have happened, but it’s happening today because we have the department’s leadership that is understanding of the cybersecurity threat and is taking it seriously and holding organizations accountable.”
Modernization: Circuits And Clouds
Not everything DISA is doing to achieve resilience is so hard-nosed, however. Some of the new strategy’s modernization moves may even seem mundane, like replacing archaic Time-Division Multiplexing circuits, a technology that was last considered cutting-edge in World War II.
“It’s not resilient anymore,” Skinner said, because TDM is so obsolete that most companies don’t know how to keep it running anymore and those few that do charge extortionate prices.
That’s just one example of where DISA needs to rip out outdated “legacy” tech and replace it with modern IT, he said, pointing to the strategy’s modernization priority. “We’ve got to go faster, modernizing off of the legacy and getting to the cloud faster,” he said.
That said, Skinner cautioned, “cloud is not the panacea,” and some high-priority functions need to be performed on closed “on-premise” networks. But cloud computing is a major push for DISA, which offers multiple cloud options: the year-old Joint Warfighting Cloud Capability run by Amazon, Google, Microsoft and Oracle; the older General Dynamics/Microsoft DEOS; the military-specific STRATUS (replacing MilCloud) and the new Joint Operational Edge (JOE); and a recently announced prototype with HPE.
At this point, Skinner said, what he needs from industry is not more cloud options, but help pruning outdated software and consolidating redundant applications to make it easier to migrate to the cloud, instead of just carrying everything over indiscriminately, also known as “lift and shift.”
“What I ask of you is application rationalization support,” he told the contractors in the audience. “You can’t just re-host [software] from the current environment to commercial cloud, and moving from one cloud to the next is still too expensive.”
Above all, the DISA director advised contractors, they need to think big and offer solutions that can scale up to serve a massive military that’s deployed worldwide. “If your product and capability doesn’t scale, it’s hard for us to use it,” he said.