Pentagon, ODNI form ‘joint team’ to explore risks connected to mobility across cloud networks
Experts within the Office of the Under Secretary of Defense for Intelligence and Security and Office of the Director of National Intelligence are collaboratively reviewing the technical, governance and policy implications — among other emerging challenges — associated with automatically moving authorized data and resources between private or public clouds and to tactical edge devices, depending on government needs.
“USDI&S and ODNI have established a joint team that’s kind of looking into the security of the mobility systems,” Johanna ‘Jojo’ Leasiolagi said during Federal News Network’s virtual Cloud Exchange on Thursday.
Leasiolagi, a senior technical advisor for the Defense Intelligence Agency, went into deeper detail about that ongoing review in a discussion with DefenseScoop on Friday.
Cloud services, which are essentially delivered on-demand via the internet, mark a major enabler of DIA’s unfolding pursuit to modernize its legacy, secretive Joint Worldwide Intelligence Communication System, or JWICS, network. Through multi-vendor, multi-award contracts including the Pentagon-wide Joint Warfighting Cloud Capability (JWCC) and the intelligence community’s Commercial Cloud Enterprise (C2E), DIA can choose from and is engaging with several large cloud service providers.
At the event Thursday, Leasiolagi said the agency is currently working with its various programs offices to identify “efficiencies, where it makes sense” to set up different cloud access points globally.
“It’s kind of like a co-location of sorts, where customers can have better access to all of the different services that will be available — that way there is no confusion on having one service over here and another one over there,” she noted.
DIA officials are aware of and accept risks associated with the agency’s complex shift to the cloud.
On that note, Leasiolagi pointed to reports of a recent incident where a misconfigured cloud server connected to Special Operations Command left some data — which was unclassified but included some officials’ personal information — exposed publicly online for weeks.
“We just saw this last week, with the leak of some of the email services, right? So just because we’re moving to the cloud does not mean that we no longer have risks and that it’s on the cloud service providers. It’s a partnership here, where they also have a part of the infrastructure that they have to secure and we also, as customers, have our responsibilities to secure,” she said.
“And so if we continue to work together, having a better visibility into what each other does in the community” is necessary, Leasiolagi added, saying it could help strengthen “the entire system architecture.”
She advocated for a cloud strategy that encompasses end-to-end security.
With the enhanced mobility and more widely available network services DIA envisions in migrating to the cloud, surfacing information-governing issues must also be confronted in the near term.
“That is actually something that we’re exploring right now,” Leasiolagi noted — pointing to that USDI&S and ODNI joint team now “looking into the security of the mobility systems.”
“It goes beyond just a technical area, but it also goes into governance and policies. As you know, tactical systems have to be mobile, so they have to be able to work anywhere in the world,” she explained.
However, “if you look at data governance” today, privacy laws differ across the world. This could essentially “mean that if you are in a certain area of a country, the laws in there, locally, mandate that that data can be reviewed by either the local government or someone else,” Leasiolagi said during the event.
In her view, “one of the biggest challenges is understanding the policies and the laws that regulate the data at that location — the visibility, the security, and how do we protect it? How do we make sure that that is our data, and then no one else is going to look at it, and that whenever we need it, we can get it back?”
She also suggested a memorandum of understanding or other agreements between parties involved regarding data sovereignty and security could stem from the joint team’s work.
Leasiolagi provided more details about those activities on Friday, in response to a request for further information from DefenseScoop.
When asked to define “mobility systems” in this context, she spotlighted the Defense Information Systems Agency’s Strategic Plan in support of the Hosting and Compute Center (HaCC), noting there “mobility, sometimes referred to tactical edge or tactical communications, describes a wide range of systems that ‘enable a mobile workforce; deliver modern secure IT solutions that facilitate delivery of [Defense Department] mission applications to the endpoint at all classification levels.’”
“These could be government cellphones, laptops, ships, or aircraft as examples,” Leasiolagi said.
On the definition, she also mentioned the DOD’s overarching objectives to “have global accessibility to the right data at the time of need.”
According to Leasiolagi, studies into how the broader IC and DOD communities can support global cloud connectivity have been around for a few years — and particularly as each new service “comes online” with C2E, JWCC and other network modernization contracts.
“Most recently DISA, [USDI&S] and ODNI have focused more on JWCC to ensure we are coordinating how services will begin to be delivered and interconnected. I participate in a few key groups to help coordinate DIA actions — though I believe that each agency’s communication team would be best postured to share information on relevant studies and meetings they are leading,” she told DefenseScoop.
Spokespersons from ODNI and USDI&S did not respond to DefenseScoop’s questions on the new joint team by publication.