Can the IDF afford to switch to a cloud computing model in the era of cyber? This is one of the questions that have been bothering senior officials in the Israeli defense establishment recently. If in the past the IDF operated in a decentralized manner that provided each service branch with technological independence, the current economic reality has compelled the military to become more efficient and the various branches to combine their technological capabilities. Concepts like sharing and transparency are entering the defense jargon, to the chagrin of the opponents, and change – under the surface – the technological and organizational culture.
As recently as early last March, the commander of the Lotem unit at the IDF C4I Branch, Brig. Gen. Danny Bren, said at the international C5 conference that the "Networked IDF" program for combining communication networks had been approved. BG Bren said further that in the context of the relocation to the south, to Beer Sheva, the IDF will cut down the number of server farms in its possession. It is reasonable to assume that the same trend is taking place in other security agencies such as ISA and Mossad, which need (or will need) to demonstrate efficiency improvement in the field of IT in the near future.
"Amazonization" of the IDF
At the same time, along with the statements made by senior military officers, quite a few questions remain unanswered regarding the ability of the IDF to switch to a cloud computing model. If we examine the world around Israel, we will see that the aspiration to get there may exist, but in effect, the defense culture cannot contain such concepts as “sharing” and “openness”. One of the most significant moves in this context took place last July in the USA, when DISA, the Defense Information Systems Agency of the US Department of Defense, allocated a budget of US$ 450 million to ten projects in the field of cloud computing for the defense services of the USA.
In this context, DISA announced a certification program designated FedRAMP that every contractor supplying cloud computing services to DOD must pass before the end of this year. Additionally, once certified, contractors are required to undergo a specific certification process at DISA in order to implement their cloud computing services at DOD. At the same time, even if a similar certification program is implemented at IMOD, it will still be hard to imagine operational processes of the IDF relying on the servers of Amazon or any other supplier of cloud computing services anywhere in the world that maintains decentralized server farms somewhere in North America, Europe or Asia.
Proof of the problematic nature of DISA's new certification program may be found in the fact that this certification process does not include a demand for compliance with the FISMA federal law enforced by the US government. According to this statute, every federal agency is responsible for securing its own information, and that includes the personal accountability of the head of each agency. According to FISMA, information security means protecting information and information systems against unauthorized access, use, disclosure, disruption, alteration or destruction of the information, all for the purpose of ensuring the integrity, confidentiality and availability of the information. Why has DISA failed to include the demand for compliance with FISMA in its certification program for suppliers of cloud computing services? Good question.
And since we mentioned Amazon, it is the world's first civilian cloud computing service provider which is FedRAMP certified and has been contracted to establish a cloud for the CIA. The contract signed last October (following a legal battle against IBM) for US$ 600 million will enable Amazon to establish a cloud for the Central Intelligence Agency of the USA. Although not much is known about the architecture of the cloud, senior officials at Amazon were able to tell various websites that it will rely on Amazon infrastructure and that the nature of the services will be similar to the company's AWS solution. Nevertheless, it is not yet clear how the CIA will be able to keep the data channel between itself and Amazon hermetically secured.
Another company dealing extensively with the implementation of cloud computing models for clients from the government and defense sectors in the USA and Europe is Lockheed Martin. This company, too, is FedRAMP certified. "Classified information cannot pass to the cloud, it is not a sufficiently safe environment for it," says Robert (Bob) Eastman, VP in charge of Lockheed Martin's global solution program, which is a part of the company's defense and intelligence product and service line, in an interview he granted to IsraelDefense Magazine. Eastman is the person responsible for the agreement signed with the Bynet Data Communications company of Israel (through a joint venture named LB Negev) for building the server farm for the IDF in the context of the relocation to Beer Sheva (Project 5/9).
"It is possible to establish a private cloud and control the authorizations. In many security organizations around the world they are beginning to implement private clouds. It enables them to combine server farms and serve more units," explains Eastman. "You need to understand that every military organization or intelligence service runs numerous applications, some of which had been tailor-made to the needs of that organization. Many of them run on dedicated software and dedicated operating systems and these cannot be transferred to the cloud. Some of the applications would have to change to a configuration better suited to the cloud, and some of them would have to be written afresh.
"The intelligence community in the USA is reviewing the cloud. Both the configuration of a private cloud and the feasibility of using a public cloud for unclassified services. The idea is to create a spectrum of cloud services for the user. You can say with certainty that in the field of defense it is possible to opt for the cloud."
Is an international cloud possible?
"I do not see the defense organizations switching to an international cloud model for purposes of cooperation. But that does not mean that there is not much work to be done around the ability to share information between countries regarding cyber attacks. In the USA we have NDIA (the National Defense Industrial Association) which developed a methodology that would enable the defense industries and the government to share information regarding cyber attacks. Some of it is protocols such as TAXII and STIX (developed by MITRE). In this way, if an organization has experienced a cyber event, it will be able to share what it has seen and experienced so that others may be able to prepare," explains Eastman. According to him, this trend is evolving in the UK, too, where they decided to establish a national cyber hub to enable the government and commercial sectors to share information about cyber.
"In the USA we participate in the development of this architecture. We were also partners in the UK in the development of the hub," says Eastman. "It is a state-led project but we did the integration and the design. We work with several other countries and international corporations to support them in analyzing the vulnerabilities in their networks. A part of it is a proposal for sharing information about how to do it. They can take advantage of what we know. We also have a model for analyzing APT attacks. The country or the organization can send us data about an attack, and we will analyze the data and return conclusions that would help them reinforce their defenses."
The Human Capital Challenge
Beyond its dealings with cloud computing, Lockheed Martin is regarded as one of the world's largest corporations in the field of cyber. Since cloud computing and cyber overlap, as mentioned earlier, there is some similarity between Lockheed Martin and the IDF in this respect. Just as the IDF cannot switch to cloud computing without reinforcing its cyber defense capabilities – a responsibility of the Lotem unit – so Lockheed Martin cannot sell cloud computing services without cyber defense capabilities. This similarity enables us to draw an analogy between the way Lockheed Martin copes with the problem and the way the IDF copes with it, for example, with regard to recruiting and preserving the cyber human capital.
"We are the largest IT contractor working opposite the federal government in the USA. Our IT sales reach a turnover of US$ 8 billion (out of a total sales turnover of about US$ 45 billion). Cyber is a major part of that. Admittedly, if you review our purely-cyber contracts, it will not be such a substantial turnover, but if you examine the cyber work embedded in the IT contracts – then the percentage will be more substantial," explains Eastman.
"The human capital is a major problem for us. We found that cyber expertise can come from all fields, not just from graduates of cyber studies or computer science. A high percentage of our best analysts have degrees in history, law and other fields that are not directly associated with the field of cyber. They simply love IT and information security and have an analytical capability. We try to hire people who love it."
In order to preserve their professional cyber personnel complement, Lockheed Martin has developed, over the last two years, a unique recruitment method that provides every employee of the company the opportunity to become a cyber analyst. It is a program that includes a week's evaluation, during which the employee experiences handling simulated cyber attacks. If Lockheed Martin identifies that he/she has potential, he/she will go through an intensive training program of 3-4 months at the end of which he/she would become an analyst. Additionally, the training program also includes advanced training courses for people already involved in the field.
"We realized we needed more people in cyber. We developed these courses in order to reach a higher percentage of our personnel. From the moment we can identify those who possess the capabilities, they undergo an on-the-job-training (OJT) process. Every employee can be a cyber analyst. It is a process of marketing the field of cyber inside the company," explains Eastman. It should be noted that Lockheed Martin has 120,000 employees worldwide.
"We are also involved in universities around the world. For this reason, we entered a cooperative alliance with EMC at the Ben-Gurion University, in order to reach those youngsters who want to work in cyber, with the hope of recruiting them. We have several such initiatives with EMC around the world in the field of storage, but in Israel it was the first time we did it in the field of cyber."
There is no doubt that a reality where the trend of switching to cloud computing exists alongside the trend of increasing threats from the direction of cyberspace does not make life easy (to put it mildly) for the decision makers in the IDF and in Israel's other security services, but not just for them. The moves made by DISA that we mentioned previously, even if they still do not solve all of the problems associated with the transition to cloud computing, indicate a change of trend. In an economic era where military organizations and intelligence services all over the world are required to cut costs, cloud computing is a necessary evil.
But viewing cloud computing only as a financial solution would be a distortion of the technological truth. Admittedly, the primary catalyst is the economic aspect, but cloud computing is expected to provide the IDF with technological capabilities it never possessed, whether this applies to backup, operational/functional continuity and disaster recovery capabilities that are superior to those currently available, or to the ability to mobilize IT resources while accurately overlapping the operational need in real time. In an era when the military is totally dependent on technology, these capabilities will have a far-reaching effect on the operational potential of the IDF, in offensive as well as defensive operations.