What could go wrong? Pentagon prepares to put high-risk secret documents in the cloud
A request for information published [PDF] earlier this month by the United States Defense Information Systems Agency reveals that the Pentagon wants IT companies that administer cloud services, like the one run by Amazon, to provide the United States government with a plan for a similar system where classified information can be shared securely.
Such an infrastructure and the associated policies already exist for data deemed to have an impact level of 1 or 2 but, according to Business Insider, letting the military’s new plan come to fruition will for the first time allow data that “could put people in grave danger if it is leaked” to legally end up on the cloud.
Jai Vijayan, a writer for Information Week who was among the first to spot the Defense Department proposal, wrote last week that the government’s interest suggests Washington wants “to put in place an ecosystem that will allow the DoD to take advantage of commercial cloud computing technologies while ensuring the level of security needed to run highly sensitive workloads.”
“DISA is exploring several possible ways to integrate commercial cloud services with DoD networks, each with its own planning, technical and contracting considerations,” the Pentagon explained in the October 1 request. “Each method has different levels of Government and vendor responsibility, technical interface points and subsequent project planning, though logically they may all be considered by the NIST definition as implementing a ‘private’ cloud deployment, with the single tenant being the DoD community and mission partners.”
The request for information outlines two potential models that the Pentagon wants cloud companies to consider when designing a system that could be securely implemented by the Department of Defense.
“The first model, entitled the Data Center Leasing Model (DCLM), allows the vendor to lease rack space or floor space in DoD data centers and place their software and hardware on the DoD premise,” the whitepaper reads in part. “The model enables a select number of market-leading cloud ecosystem vendors to be allocated discrete floor/rack space inside DoD facilities (e.g., DoD Core Data Centers (CDCs)). After sufficient security scrutiny and accreditation, the vendors reside inside the CDC and offer contemporary cloud ecosystem services to the DoD community.”
“In the second model, the On-Premise Container Model (OPCM), integration with the vendor occurs at a shipping container boundary,” the request continues. “The container is brought to a DoD premise, where it resides under the physical protections of the local facility. Many of the considerations in this model are analogous to the data center model (e.g., power, cooling), though the containerized IT resources provide an inherent physical boundary and most likely reside in close proximity to the data center they support, drawing key services, such as redundant power and network connections, from that data center.”
“Since the two integration models either reside in, or adjacent to, the DoD data centers, both models are being considered for Cloud Security Model (CSM) Levels 5 and 6 data and workloads,” the request continues. As Business Insider pointed out, this type of classification is reserved for information that might pose a real threat to national security if a breach were to occur.
“The majority of the documents leaked by Edward Snowden were level 6,” James Cook wrote for BI. “To put that in context, earlier this year Amazon was granted provisional authorization to store public and unclassified level 1 and level 2 data in its servers.” According to a highly redacted Pentagon report on the damage caused by the former intelligence contractor, the disclosure of some of Snowden’s documents may result in “exceptionally grave damage to national security.”
Earlier this year, in fact, a report published by the FCW federal technology website suggested that putting level 6-graded info on the cloud was something that had yet to be seriously weighed by officials. In a January 2014 article in which the “DOD’s cautious path to the cloud” was considered, FCW’s Frank Kokel wrote that “Impact level 6 is designated for classified information only” and that “the market value for cloud computing services at Impact Levels 3-5 is likely 10 times more than exists at Levels 1-2, according to sources.” At the time, only ten months ago, Kokel wrote that getting DOD data classified as levels 3-5 onto the cloud remained in “draft status.” Less than a year later, however, the latest call for work suggests the military is already considering making that move with regard to even more sensitive data.
For now, the Pentagon is not certain what type of cloud system, if any, it will consider implementing. Potential vendors have until early next month to submit details and answer questions, including some specific to handling level-5 and -6 workloads.
Meanwhile, the deputy director for management at the White House Office of Management announced only last week that “growing cybersecurity threats,” including this year’s Heartbleed bug, have prompted the government to embrace better tactics aimed at ensuring the computer networks used by civilian agencies stay secure, specifically a program in which the Department of Homeland Security will now conduct “regular and proactive scans” of agency systems without prior agency authorization “to protect our nation’s most sensitive information.”
Days earlier, Rep. Mike Rogers (R-Michigan), the chair of the House Intelligence Committee, warned that the majority of networks across which data traverses in the US are, unlike government systems, all too prone to attack.
“We are not prepared if the federal government decides that they want to take an offensive action or disruptive action in any significant way, even in response,” Rogers said. “Again it’s not the government we’re worried about: we can hunker down and put the helmets on. It’s the 85 percent . . . and they will not be ready for what comes next. I guarantee you that today.”