The United States Defense Innovation Board (DIB) has recommended that the Pentagon hire civilians to work from home who can handle classified information as a way of attracting people with technical expertise.
DIB, in its September 15 report, proposes a “highly limited, temporary and specific use of waivers for a small percentage of the workforce to ensure two things: First, key innovation and technology initiatives are fully staffed, and second, that the most service members with the greatest potential are retained.”
The individuals sought “will have technical degrees and/or highly specialized skills in digital technologies and innovation needed across the U.S. Department of Defense,” which is undergoing digital transformation.
These skills include modern software development, cyberphysical systems, data science, and artificial intelligence/machine learning (AI/ML); rapid capability development and adoption; and applied innovation methodologies such as design thinking and Lean Startup, which emphasize critical thinking, experimentation, and iteration.
According to Gartner, these systems “underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.”
Modernize the DoD
DIB’s recommendation to recruit civilians from home is aimed at helping facilitate the U.S. Department of Defense’s (DoD) digital modernization strategy for 2019 to 2023.
“Digital technologies and capabilities, including the integration of software with legacy systems, will transform every facet of DoD operations, from human resource systems to weapon systems,” according to the DIB.
“DoD faces a digital readiness crisis,” the DIB said. “With each passing day, the gap with the private sector grows bigger, and we are seeing near-peer competitors and would-be adversaries display accelerating progress. In contrast, the [DoD] has yet to determine the right metrics to begin assessing digital readiness or understand the gaps in its digital innovation workforce; there is an institutional blindness to our digital deficits.”
People with tech expertise are sorely needed by the DoD, which published a classified artificial intelligence strategy and is establishing a Joint AI Center (JAIC), publishing a strategic roadmap for AI development and fielding, and establishing a National Security Commission on AI.
The DoD’s AI strategy aims to identify appropriate use cases for AI across the department, rapidly piloting solutions and scaling the successes across the enterprise through the JAIC.
The JAIC will use AI to solve large and complex problem sets across multiple services, then provide those services real-time access to libraries of data sets and tools that will constantly be updated and upgraded.
Meanwhile, the DoD is working to create a Joint Common Foundation, an enterprise-wide cloud-based foundation that will “provide the development, test, and runtime environment and the collaboration, tools, reusable assets, and data that military services need to build, refine, test, and field AI.”
To that end, the Defense Information Systems Agency (DISA) in August awarded a four-year US$106 million contract to Deloitte Consulting, LLC, an arm of management consulting firm Deloitte to “design and build the Joint Common Foundation Artificial Intelligence development environment.”
DoD Struggles to Retain Trained Tech Staff
Meanwhile, people with high-tech skills have been leaving the military because most of its personnel policies and systems “were designed for the industrial era,” the DIB noted. “Many digital innovation skillsets do not fit within existing career tracks; therefore, service members with these skills are often left unidentified and ignored in DoD’s talent management systems.”
The DIB recommended in 2017 that the DoD overhaul its personnel policies and systems to focus on training, developing, and retaining individuals with the requisite technical expertise and skills, but change has been slow in coming because it involves several layers of law, regulation, policy, and culture.
“The current system — as effective as it has been in the past — simply will not allow us to optimize the potential of our workforce going forward,” then-Secretary of the Army Mark Esper said in June 2019.
“If we are to attract, develop, and retain the nation’s best and brightest, we must manage our people in a way that accounts for their skills, their knowledge, their behaviors, and indeed, their preferences,” Esper remarked.
With the current system, there “is little need or desire to consider an individual’s unique talents or personal preferences,” he added. “Oftentimes, only rank and military specialty are all that are used to determine a person’s next-to assignment. Such rudimentary management of our people is no longer sufficient for today’s generation.”
The Army faces a competitive labor market where highly skilled people are in great demand, and winning the “war for talent” requires a new approach to personnel management, Esper noted.
However, hiring new staff has not been easy for the DoD.
The department “has traditionally struggled to compete for digital talent for reasons ranging from relocation requirements to hiring speed, to access to modern IT and tools,” the DIB said. The new work-from-home (WFH) norm attendant on the pandemic “creates an opening for the DoD to either adapt and narrow the gap or fall further behind in competing for top-notch technical talent.”
The recommendation to hire civilian tech experts working from home “focuses on immediate, short-term actions to better use and retain active duty service members with digital innovation skills.”
Remote Workers Could Threaten National Security
Hiring outside contractors is risky. Edward Snowden, who in 2013 blew the whistle on secret mass surveillance of Americans’ communications by the National Security Agency (NSA) through its PRISM program, was a subcontractor to the NSA, working for NSA contractor Booze Allen Hamilton, a management and IT consulting firm that works closely with governmental institutions and different branches of the U.S. Armed Forces.
Snowden copied thousands of highly classified documents on the PRISM program from the agency’s files, fled the U.S. with the documents, and later released several to journalists who published them, causing outrage among many Americans when they learned of the secret surveillance.
Edward Snowden’s actions illustrate the insider threat to cybersecurity. Security experts consider insiders more of a threat to organizations and businesses than outside hackers, as they can easily access the organization’s networks and data.
Insiders were responsible for 57 percent of database breaches, according to the Verizon 2019 Insider Threat Report.
The DoD “follows battle-tested protocols for granting and controlling access to classified information, which also define the parameters and requirements of remote access,” Vahid Behzadan, an assistant professor at the University of New Haven’s Tagliatela College of Engineering, told TechNewsWorld.
These can be supplemented by technologies such as data loss prevention software, which uses business rules to control or restrict the sending of sensitive or critical information outside the network, reducing the risk of insider threats and data leaks, Behzadan said.
“However, the lack of physical supervision and inspection in such scenarios will undoubtedly increase the risk of such compromises.”
The extension of access to remote users escalates the vulnerability of the DoD to cyberattacks,” Behzadan warned, but cybersecurity is always “a tradeoff between reducing the risk of security compromises and increasing the efficiency and efficacy of the core mission.”
Technology alone is not enough, Daniel Castro, vice president at the Information Technology and Innovation Foundation (ITIF), told TechNewsWorld.
“To prevent a future Snowden, arguably the answer is ‘don’t lie to the American people’, not tighter security, Castro said. “If we don’t trust the people working at these levels of government, we have much more than a technical problem. The technology is in place to mitigate the size of a potential breach, but it cannot stop one from happening.”
WFH the New Threat Frontier
Putting sensitive data on devices in an unsecured environment like a home is risky because “the equipment can be stolen, the people can be coerced, and the data can be manually copied,” Castro pointed out. “These risks are difficult, if not impossible, to circumvent.”
Akamai Technologies, a global content delivery network, cybersecurity, and cloud service company, considers working from home the new threat frontier.
“It doesn’t make much sense to allow remote workers to access the nation’s most sensitive secrets from a home computer, Castro said. “This is the same reason banks keep money in the vault — and they haven’t decided to let the bank manager bring it home at night just because of COVID-19.”
Organizations are moving to zero trust architecture, which enables better security even when the device, network, or user cannot be fully trusted, Castro noted, “but there are limits to this model, and it’s not something that DoD can implement overnight.”
Zero trust architecture treats all users as potential threats and allows a user full access, but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can help ensure that the damage is contained.
Security Controls for Remote Access
The DoD has made moving to the cloud a priority, and this might help ensure cybersecurity for projects being worked on by civilian tech experts from home.
“The leading concern for many practitioners is maintaining visibility into and control over sensitive data as it moves across cloud applications — as these apps serve the needs of remote workers so effectively,” Pravin Kothari, Founder and CEO of cloud security solutions CipherCloud told TechNewsWorld.
The DoD should enact cloud security controls to mitigate remote access vulnerabilities and use a centralized platform to implement multi-cloud security, Kothari said.
“Most organizations use multiple cloud apps, such as Microsoft Office 365, Slack, and Box, and need to protect access and data across all of these in a unified way,” Kothari explained. They also want to apply a centralized set of security and compliance data security policies.
Using a cloud access security broker is currently the leading approach to securing a centralized platform, he advised.
Kothari recommended the DoD also use encryption for strong data protection. “Encrypting cloud data and securing the key away from the cloud service provider is absolutely essential.”
The latest trend is to use rights-based management and authorize specific users to decrypt data when, and only when, they are using it, Kothari remarked. Some organizations also encrypt cloud data broadly as an additional precaution.