Section 262 of the Defense Authorization Act for Fiscal Year 1996 directed the Secretary of Defense to request that the National Research Council conduct a review of current and planned service and defense-wide programs for command, control, communications, computers, and intelligence (C4I) with a special focus on cross-service and inter-service issues. (For purposes of this report, C4I systems include systems designed to support a commander's exercise of command and control across the range of military operations and to generate information and knowledge about an adversary and friendly forces.)
Although the Cold War is over, new regional threats to U.S. interests are increasingly likely. The U.S. military, in its traditional role as an instrument of national power, will be required to deal with a more varied set of military tasks and missions, helping to both establish and maintain regional peace and stability and also coping with less traditional tasks such as humanitarian relief and disaster recovery. Budget pressures have already resulted in a significantly reduced force structure and withdrawal of U.S. military presence from many overseas locations. Joint operations are now the norm, and in many cases, U.S. military operations are combined with those of allied and coalition forces. Forces responding to contingencies are likely to be employed "come as they are," with only mini-
mal time for preparation and deployment before entering the operational phase of a contingency.
The military that must play these roles has many different C4I systems, both old and new. Older systems often were built for single-purpose, stand-alone applications, and often rely heavily on military-specific technology. In contrast, current systems are increasingly being built to meet explicit requirements for interoperability and flexibility, and the Department of Defense (DOD)1 has been increasingly capitalizing on commercial information technologies for C4I systems. DOD's focus on using C4I as a way to empower the forces is an approach made easier by the fact that more and more military personnel are familiar with information technology.
To make a smaller military force more effective, DOD is planning to rely more than ever before on the use of high-technology C4I systems to leverage its military assets. DOD's vision of the future—Joint Vision 2010—is one of information superiority.2 In this vision, combat planning and execution are much faster, and smaller forces are much more autonomous and lethal. Integrated C4I systems, which exchange data and work together, help military forces to prevail against adversaries by operating in a rapid, coherent, and coordinated fashion never previously achieved. Commanders at all levels can control their forces and apply their weapons with a high degree of precision, certainty of location, and awareness of the environment and of enemy actions and intentions. Responsive and reliable information technology provides timely intelligence, greater situational awareness, and a single integrated operational picture of the battlefield.
Joint Vision 2010 is compelling, but unrealized. The evidence to support it comes from a host of sources, including analysis, simulation, ex-
periments, and experience from the private sector and DOD. These sources suggest that information technology, and by extension C4I systems, can enable entirely new modes of military operation with much greater military effectiveness, just as they have radically changed how many businesses operate. These possible new modes include greater freedom of action for small, decentralized forces and the massing of firepower rather than massing of forces.
However, the vision is as yet unrealized, because it is not yet known how to exploit information technology across the full spectrum of military operations. Realizing the benefits of new C4I technologies may well require trade-offs between the C4I systems acquisition and other force investments, as well as requiring major changes in doctrine. DOD's goal must be improved military effectiveness, not simply improved capabilities. In addition to sound military judgment, careful analysis of results from well-instrumented simulations and exercises is needed to evaluate the impact of information technology, and to drive budget trade-offs between C4I and other systems.
A related issue is that new C4I systems are based on rapidly advancing computing and communications technology, driven primarily by the commercial sector. Rapid advances usually mean rapid obsolescence, so technology exploitation must be a continuous process if superiority is to be maintained vis-à-vis potential adversaries who have access to the same underlying information technologies. Both military doctrine for C4I and the budget mix of C4I versus weapons must be periodically reevaluated.
DOD policy and strategy clearly recognize the potential value of C4I technology in enhancing military effectiveness, and a number of activities and initiatives under way, both within the services and, to a lesser extent, in the joint arena seek to realize this potential. Most prominent, of course, is Joint Vision 2010.
The committee sees three major challenges to the effective exploitation of the potential offered by C4I technology—interoperability, information systems security, and DOD processes and culture involving C4I. This report is focused on these three challenges. While all three challenges are important ones for DOD to address, the committee calls attention to the security challenge (including related process and culture issues) as posing a high level of current risk. In contrast, failure to fully exploit the potential leverage of C4I represents a longer-term risk; success depends on meeting the challenges of interoperability and DOD processes and culture with respect to acquisition and effective use of C4I technologies.
DOD has recognized the importance of these challenges in various directives and initiatives. But the totality of the DOD response to these challenges is not adequate to fully exploit C4I technologies. Furthermore,
it is unrealistic to expect to address these challenges ''once and for all." Rather, meeting these challenges will demand continuous attention and effort over time. (In more colloquial terms, each of these areas can be regarded as a partially filled glass. The level of water in the glass represents the extent to which DOD goals for C4I have been achieved.3 Today, the glass has both some leaks (representing matters becoming worse and failures to make progress) and a faucet putting water into the glass (representing DOD efforts to make progress). One could also argue that the glass is growing larger, representing the rapid increase in the capabilities that the technologies afford. A one-shot effort, no matter how massive, will eventually leak out. Thus, the challenge is to close up existing leaks (even as new leaks open up), and open the spigot on the faucet wider.)
The three major challenges—interoperability, information systems security, and DOD process and culture—are discussed in more detail below. For each area, a high-level goal is stated. Principles relevant to achieving that goal then follow; these principles are derived primarily from the committee's professional experiences and expertise in the civilian and military worlds set against what the committee saw and learned in its briefings and site visits. The committee's findings in each area are based on what the committee learned in the briefings it received and in the site visits it conducted, against the backdrop of these principles. Finally, specific and actionable recommendations in each area are made.
The principles and the findings and recommendations have different time horizons. The latter are tied to "today," that is, to the specific time frame in which the committee undertook this study. Five years from now, they may well no longer be timely. By contrast, the principles are intended to be more enduring, in that they frame useful questions that can be asked of DOD's efforts in C4I both today and in the future.
Because the recommendations are intended to be actionable today, the committee tried to identify specific offices that could take management action to make something happen. On the other hand, DOD—especially the Office of the Secretary of Defense and the Joint Chiefs of Staff—is engaged in an ongoing restructuring and streamlining effort. Thus, while the recommendations do identify action offices that the committee believes are appropriate, the intent is to focus more on what needs to be done than on the details of who is to do it. Finally, in the interests of space,
the findings and recommendations are supported in this executive summary by highly condensed versions of the argument and explanation that accompany them in the main text. Readers are urged to consult the main text for more detailed support.
Goal: Operational and technical interoperability commensurate with the role of C4I in support of multi-unit, joint, and combined missions.
Joint, flexible, and coherent operations are key components of DOD's vision (e.g., Joint Vision 2010); this means operational interoperability of forces and technical interoperability of C4I systems. Future U.S. military operations will inevitably involve elements from more than one service. Forces will probably be assembled with minimal time for planning and deployment, in ad hoc configurations, and for geographically far-flung missions that are highly diverse compared to those undertaken during the Cold War (and thus less predictable in advance). To enable fast and effective responses, interoperability must be built into the force structure across service and unit boundaries. Achieving adequate C4I interoperability is inherently a distributed, horizontal challenge that must be addressed in a largely vertical world. This means that there must be incentives and rewards for investments and actions across organizational boundaries.
- The needs of the operational military commander must be the main driver of interoperability solutions and investments. These needs exist both at the higher levels of command (e.g., the specified unified commander-in-chief or the joint task force commander) and at the tactical level where the services work together to accomplish joint missions. Interoperability is valuable not for its own sake, but only when it helps to accomplish a mission.
- While universal interoperability is neither necessary nor achievable, a high degree of interoperability is needed to provide the flexibility required for both anticipated mission needs and unanticipated operational deployments. What specific operations must be anticipated? Some are reasonably clear today (e.g., U.S. war plans for responding to a North Korean attack in the Korean peninsula define a specific operational context for U.S. and allied forces). Even when the theater of operations is not known, certain mission needs are likely (e.g., the need to ensure air superiority or to provide defenses against ballistic and cruise missiles). But other contingencies in which U.S. forces will be deployed will be unexpected, which places a premium on flexibility in the operational capabilities of U.S. forces—including interoperability.
- Interoperability must be balanced against other fundamental attributes of C4I systems, including security, availability, flexibility, survivability, and performance. Military commanders need many things from their C4I systems besides interoperability, and trade-offs among these needs are often required.
- C4I interoperability requires a unifying framework and a body of definitive implementing guidance. The C4I "system of systems" is large, complex, and distributed across organizational, program, and geographical boundaries. A framework and guidance are crucial because achieving C4I interoperability is largely a matter of management, design, and implementation discipline rather than of resolving technical issues. To date, the DOD has partially codified the framework and guidance in the still-incomplete architectural triad of technical, systems, and operational architectures.
- When developing architectures, use a small team. Good architects are critical in developing a good architecture. The role is demanding, requiring an ability to balance needs and resources, technologies, and the interests of multiple stakeholders. Good architectures usually result only when a small number of people are responsible for their content and structure. Good architectures are unlikely to emerge from a large team or from a broad consensus-based approach. These almost always involve compromises that lead to excessive complexity rather than a clear design philosophy, which in turn confuses the implementers.
- Decompose the problem of achieving defense-wide interoperability into manageable pieces. This principle arises from three underlying factors. First, the domain must be sufficiently bounded that progress can be made before the key players, mission requirements, or technology change significantly. An effort that is too large will simply never reach closure. Second, the problem to be addressed must not be overly complex. Third, the small teams required by the previous principle can only undertake problems of limited scope. The defense-wide network of systems, and the full spectrum of missions, are simply too large to be approached in one single effort.
- Assess interoperability on the basis of ongoing training and testing . Using standards makes interoperability among C4I systems easier, but does not guarantee it. Standards do not provide a complete design specification. Furthermore, given the continuing, asynchronous fielding of new systems and capabilities, interoperability is a time-perishable commodity. Only ongoing testing of a C4I system throughout its life cycle will ensure interoperability. This must include training and testing across a wide range of possible configurations that includes the other C4I systems with which it is expected to interoperate.
- Measure progress toward interoperability goals. Measurement and assessment—and reporting of results in a visible way—are essential to continued focus and to setting the right priorities (an instance of the general measurement principle that is articulated below under the process and culture goal). Despite laudable case-by-case efforts, there is today no method for tracking interoperability on a comprehensive or systematic basis.
- Build a common defense-wide infrastructure to facilitate interoperability. Where common systems and software are used, it is easier to make them interoperate. Common infrastructure is not a cure-all, however. It will not, for example, address some user or mission-specific needs.
- Engineer for flexibility.
- Use commercial off-the-shelf (COTS) products, services, and technology whenever possible. COTS products and services improve quickly, are more sustainable, and are usually less expensive than those custom-provided to the military. When commercial products are used, the vendor often assumes much of the burden of ensuring interoperability and backward compatibility. Decisions to use COTS products and services must, however, take into account possible security risks.
- Use standards. Technical standards are one way of planning for the future. Compliance with technical standards is an investment that makes future interoperability easier, though by no means certain.
- Base architectures and system designs on layering and clean interfaces. Layered architectures make it possible to exploit technological progress in some parts of a system without the need for a total system redesign. Clean interfaces make it easier to interoperate with other systems that conform to those interfaces. Interfaces are an investment in the future: by providing well-defined ways to access systems and capabilities, they make it easier to compose these components in new ways in the future, or to use existing systems in new ways.
Make data self-describing to permit future interoperability. Another investment in future interoperability is to identify the meaning of data so that it can be used in future applications. Examples include recording and transmitting not only a position but also the coordinate system it is given in, or generating a time stamp for a target track to help other systems resolve multiple tracks.
Finally, because the analysis of and solutions to interoperability problems are inherently distributed throughout and across the DOD, interoperability efforts should be guided by a final principle:
- Achieving interoperability requires responsibility and authority that crosses organizational boundaries—a requirement that implies the need for strong top-down leadership. This crossing of boundaries is particularly important to the development and fielding of systems that support joint operations, as well as to the development of doctrine for joint operations. The DOD must search for practical ways to reward interoperability and impose sanctions for ignoring it. Sanctions are unwieldy and can be applied only at great cost and effort, and only in a few cases. Therefore, although they do have value in focusing attention on flagrant offenders, it is much better in the long term to establish a culture that rewards interoperability.
Parts of DOD are well aware of a defense-wide problem in exploiting rapidly changing information technologies, in using commercial off-the shelf products effectively, and in security. There are in place today a DOD strategy and ongoing efforts to promote interoperability, resting on technical standards such as the Joint Technical Architecture and the use of a defense-wide common infrastructure. While much has been accomplished, the goal of a C4I system of systems with assured interoperability for the U.S. military continues to be unachieved. Progress has in many cases been slow, and past C4I studies 4 show that many documented C4I interoperability problems remain unresolved. Despite increased attention and management awareness, much more must be done before C4I interoperability is sufficient to provide adequate end-to-end support of military missions and cease being a major constraint on the execution of military operations.
Finding I-1: While the elements of DOD's current strategy for achieving interoperability are positive, they are not being fully executed. Both formulation and implementation have gaps and shortfalls.
The DOD technical interoperability strategy (adopting an architectural approach, building to standards defined by the Joint Technical Architecture, and developing a common, defense-wide "public utility" infrastructure) builds on the best practice in industry and is a very important step that promises to significantly improve interoperability over time. At the same time, this strategy is not being fully executed. There has been insufficient progress in the development and implementation of the Joint
Systems and Joint Operational architectures, in ensuring compliance with the Joint Technical Architecture, and in building and using a common infrastructure.
Finding I-2: Even full execution of the DOD strategy for interoperability will not assure that joint mission needs for C4I will be met.
First, priorities must be set and the problem bounded in size to make it more manageable. Second, interoperability must be built in throughout the life cycle of C4I systems—in development, initial fielding, ongoing assurance, and resolving problems faced by deployed forces. Third, there must be a system to measure the interoperability of C4I systems, both for assessing progress in development and acquisition and for assessing the interoperability component of force readiness. Fourth, there must be concrete guidance on technology evolution and the role of COTS technology. Finally, neither the DOD-wide mandatory Enterprise Data Model Initiative5 nor the voluntary collaboration approach to data interoperability embodied in the Shared Data Environment (SHADE) program is likely to be adequate.
Some of the interoperability challenge stems from the broader issue of the distributed, horizontal structure and organization of DOD itself, as established by Title X. The recommendations that follow do not assume any changes to this fundamental framework. While the specifics of these recommendations are directed at achieving interoperability among U.S. forces, the principles they embody do apply to interoperation with at least some coalition partners—those who are members of an existing alliance framework. However, management is clearly much more complex when several nations are involved.
Recommendation I-1: The Assistant Secretary of Defense for C3I and the Joint Chiefs of Staff should complement the DOD's current broad interoperability strategy with focused efforts in limited, operationally important domains, to include the development of Joint Operational and Joint Systems architectures for these domains.
An all-at-once development of an operational architecture covering the entire span of DOD's operational requirements is not feasible. Opera-
tional architectures must instead be developed for particular joint missions or tasks, organized either around significant operational capabilities or around mission slices. These slices or capabilities should be operationally important, be inherently joint, involve a large enough number of systems to warrant the effort, and be ones where significant foundational work has already been done. The focused activities would complement the defense-wide standards and common infrastructure initiatives that provide a necessary foundation for mission-specific capabilities.
Recommendation I-2: The Secretary of Defense should establish a joint C4I integration and interoperability activity to address integration and interoperability throughout the entire life cycle of C4I systems.
Current DOD activities for promoting C4I interoperability should be augmented in three areas: cross-service testing starting early in the development process, ongoing interoperability assurance in operational contexts, and interoperability support for deployed forces. The joint C4I integration and interoperability activity would do this work, taking development, testing, and training roles in peacetime and providing support during exercises and operational deployments.
Recommendation I-3: The Secretary of Defense, the Assistant Secretary of Defense for C3I, and the Chairman of the Joint Chiefs of Staff should establish processes to assess C4I interoperability on a regular basis.
Recommendation I-3.1: The Assistant Secretary of Defense for C3I and the Joint Chiefs of Staff should develop a set of "interoperability scorecards" as a basis for management, covering the spectrum from compliance with standards to successful end-to-end mission support.
Three scorecards are proposed—technical, systems, and operational—corresponding to the elements of the architectural triad. A technical compliance scorecard assesses how well systems comply with defined interoperability standards and guidance. A systems interoperability scorecard measures actual interoperability between C4I systems. An operational interoperability scorecard measures the ability of a set of systems to satisfy the information flows needed for a particular mission.
Recommendation I-3.2: The Chairman of the Joint Chiefs of Staff should establish a process to incorporate C4I interoperability into readiness reporting.
Although individual combat units can report their combat readiness, they often cannot assess their interoperability readiness. The readiness of
C4I systems must be assessed at higher echelons of command, particularly those with a joint perspective. Today no formal combat readiness reporting system exists at these levels. The system that the Chairman of the Joint Chiefs of Staff develops must focus on assessing the ability of forces to conduct end-to-end missions, based on a realistic set of scenarios for how units are to be employed. It may be appropriate to focus assessment efforts in the same mission slices as those in which the activities proposed in Recommendation I-1 are conducted.
Recommendation I-4: The services and agencies should designate an activity within the program offices for C4I systems (and weapons systems with embedded C4I) to be explicitly responsible for resolution of architectural and system-level issues that determine interoperability.
An "interoperability cell" or equivalent in C4I program offices would provide a central point of focus for interoperability issues, with an outward-looking cross-service perspective. Such an activity would provide a "bottom-up" approach to interoperability to complement "top-down" architectural and common infrastructure efforts. The cell would be responsible for revising architecture as needed to accommodate changes in doctrine, tactics, techniques, procedures, and equipment; engaging the stakeholders in a particular C4I system in making that system interoperable; and negotiating interoperability issues with those responsible for "neighboring'' systems.
C4I Systems Security
Goal: C4I systems that remain operationally secure and available for U.S. forces in the face of attacks by adversaries.
The more military leverage that C4I systems provide for U.S. forces, the larger the incentives are for an opponent to attack those systems. Indeed, it makes little sense for an opponent to challenge the United States symmetrically, i.e., force on force. More likely avenues of challenge are asymmetric ones that exploit potential U.S. vulnerabilities. Attacking U.S. C4I systems—whether directly or indirectly (e.g., through the U.S. civilian information infrastructure on which DOD C4I systems often depend)—is only one of many possible asymmetric attacks, but one for which the United States must be adequately prepared. Because the DOD understands the challenges of physical security for C4I systems very well, this report focuses on cyber-security.
- A culture of information security is required throughout the organization . The culture of any organization determines how seriously its members take their security responsibilities. For information security, policies and practices are at least as important as technical mechanisms. Policies specify the formal structures, ensure responsibility and accountability, establish procedures for using technical means of protection and assigning access privileges, create sanctions for breaches of security at any level, and require training in the relevant practices and use of security technologies. Furthermore, senior leadership must take the lead to promote information assurance as an important cultural value. Top-level commitment is not sufficient to ensure good security practices. Without it, however, organizations will not focus on security but will expend their energy on other things that seem more directly related to their core missions.
- Cyber-attack is easier than cyber-defense. The reason is that effective defense must be successful against all attacks whereas an attacker need succeed only once. Cyber-attack is easier, faster, and cheaper than cyber-defense. Paradoxically, cyber-attack appears to be more highly rewarded in U.S. military culture. Consequently, experts in cyber-attack are more numerous than those in cyber-defense. Today, the need for cyber-defenders far outstrips the supply, and defenders must be allocated wisely, encouraged in their efforts, and increased in their numbers.
- Cyber-attackers attack the weakest points in a defense, and every system has weak points. ("An army is like water: it avoids obstacles and flows through low places.") Thus, the security of a system—any system—can never be guaranteed. Any system is always compromised to some extent, and a basic design goal of any system must be that it can continue to operate appropriately in the presence of a penetration. Vulnerabilities include fraudulent identification and authorization, abuse of access privileges, compromises in the integrity of data or programs, and artificially induced disruptions or delays of service.
Implementation of good system security depends on several principles:
- Defend in depth. Defense in depth is a sound countermeasure against security failures at a single point and also against security failures that share a common mode. Furthermore, an attacker that faces multiple defenses must have the expertise to overcome all of them (rather than just one) and must also expend the time required to overcome all of them.
- Ensure graceful degradation of compromised systems. Prudence requires C4I developers and operators to assume some non-zero probability that any system will be successfully attacked, that some DOD systems have
- been successfully attacked, and that some C4I systems are compromised at any given moment. Nevertheless, most of the C4I systems connected to compromised components (and organizations that rely on these systems) should be able to function effectively despite local security failures.
- Manage the tension between security and other desirable C4I attributes , including user convenience, interoperability, and standardization. This tension is unavoidable. The desire for any of these attributes should not be used as an excuse for not working on security, or vice versa. From an acquisition standpoint, security is currently too often regarded as an afterthought in the design and implementation of C4I systems.
- Do what is possible, not what is perfect. Insistence on "perfect" security solutions for C4I systems means that as a practical matter, C4I systems will be deployed without much security functionality. By contrast, a pragmatic approach that makes significant use of commercial information security products and provides moderate protection is much better than nothing. In this respect information security is very different from communications security, because information systems are much more complex.
- Recognize the inherent weaknesses in passive defense. Because passive defense techniques are used to provide security, an unsuccessful attack on a C4I system usually does not result in a penalty for the attacker. Thus, a persistent attacker willing to expend the time to find weaknesses in system security will eventually be successful. Cyber-defenders of C4I systems must anticipate facing persistent attackers.
Finding S-l: Protection of DOD's information and information systems is a pressing national security issue.
DOD is in an increasingly compromised position. The rate at which information systems are being relied on outstrips the rate at which they are being protected. Also, the time needed to develop and deploy effective defenses in cyberspace is much longer than the time required to develop and mount an attack. The result is vulnerability: a gap between exposure and defense on the one hand and attack on the other. This gap is growing wider over time, and it leaves DOD a likely target for disruption or pin-down via information attack.
Finding S-2: The DOD response to the information systems security challenge has been inadequate.
In the last few years, a number of reports, incidents, and exercises have documented significant security vulnerabilities in DOD C4I systems.
Despite such evidence, the committee's site visits revealed that DOD's words regarding the importance of information systems security have not been matched by comparable action. Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense. Furthermore, in many cases, DOD is prohibited by law and by national policy from taking retaliatory action against a cyber-attacker that might deter future cyber-attacks. On the technology side, information systems security has been hampered by a failure to recognize fully that C4I systems are today heavily dependent on commercial components that often do not provide high levels of security. Furthermore, the C4I security practices that the committee observed in many of its site visits were far inferior to the standard set by the best DOD and private-sector practices for information systems security. Given the importance of DOD C4I systems to the national security and the sensitivity of the information handled in those systems, the committee would have expected DOD C4I security practices, in general, to reach a higher standard than was found.
The committee believes that operational dimensions of information systems security have received far less attention and focus than the subject deserves in light of a growing U.S. military dependence on information dominance as a pillar of its warfighting capabilities. Furthermore, the committee believes that it is urgent that DOD greatly improve the execution of its information systems security responsibilities .
One critical aspect of improving information systems security is changing the DOD culture, especially within the uniformed military, to place a high-value on it. With a culture that values the taking of the offensive in military operations, the military may well have difficulty in realizing that defending against information attack is more critical and more difficult than conducting an information attack against an adversary. Senior DOD leadership must therefore take the lead to promote information systems security as an important cultural value for DOD. The committee was encouraged by conversations with several senior defense officials, both civilian and military, who appeared to take information systems security quite seriously. Nevertheless, these officials will have a limited tenure, and the need for high-level attention is a continuing one.
A second obstacle to an information systems security culture is that from an operational perspective good security often conflicts with getting things done. And because good information systems security results in nothing (bad) happening, it is easy to see how the can-do culture of DOD might tend to devalue it.
Recommendation S-1: The Secretary of Defense, through the Assistant Secretary of Defense for C3I and the Chairman of the Joint Chiefs of Staff, should designate an organization responsible for providing direct operational support for cyber-defense to commanders.
Defensive information operations require specialized expertise that may take years to develop. This means that in the short run it is unrealistic to expect operational units to develop their own organic capabilities in this area. An organization that supports all commanders would bring specialized defensive expertise to bear in both exercises and real military operations. Close coupling between operators and the information systems security arena is a necessary precondition for achieving adequate security in fielded systems.
Recommendation S-2: The Secretary of Defense should ensure that adequate information system security tools are available to all DOD civilian and military personnel, direct that all personnel be properly trained in the use of these tools, and then hold all personnel accountable for their information system security practices.
Accountability for upholding the values of an organization is an essential element of promulgating a culture. Once senior leaders have articulated a department-wide policy for information assurance and provided personnel with appropriate tools, it is necessary to develop well-defined structures with clear lines of responsibility. Accountability depends on the availability of adequate tools that make good security possible with reasonable effort; ongoing education and training in security practices; incentives, rewards, and opportunities for professional advancement for promoting compliance with good security practices; continuous measurement of security; and sanctions for violations of good information assurance practice that are applied uniformly and consistently to all violators, regardless of rank.
Recommendation S-3: The Secretary of Defense, through the Assistant Secretary of Defense for C3I, the Chairman of the Joint Chiefs of Staff, and the CINCs,6 should support and fund a program to conduct frequent, unannounced penetration testing of deployed C4I systems.
Because all systems have technical and operational vulnerabilities (and develop new ones as they evolve), a continuing search for those weaknesses is essential. Only independent and unscheduled "red team" probes provide reliable information on actual weaknesses. This information can be used to enforce accountability for good security practices or to focus attention on necessary technical or procedural fixes, depending on the source of the weakness. Note the critical focus on C4I systems that are operating in a "full-up" mode, rather than on individual C4I components.
Recommendation S-4: The Assistant Secretary of Defense for C3I should mandate the immediate department-wide use of currently available network and configuration management tools and strong authentication mechanisms.
DOD-wide use of proper configuration management tools and strong (non-password) authentication mechanisms would be an important step toward upgrading the security of DOD C4I systems to the level of best practices in the private sector. Network management tools can continuously monitor the operational configuration of a network and all of its component machines, alerting the administrator when variances from known (and safe) configurations are detected. Strong authentication mechanisms nearly eliminate the vulnerabilities of passwords for authentication. Furthermore, they can also be used to authenticate all computer to-computer communication; thus all communications carried in the network can be authenticated rather than just those originating from outside a security perimeter.
Recommendation S-5: The Under Secretary of Defense for Acquisition and Technology and the Assistant Secretary of Defense for C3I should direct the appropriate defense agencies to develop new tools for information security.
Aligning DOD information security practice with the best practices found in industry today would be a major step forward in the DOD information security posture, but it will not be sufficient. Given the stakes of national security, DOD must go further. Going further will require research and development in many areas, including configuration control and systematic code verification; fine-grained authorization for resource usage; tools for adaptive or active defense; accurate and rapid location of attackers in cyberspace; secure composition of secure systems and components to support ad hoc (e.g., coalition) activities; better ways to configure and manage security features; generation of useful security specifications from programs; more robust and secure architectures for
networking (e.g., requiring trackable, certified authentication on each packet, along with a network fabric that denies transit to unauthenticatable packets); and automatic determination of classification from content.
Recommendation S-6: The Chairman of the Joint Chiefs of Staff and the service Secretaries should direct that a significant portion of all tests and exercises involving DOD C4I systems be conducted under the assumption that they are connected to a compromised network.
Prudent operation of C4I systems requires C4I developers and users to assume some non-zero probability that any system will be successfully attacked, that some DOD systems have been successfully attacked, and that some C4I systems are compromised at any given moment. (A "compromised" system or network is one that an adversary has penetrated or disrupted in some way, so that it is to some extent no longer capable of serving all of the functions that it could serve when it was not compromised.) However, despite this assumption, most of the C4I systems connected to the compromised components should be able to function effectively despite local security failures. Exercises conducted under this pessimistic assumption allow the U.S. military to be trained in how to use its C4I systems and networks even if they have been compromised, as well as for the possibility that they will be largely unavailable for use at all.
Recommendation S-7: The Secretary of Defense should take the lead in explaining the severe consequences for U.S. military capabilities that arise from a purely passive defense of its C4I infrastructure and in exploring policy options to respond to these challenges.
The notion of cyber-retaliation raises many legal and policy issues, such as differences between appropriate responses in wartime and peacetime, how to respond to domestic and foreign attackers (and attackers of uncertain origin), and the role of law enforcement authorities vis-à-vis the role of DOD. As a first step, DOD should review the legal limits on its ability to defend itself and its C4I infrastructure against information attack. After such a review, DOD should take the lead in advocating changes in national policy (including legislation, if necessary) that amend the current "rules of engagement" specifying the circumstances under which force is an appropriate response to a cyber-attack against its C4I infrastructure. The committee was not constituted to address the larger questions of national policy, e.g., whether other national goals do or do not outweigh the narrower national security interest in protecting the U.S.
military information infrastructure. It is explicitly silent on the question of whether DOD should be given the authority (even if constrained and limited to specific types and circumstances) to allow it to retaliate against attackers of its C4I infrastructure. But the committee does believe that DOD should take the lead in explaining the severe consequences for its military capabilities that arise from a purely passive defense.
DOD Process And Culture
Goal: A DOD culture and management system that fully reflects the importance of C4I in future military operations and the pace at which the underlying technologies evolve.
While both C4I interoperability and C4I security have technical and non-technical elements, DOD process, culture, and military doctrine are not issues of technology per se. Rather, they are issues of management and how to exploit the leverage afforded by technology as fully as possible. Realizing the full potential offered by Joint Vision 2010 will require significant doctrinal innovations that combine technology with new operational concepts. At the same time, just as many private-sector attempts at reengineering fail, new doctrines, new modes of operation, or new tactics may look promising but be unsound in fact. Thus, continuing exploration and experimentation are needed to validate major changes in these areas. In addition, the pace of progress in the underlying information technologies means that internal DOD processes to deal with the acquisition of C4I systems—as well as the trade-offs in emphasis among C4I, weapons systems, and personnel—will have to be changed radically if the DOD is to fully exploit advances in information technology. Joint Vision 2010 provides a top-level vision of what C4I technology can do for military operations, but the road from vision to realization is quite rocky, and progress has so far been too slow. DOD is changing, but it is not changing fast enough to fully exploit the opportunity for information superiority.
- Cultural change requires a clear vision of what is to be, together with processes that refine and communicate the vision. A clear vision is the essential starting point for changing organizational culture to take advantage of information technology.
- The senior leadership of the organization must be persistently, visibly, and deeply committed to driving cultural change.
- The organization must be willing and able to reengineer key processes in order to take maximum advantage of technology.
- The organization must be willing and able to reallocate resources commensurate with its vision, because the introduction of new technology is often expensive in the short term (both for procurement and training).
- The organization must systematically measure progress and change in its organizational processes, results, and performance of key people. Measurements are needed so that the organization can understand what remains to be done in achieving its goal.
Special attention must be paid to the DOD acquisition system and the human resource base. If DOD is to effectively exploit rapidly evolving information technologies, the acquisition system for C4I systems must take due account of several principles:
- Accept the "80% solution." Because users are often unable to specify exactly what they want until they see it, implementing an 80% solution provides a useful point of departure from which users can articulate their needs more precisely. Furthermore, an 80% solution provides immediately useful functionality, as well as benefits in the form of cost reduction and time to delivery.
- Accept and manage risk in oversight processes. Because information technology changes so rapidly, investments in C4I systems are inherently risky. They enable new ways of conducting military operations that may be at odds with established doctrine, and if not managed properly they run the risk of being obsolete before they are available for use. Decision makers will never have anything approximating perfect knowledge of how a C4I system will be used, and so risks must be accepted as part of the decision-making process.
- Test C4I systems cooperatively, collaboratively, flexibly, and continuously.
- Exploit experimental programs. Only through experiments can new C4I-enabled modes of military operations be discovered and explored, and their implications for C4I use understood.
- Seek budget flexibility. Especially in the context of a 5-year defense budget plan, funding should be promptly available to take advantage of unanticipated C4I applications.
The human resource base of the DOD is also critical to the effective exploitation of information technology. The following principles are important:
- Technology specialists and combat operators must be knowledgeable about both operations and technology. Combat operators should be deeply knowledgeable about the present and projected capabilities offered by
- C4I systems, and C4I specialists should be deeply knowledgeable about combat operations. The full potential of C4I can be achieved only by exploiting the synergy between operations and technology. Such reciprocal knowledge about one another's domains will undoubtedly require cross-training.
- Career paths in DOD must provide competitive reward, professional challenge, development, and recognition. DOD must compete with the private sector for information technology expertise, and while it cannot offer compensation packages equal to those found in the private sector, it must go out of its way to reduce the differential.
Finding P-l: DOD processes dealing with the acquisition of C4I systems have not been adequately restructured to account for the rapid pace of development in the commercial information technologies on which such systems will inevitably build.
The current acquisition system is particularly ill-suited to C4I systems. First, program management and oversight processes are heavily weighted toward metrics associated with historical acquisition methods associated with weapons systems in which the underlying technologies change much more slowly. Second, DOD no longer enjoys the leverage it once had in developing and applying information technology. Thus, C4I systems—unlike most weapons systems—increasingly rely on commercial technologies. Third, the current acquisition process assumes that a service can identify a specific system or program to address specific and articulated military needs. Such an assumption may be reasonable for weapons systems, but it is inadequate for C4I systems for two reasons. One reason is that C4I systems, and especially infrastructure such as networks, are often more valuable in enhancing the capability of several weapons systems than in meeting specific needs. A second reason is that C4I users more often come to understand their requirements by experimenting with prototypes than by deep intellectual analysis conducted on paper. Finally, acquisition personnel have not been well trained to manage C4I acquisitions or socialized into an information technology culture.
Finding P-2: In many instances, operational processes do not appear to have been reengineered to take full advantage of the capabilities that C4I technology can provide.
Commercial experience strongly suggests that the maximum benefits of information technology come not from automating existing business
processes, but rather from developing new processes that take full advantage of the new technologies. Such reengineering is quite difficult both for the private sector and for the DOD. When successful, however, reengineering gives enormous leverage. The competitive arena for the military is not as well defined as that for private-sector enterprises, but reengineered, technology-exploiting operational processes should yield major competitive advantage in the military, driving revisions of doctrine, smaller logistics footprints, enhanced agility, and a redefinition of the skill set required in the fighting forces. In its site visits and briefings, the committee saw a wide range of organizational responses to C4I technology. In some cases, new modes of combat operations were being explored and potential points of high leverage found. However, in most cases that the committee observed, C4I technology was being used to speed up existing processes. Some benefits were apparent from these latter efforts, but incremental application of technology in this way seldom results in large (order-of-magnitude) benefits.
Finding P-3: The military services have not accorded to information technology and C4I professionals stature comparable to their increasing importance for battlefield operations.
Well-trained C4I professionals are essential to the successful operation of modern military weapons such as jet fighters, warships, and sophisticated ground-based weapons. However, DOD is not succeeding in creating either the environment or the incentives to attract and retain such human resources. One problem is that DOD has not yet found a way to integrate its C4I personnel into combat line elements and to make them fully conversant with military doctrine, strategy, and tactics. Rather, they are often regarded as implementers of high-level strategy decisions that are made without their input, and the status and prestige of C4I specialists are not comparable to those of personnel in traditional combat arms specialties. Furthermore, the DOD culture tends to discourage attracting and retaining the necessary engineering, system integration, and applications talent for implementing and sustaining high-technology C4I systems. The private sector can offer greater monetary rewards, personal recognition, and opportunity for advancement, and thus beckons to every engineer, technician, and system specialist in the military—enlisted or officer.
Finding P-4: The DOD process for coupling end-user operational needs to C4I systems is inadequate.
The general principle that operational needs should drive the acquisition system is well established within DOD. But under the traditional
acquisition system, warfighter input (from the perspectives of the CINCs) enters the acquisition process only at the start of a new program. Thus, input from the end users—the field commanders—cannot easily be accommodated, because it is generally infeasible to specify requirements for C4I systems in a form that they can be handed ''over the transom." Furthermore, warfighter input (especially that from a joint perspective) can be diluted when individual services are responsible for setting system requirements.
Finding P-5: Achieving C4I interoperability is more a matter of organizational commitment and management (including allocation of resources, attention to detail, and continuing diligence) than one of technology.
Many parties alleged to the committee that higher degrees of C4I interoperability would require additional funding. While this is undoubtedly sometimes true, major cost savings are possible in the development of a system by reusing existing work (whether manifested as preexisting military technology or COTS technology). Most importantly, total life cycle costs may well be less when the need to hedge against unanticipated needs for interoperability is factored in, because retrofitting systems for interoperability results in working such problems case by case, providing expensive curative rather than inexpensive preventive medicine. Finally, interoperability can make it easier to use existing resources efficiently. The committee believes that senior DOD leaders, both civilian and military, take interoperability challenges quite seriously. But DOD is not establishing a culture supportive of C4I interoperability that will outlive today's senior leaders. Without such a culture, DOD efforts to promote and enforce interoperability will be fragile.
Recommendation P-l: The Secretary of Defense, working with the service Secretaries and the Chairman of the Joint Chiefs of Staff, should establish in each of the services a specialization in combat information operations, provide better professional career paths for C4I specialists, and emphasize the importance of information technology in the professional military education of DOD leadership.
Today, the treatment of the technical force in DOD relegates C4I specialists to the second-class status of support, rather than line functions. If it is true that information is critical to modern warfare, and that information dominance can provide the operational military advantages of large
forces without their costs, then C4I specialists must be better aligned with those in the mainstream operational community. Furthermore, senior commanders must have a good understanding of how best to exploit C4I to enhance military operations. Information system employment must become a first-line combat function, just like employment of combat forces and weapons. C4I specialists must be trained in the doctrine, strategy, tactics, and combat employment of military forces, and be fully integrated into combat units and operational planning elements of the military forces. DOD should also provide increased opportunities for promotion and recognition, as well as higher pay scales, for C4I specialists.
Recommendation P-2: The Under Secretary of Defense for Acquisition and Technology should train its civilian and military personnel who participate in the acquisition of C4I systems to understand the difference between C4I systems and weapons systems.
Program managers must understand the intrinsic differences between C4I and weapons technologies, and they must be able to argue the significance of those differences in front of acquisition boards and oversight councils that are more accustomed to dealing with weapons systems. Today, conservative "by the book" approaches that are better suited to long-lived weapons systems are regularly applied to C4I systems, even though existing acquisition rules allow considerable flexibility in the management of a C4I program.
Recommendation P-3: In order to explore and develop ("incubate") new ideas for the use of information technology to support military needs, the Secretary of Defense should establish an Institute for Military Information Technology either as a free-standing unit or by expanding the charter of an existing institution.
All levels of the DOD/service hierarchy contain individuals with good insights about existing problems, ideas about how to fix those problems, and innovative concepts about how C4I technology could be used to improve military effectiveness. But because of the traditional military command structure, those at lower levels of the hierarchy face considerable risk if they challenge the conventional wisdom. The purpose of the proposed institute would be to facilitate intellectual risk taking by bringing together for extended periods of time combat operators, military information technologists, and civilian information technology experts from academia and industry in an environment where innovative ideas for using information technology to support military needs could be explored relatively freely.
Recommendation P-4: The Assistant Secretary of Defense for C3I and the Under Secretary of Defense for Acquisition and Technology, working with the service Secretaries and the Chairman of the Joint Chiefs of Staff, should direct that as a general rule, every individual C4I acquisition should (a) use evolutionary acquisition; (b) articulate requirements as functional statements rather than technical specifications; and (c) develop operational requirements through a process that includes input from all the services and the CINCs.
Over the time scale of a typical military C4I program, the applicable technology underlying the program, as well as operational requirements for its use, the doctrine that governs its operation, and the world and local environments in which it must operate, can be expected to change dramatically. For these reasons, the initial requirement should be for an "80% solution" to the functional requirement. This will encourage the use of commercial technology and dramatically reduce the cycle time for developing new C4I systems. Furthermore, the use of functional requirements is a way to avoid overspecifications of design that limit the ability of a supplier to find better or more cost-effective ways of implementing the system. And, if all U.S. C4I systems are to be regarded as being for use in joint operations, the requirements definition process for C4I systems should be under the control of a group that represents the interests of all stakeholders. If all the services and CINCs participate in formulating requirements, not just in reviewing them, it is more likely that the system will satisfy needs for joint operation.
Recommendation P-5: The Secretary of Defense should seek, and the Congress should support, an appropriate level of budgetary flexibility to exploit unanticipated advances in C4I technology that have a high payoff potential.
As new commercial information technologies and applications emerge that can significantly improve military capabilities, management and budgeting must make it possible to exploit them. High-value C4I applications may emerge quickly (e.g., as the result of experiments or demonstrations such as the Joint Warrior Interoperability Demonstration) or on a track other than the normal acquisition track (e.g., as the result of an advanced concept technology development (ACTD)). Proper follow-on requires a process for inserting such applications into the appropriate phase of the acquisition process. Since service budgets do not include extra funds for such circumstances and reprogramming funds is a difficult task (implying that an otherwise funded program must be short-changed), an "offline" funding mechanism is required to cover unanticipated needs. Finally,
even if an ACTD does not enter the mainstream acquisition process, funding streams are needed to ensure that leave-behinds from ACTDs are compatible with the other systems where they are deployed, and are maintainable and supportable.
Recommendation P-6: DOD should put into place the foundation for a regular rebalancing of its resource allocations for C4I.
Recommendation P-6.1: The Under Secretary of Defense (Comptroller) should explicitly account for C4I spending as a whole in DOD's budget process.
Because the technologies underlying C4I change so rapidly, a DOD commitment to U.S. information superiority on the battlefield of the future must be accompanied by a continuing examination of the resources allocated to C4I, especially relative to other important categories of spending such as readiness, weapons, and force structure. Because C4I is not an explicit budget category within the annual DOD budgeting process, the services for the most part determine their own C4I priorities and how those weigh against their needs for force structure and weapons procurement. Without knowing what is being spent on C4I in any given year by all the services, it is obviously difficult to make informed defense-wide overall trade-offs.
Recommendation P-6.2: The Joint Chiefs of Staff should develop and use measures of military effectiveness that can be used to assess the contribution of C4I to military effectiveness.
Spending more on C4I would necessarily mean spending less on other modernization, readiness, and force structure. DOD therefore needs to be reasonably confident that the gain attributable to C4I outweighs the loss in other areas if it moves in this direction. Quantitative measures of military effectiveness will thus be necessary to support a continuing process of rebalancing investment among C4I, weapons, and force structure (and among C4I systems themselves).
Recommendation P-7: The Secretary of Defense, the Chairman of the Joints Chiefs of Staff, the CINCs, and the service Secretaries should sustain and expand their efforts to carry out experimentation to discover new concepts for conducting information-enabled military operations.
Experimentation within the DOD context is analogous to business process reengineering in the private sector. Both seek radically new ways
of doing things that create value and advance the ability of the organization to conduct military operations or to make money. Significant experimentation is under way within the DOD today. Nevertheless, it is all too easy to fall back to "business as usual" when faced with budget pressures. Experiments are undeniably expensive, and failure is to be expected from time to time. Well-meaning critics who focus on the cost and possible failure of particular individual experiments may do more damage than good in the long run. Fortunately, such criticism is rare today, but in the face of budget pressures to cut back on experimentation, the Secretary of Defense, the Joint Chiefs of Staff, and the service Secretaries will have to strongly uphold the value of investing in the future.
Recommendation P-8: DOD should develop and implement a set of management metrics that are coupled to key elements of C4I system effectiveness.
Achieving large-scale cultural change in an organization requires commensurate change in management metrics. Metrics are a major motivator of human behavior and have been demonstrated to be an essential element of making improvements: they are the base for driving continuous progress. Management metrics measure the characteristics or performance of an organization and are used by senior management to assess the effectiveness of the organization and its leadership. To assess and drive the cultural change needed to fully exploit C4I in warfighting, metrics are needed for such key areas as interoperability, security, and overall rate of implementation, as well as such associated elements as training, skill, and resource levels. These metrics should be as quantitative as possible, though in some cases judgment-based ratings will have to be used. The metrics should be applied both to units and to commanders at higher echelons in a manner consistent with their responsibilities.
Advanced C4I systems and technology offer the potential for enabling radically more effective military forces. But if this potential is to be realized, DOD will need to fix existing vulnerabilities in information systems security as well as to address challenges posed by C4I interoperability and to embrace and accommodate an information-age culture. Only through sustained action in these areas will DOD's needs for capable C4I systems be met in the coming decades.