When it comes to clandestine pursuits like cyber security, I generally assume that someone in the depths of the Pentagon or the National Security Agency has it covered. But to hear John Grimes tell it, there is a very thin line indeed separating the "bad guys" from the rest of us — a line the feds are working to reinforce in defense contracts.
Grimes is in a position to know about such things, having served the past two years as assistant secretary of defense for networks and information integration and DoD chief information officer. Prior to being named to the job by President Bush, he was vice president of intelligence and information systems with Raytheon.
‘Future DoD contracts will mandate that unclassified but sensitive information be protected.’
In October, Grimes gave a keynote address at the C4ISR Integration Conference in Arlington, Va., in the shadow of the Pentagon. His theme was the importance of information sharing and of protecting shared information, i.e., information assurance (IA). The defense and intelligence communities are actively collaborating on IA. This year, Grimes and Dale Meyerrose, associate deputy director of national intelligence, signed a charter establishing the Unified Cross Domain Management Office to improve information flow across networks at different clearance levels.
In a homespun way, Grimes peppered the speech with anecdotes and examples providing insight into the current state of thinking at DoD on cyber security. (One interesting note — C4ISR, the acronym for command, control, communications and computers, intelligence, surveillance and reconnaissance, is no longer being used by defense officials, said Grimes.)
Three months prior to his address, Grimes said, the Pentagon had assembled 20 defense industry CEOs, "and we set there in the room and explained to them the vulnerabilities of their networks that are processing our information." Among those in attendance were Director of National Intelligence Mike McConnell and the three service secretaries.
"We are very concerned about our networks," Grimes said. "Information sharing and information assurance... are my number one focus."
He went on: "Let me give you an example of how pervasive (the threat) is. We have this initiative called the ‘defense industrial base.’ We found some of you contractors, your systems that are processing our information under contracts for weapons systems, are being ex-filtrated a significant amount. That information was taken out of the network, aggregated, (and) becomes highly classified, highly sensitive."
A more recent meeting conducted by his deputy assistant secretary for IA, Bob Lentz, involved 175 defense contractors, Grimes said. Future DoD contracts, they’ve been informed, will mandate that unclassified but sensitive information be protected. "The primes — we’ve put them on notice, they’re responsible for their subs. We’ve seen some very interesting activities, including people writing code without clearances on a very sensitive program, and maybe even a foreign national. It’s a concern," Grimes related.
And it’s not just weapons systems that can be compromised. Grimes, who serves as a DoD liaison with FAA, said he feels strongly that "security be built into the front end" of the latter agency’s NextGen air-traffic modernization program. FAA, you will recall, recently awarded the contract to begin building the ground infrastructure for Automatic Dependent Surveillance-Broadcast (ADS-B). For better or worse, ADS-B represents the ultimate in information sharing by broadcasting an aircraft’s GPS-derived position, altitude, heading, speed, etc., to all concerned.
On a related note, I met recently with former Rear Adm. and current Raytheon executive Robert C. "Willie" Williamson, incoming chairman of the Network Centric Operations Industry Consortium (NCOIC). In just three years, NCOIC has grown from 15 founding members to 101, likely including many of the companies called to Grimes’s meetings. The consortium is assisting FAA with a Network Centric Analysis Tool that evaluates a system’s ability to operate in a network centric way.
"What we really try to do is advocate interoperability" of systems, agencies and multinational partners, Williamson told me over coffee in a Georgetown bistro. A question NCOIC seeks to answer, he said, is "how can we, as a consortium, advantage the good people?"