Can the military afford ‘cheap’ shadow IT?
Mon 3 Oct 2016
The U.S. Air Force is beginning a year-long campaign to sensitise its staff about the critical nature of cybersecurity, with the aim of improving potentially dangerous practices and local cultures of complacency. But some of the tenets of the project run against the grain of best practice in security across the government and military sector.
In a letter which takes Cyber Security Awareness month as a mere starting point, Lt. Gen William J. Bender, the Chief Information Officer for the USAF, writes:
‘This October, I will highlight the most powerful tool we have available to shore up our cyber defences: our Airmen. Cybersecurity depends on every Airman regardless of rank or description. Every time you log onto a system, click on a link, download a file, or plug one device into another, we risk exposing our systems to exploitation.’
The problem of BYOD has plagued numerous branches of the military, torn between swingeing cutbacks and nation-critical security issues. The U.S. Marines have spent years seeking customisable, off-the-shelf comms systems which fit within budget but which could potentially be specced up to military security standards in a short enough time-frame not to become completely obsolete.
At the same time DARPA is soliciting citywide drone surveillance platforms with a TCO of a risible $90,000; it is not difficult to imagine some very improvisational assemblies taking their place in critical civil, government and military systems of the future under this planning mindset.
DARPA is in fact currently seeking a compromise between templated and bespoke solutions, with the Common Heterogeneous Integration and IP Reuse Strategies (CHIPS) scheme, which aims to facilitate integrated circuit chips which are bespoke as a final product, but modular and generic at a component level. This is essentially the same tension which the Marines are trying to resolve by seeking consumer hardware which can be ‘hardened’ without a delay of years. So the notion of the military ‘retrofit’ seems to be an appealing compromise between development and re-purposing.
Consumer components, often with hard-wired ‘report back’ IP connections or non-unique IDs or network protocols, may not be ideal candidates for cash-strapped soldiers and airmen. In 2014 the Indian Air Force strong-armed Chinese tech manufacturer Xiaomi into building a new data centre in India, after Indian airmen were banned from using a popular Xiaomi smartphone which sent data back to Xiaomi’s Beijing HQ by default.
The problem in tempering or turning back the tide of BYOD or consumer-level hardware in critical infrastructure and systems is not just that of a national impetus towards cost-cutting, but the appalling reputation of ‘from-zero’ government IT projects in the west. Despite its lower economy of scale, Britain’s reputation is among the worst in this respect, having wasted £12 billion on just one sweeping IT project in the noughties.
If there was ever any moment to reintroduce the possibility of truly bespoke proprietary government and military systems, it hardly seems that current economic timorousness would allow it. Yet the tension between cost and security still seems to be causing crises for government budget planners, with no resolution at hand which answers all needs.