The call last week by the Pentagon’s top tester to temporarily halt deployment of the Department of Defense’s Joint Regional Security Stacks (JRSS) wasn’t exactly out of the blue. The DoD’s independent Director of Operational Test and Evaluation (DOT&E) said the same thing in its annual report last year, while citing some of the same problems, such as staffing shortages, difficulty in integrating disparate commercial technologies, and the lack of mature standard operating processes.
But this year’s report includes a new caution that seems to chip away at the premise behind the JRSS. The report says that the massive flows of traffic the JRSS is intended to handle might be too much for it, and suggests that the DoD consider lightening the load for each of the regional security centers.
The JRSS, whose deployment is being managed by the Defense Information Systems Agency (DISA), is the linchpin of the DoD’s vision for a Joint Information Environment, which would provide a shared infrastructure and security architecture capable of accommodating all of the military services and coalition partners. The regional centers will consolidate around 5,000 separate firewalls into a relative handful of locations domestically and overseas, allowing traffic to be monitored more efficiently than if individual military bases and outposts had to handle the job. To date, the DoD has deployed 14 of a planned 24 stacks on the Non-classified Internet Protocol Router Network (NIPRNet), with plans for 25 stacks on the Secret Internet Protocol Router Network (SIPRNet).
Part of the JRSS’ appeal is that it would bolster security by shrinking the network attack surface, giving cyberattackers far fewer points of access, while increasing the speed of the network backbone from 10 gigabits per second to 100 Gbps. The DOT&E’s report, however, suggests that the DoD could be aiming a bit too high.
“The DOD CIO and the services should consider the possibility that the data flow designed to traverse each JRSS may be too large to enable secure data management,” the report says in its recommendations, “and if that is the case, refine the JRSS deployment plans to reduce the required data flow through each JRSS.” Reducing data flows to individual JRSS implementations could mark a change from what the DoD, DISA, and the services have been pursuing for the past several years.
Overall, the report, citing the data flow volume and other ongoing shortcomings, recommends that the DoD “should discontinue deploying JRSSs until the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyberattacks.”
The DOT&E said that integrating commercial technologies has proved to be difficult, because “JRSS operator training still lags behind JRSS deployment,” leaving operators unable to effectively integrate and configure what is a complex suite of hardware and software. DISA and the Army don’t have enough personnel to properly operate JRSS, the report says. And DISA, the military services, and U.S. Cyber Command have yet to codify the tactics, techniques, and procedures for a unified operation.
Based on an operational assessment from last March, the report concludes that the JRSS “is unable to help network defenders protect the network against operationally realistic cyberattacks,” and that it has shown little improvement since a similar test in July 2017. In the wake of that test, the DOT&E in its previous report also recommended that the DoD put a hold on new deployments, including those involving the U.S. Central Command, Southwest Asia, the Marine Corps, and any involving SIPRNet.