The DoD CIO serves as the principal adviser to the Secretary of Defense for information management/information technology and information assurance, as well as non-intelligence space systems, critical satellite communications, navigation and timing programs, spectrum and telecommunications. As the DoD CIO, Ms. Teresa Takai provides strategy, leadership and guidance to create a unified information management and technology vision for the department and to ensure the delivery of information technology based capabilities required to support the broad set of department missions.
Ms. Takai spoke about some of the challenges, efforts and efficiencies that she is leading at the Army's LandWarNet conference Aug. 24, 2011. Ms. Takai's remarks have been edited into an article and include additional information about the DoD information enterprise strategy.
I would like to give a bit of a backdrop in terms of what my job is. Because there has been concern about the changes that are planned for the Assistant Secretary of Defense for Networks and Information Integration and Department of Defense Chief Information Officer (ASD (NII)/DoD CIO) organization and what that means for the DoD CIO's role and responsibilities. First, the NII office has been part of the study for efficiencies across the Office of the Secretary of Defense. One of the key challenges that Secretary Gates gave us was to look for any and all efficiencies that we could take at the Pentagon to ensure that we had adequate funding, and so that we have as much funding as possible for the missions of the military departments.
We have reduced overhead in the number of personnel and the budget. We have removed redundancies in OSD, particularly across my organization and the Under Secretary of Defense for Acquisition, Technology and Logistics (USD AT&L). We are transferring some functions to AT&L because that's the most efficient way to do them. We will have a very close working relationship. As you know, we do a significant amount of our work with the Defense Information Systems Agency (DISA), and we will continue to do so.
My office will move from being titled as the Assistant Secretary of Defense for Network Information and Integration/DoD CIO, which was very difficult for the organization to have two roles, into the title of DoD CIO. That doesn't mean that we aren't going to continue to perform the functions, but what we need for our organization is to have a much tighter integration.
Another part of the importance of the organization moving forward is that we will have a very close working relationship with U.S. Cyber Command. Between my organization and the policy organization, we will be playing an oversight role with CYBERCOM, particularly as it relates to understanding the operations that it will do and looking at those from a policy perspective.
Lastly, one of the important roles for the DoD CIO is looking across the technology landscape and making sure that we are doing several things. First of all, for instance, we play the lead role for spectrum because one of the challenges is the growing need for all the services to have more and more spectrum to be able to conduct operations. On the other hand, we have increasing pressure from the commercial sector for that same use of spectrum, and so some of you may have been involved in studies we are doing to look at the future uses of spectrum and how we can ensure that the interests of the Department of Defense are protected and that federal government needs are met.
The second area is for us to play a role on the international stage with our partners and also with NATO to look at the technology standards that we need. Then lastly, we look at the technology and dollars that we need to provide the communications technologies that operational commanders need.
What we need to do is have a single look at the technology, not as a service-by-service or a COCOM-by-COCOM (combatant command), but to recognize that for the warfighter, what's really needed is a single look at the way we operate.
The Challenges Ahead
The warfighter expects and needs access to information — from any device, anywhere, anytime… But the challenge is how to get it there in the best way possible, how to get it out in a secure fashion, and also in a way that is quickly usable for the mission. As you look over time, we are no longer going to be able to do that from the devices that we have traditionally used. We are going to be moving to commercial devices, which is another challenge.
If you look at the DoD IT landscape (Figure 1), it is easy to see why it is so difficult for us to get to a single secure, authoritative database and single search engine that warfighters need. It is tough to do when you have more than 10,000 operational systems with databases spread all over the world and more than 772 data centers, and by the way I think that number is pretty conservative. I think we have probably a lot more than that. In fact, every time we do an inventory, we find a few more data centers.
Then those 15,000 networks make it not only difficult for us to get information, but they are pretty tough to secure. So our points of vulnerability are considerable. If you tally up the numbers, with more than 3 million individuals in the organization, it is difficult to effectively use a tool which is pretty straightforward like email, when you can't get email from one end of the department to the other without looking at it from an overall perspective.
The estimated $38 billion a year the department spends on technology is actually conservative. It was interesting; we were in a meeting earlier this week talking with the Air Force about some of the efficiencies that it is doing. The Air Force found a significant amount of more money than it even knew it was spending on technology. So I would submit to you that while we have a lot of efficiencies drills coming at us, we have a lot of money that we can take and utilize in a different way to get to our end objective.
Other challenges ahead include exploding technologies, shrinking budgets and the growing cyber threat. I don't think this is new to you, but I want to add a different context around the actions that DoD will be taking.
Shrinking Budgets: Enterprise Strategy
It's easy to say, we either can have efficiencies or we will be effective, or we have to respond to the cyber threat, because those things won't work together. I submit to you that they do, and that the actions that we will take (shown in Figure 2) to effectively make the changes are, in many cases, the same actions.
The first piece is shrinking budgets, and each of the DoD organizations has been very aggressive in identifying IT efficiencies. Clearly, some of the things you are working on now are the data center and server consolidations. But data center consolidation isn't just about getting the footprint down. It is really getting to how we move to more standardized ways of operating, not just because it costs less, but because it gives us the ability to more quickly field new capabilities on a standard infrastructure.
The second piece is the number of networks and email systems that we have, and we will need to change for the way that we will operate in the future. To access the network of the future, identity management will allow you to get the information that you need. This includes the ability, not only to identify you, but to be able to link your identity to the information you need.
Cyber Threat: Exploitation, Disruption and Destruction
Now put the challenges against the backdrop of the growing cyber threat. [Former] Deputy Secretary William Lynn uses this lexicon: "We are in the midst of a strategic shift in the cyber threat…moving up the ladder of escalation."
Clearly, all of you who protect and defend IT systems recognize the threat. But what we see now is the exploitation of DoD networks. We see the theft of email addresses. We see utilization of that information to get in, not only DoD systems, but those of our industry partners to look at intellectual property and information. The next escalation of exploitation will be disruption. We saw it occur in Estonia; we have seen it in other areas of the world.
We are moving away from just purely the concept of the need to protect at the perimeter of the network. We are concerned about the potential for disruption to lead to destruction. We are concerned about the juxtaposition of the cyber threat with the kinetic threat.
The services are conducting a number of exercises to look at the resiliency of networks and IT systems, as well as defense and protection. This becomes very much a public/private requirement, it's something the DoD cannot do alone; we must include industry partners.
IT Strategies: Driven by Cyber Priorities
The IT strategies that I described (shown in Figure 3) are part of our efficiencies strategies, and the same strategies we need to use to address the cyber challenge. Consolidation and standardization will give us a much better way to decrease attacks on DoD networks and IT systems and can improve network defense. Now the challenge that everybody points to is that if there is one network the department is more vulnerable. That is true. But, we will never have one network. We have many legacy networks and systems, and we don't want one network or one way to protect and defend it. At the same token, there is a big difference between one network and 15,000 networks.
Our challenge is, and we are smart enough to figure it out, the right mix to be able to defend much better than we can today, and also ensure that we are engineering and managing technology in a way that decreases threats. IT strategies, like identity management and information tagging, allow us to more easily control the need-to-know and need-to-share, not only from the standpoint of external intrusions, but also to address insider threats.
Lastly, as we move to cloud computing, we will be able to move information into more standardized ways of accessing it. At the same time, a thin client infrastructure, in certain instances, is going to decrease our attack surface in the field. We will have the ability to share information more easily because it will not be traversing multiple networks and multiple data centers. Instead, DoD networks and IT systems will be configured in a way to share information. Operational commanders will be able to get to unclassified, classified and top secret information as it relates to a particular mission as dynamically as they need to.
Figure 4 is a great visual perspective of what the department is working to achieve. It is important to see that as we talk about enterprise and doing things together, there is still the need for the Army, Air Force, Navy and Marine Corps to have operational effectiveness within their operations, but to be able to come together for a core sharing of information and core use of DoD networks more effectively.
Effectiveness and efficiency do not always go hand in hand, there's a yin and a yang in terms of the push and pull. But, there is a way for us to be able to preserve the services' individual requirements and yet look at the broader perspective. That is what I really see as an important role for the DoD CIO office to play — to really bring us all together in the broader mission.
Exploding Technologies: Mobile Devices, Thin Client and Cloud Computing
We have to recognize changes in technology development; it is driving the need to change and standardize. As we look at commercial mobile devices, there are two factors that are really a challenge for us: we do not control their development and understand how to fit these devices into our networks. In the past we developed our own wireless communications. We developed radios and used commercial off-the-shelf technology to some extent, but we were able to influence the market because we were the largest customers. That's no longer true.
Some of the things that the Army is doing will be a big part of what we will do in the future, to ask questions like: Do you have a radio that is longlasting? Should every Soldier have the same radio or are the radios specific to a function? Is it necessary to have only one device for information?
To accommodate commercial technology, we have to move to a much more standardized infrastructure, so that we can secure it, so that we can lock it down, so that we can understand where the information is going, and we can look at ultimately how we communicate in a cross-domain environment.
A mobile device is a small thin client, and as we move toward thin clients, we are going to be thinking about how we use them on a more broad-based standpoint.
And then of course the term that all of us love, it is sometimes maligned and sometimes misunderstood, is cloud computing. Cloud computing is a service model of the way that our IT services will be provided. We don't all need to own our box, we don't need to see the server lights blinking. We need to know that we can get services from a standardized place and be able to build and innovate to the next level.
Cyber Challenges Beyond DoD: Supply Chain Risk, Attack on Defense Industrial Base and Critical Infrastructure Protection
There are cyber challenges in what we are doing. First, we are looking at the risks in the supply chain. In a global marketplace, we are seeing less and less of an ability to control the components that are in the technologies that we buy — for both hardware and software. We are working on a study with telecommunications providers to understand where our risks are throughout the supply chain.
The results will be to No. 1, understand where we have to take more control of the supply chain, and secondly, to better understand our vulnerabilities, which will impact the way we look at resiliency. Knowing that we have risks in our infrastructure, we can determine what we can do to combat the risks and be able to, in case of a breach or disruption, come back online very, very quickly.
I mentioned, we are seeing more attacks on the defense industrial base. One of the things we are working on is to form partnerships with defense companies. We have about 36 companies, and we are looking to expand that to the next set of companies that came to us through U.S. Transportation Command (TRANSCOM) so they can share information about the threats they are facing.
We are looking at the importance of critical infrastructure protection. It doesn't do us any good to be protected inside the DoD if the critical infrastructure that we depend on is not protected as well. This is a joint effort with the Department of Homeland Security, particularly as it relates to the continental United States, to make sure that we are working with the energy providers, that we are working with critical infrastructure officials to be sure that the DoD is looking at the cyber threat on a broader stage.
Army Enterprise Planning
I want to thank and congratulate you for the work that you are doing to push forward the Army IT enterprise. Lt. Gen. Susan Lawrence, Army CIO/G-6, has been an absolutely fantastic partner in looking at where the department should go. One of the challenges of being at OSD is to understand the important policies we need to make your operations easier across DoD.
I have to make sure that the policies the DoD issues are implementable and that they are going to make a difference for all of you. I will use a couple of examples because I think these are things that are affecting you sometimes in a good way, sometimes in a very disruptive and difficult way, and to give you a perspective on why working to an enterprise approach is so important across DoD.
So I picked the beloved enterprise email example (shown in Figure 5). Across the DoD there are multiple email addresses. Quite frankly, I am sure you have challenges identifying who is where and how to communicate. Second, we are unable to understand the global address list and move to an integrated email platform because organizations within DoD have very dissimilar security practices.
Enterprise Email — Keys to Enterprise Success
Figure 6 illustrates the advantages of enterprise email; it is a forcing function to make the kinds of infrastructure changes we need. By moving to enterprise email, we are beginning the journey of getting to a single identity — and of having that identity linked to information. So email is a part of getting us to a common directory and the kind of identity management that we need so we can share information more effectively.
Second, it gets the department on a more common infrastructure. We will move to a standard gold disk so that we can get to a common configuration, not only in the Army, but across the services, and that's one of the things that we have been working on with the Army. A standard gold disk is one of the policies we will be issuing in the future.
Lastly, this effort isn't just about email. All of you want to be able to use SharePoint, to use text and instant messaging across the services and combatant commands, and without having to stand up multiple instantiations of these environments for the specific missions that are necessary. So the objective and what the Army is doing in terms of email is to really drive that forward.
The Army has taken a big, bold step that we have challenged the other CIOs in the other services to do: to move from an email address that is army-dot-mil to an address that is mil-dot-mil.
Seems like a pain in the neck? But what it will do is give us the ability to share information. Can you imagine the administrative burden that it reduces to change your email address every time you change positions?
But more important, one of our collective efforts is with the Department of Veterans Affairs for electronic health records. The connection is if we can get to a common identifier, then as a service member you will have a common identifier from the time that you enter the service throughout your military career, and when you leave service and are provided services by the Veterans Affairs system. So enterprise email has far reaching advantages.
The Joint Enterprise Network
The next initiative which is important is the Army's role in an effort between U.S. Africa Command (USAFRICOM) and U.S. European Command (USEUCOM) to stand up common data centers and infrastructure from a network perspective. AFRICOM and EUCOM came together, with the support of the Army, to standardize the unique communications, data processing and security posture in the European and Africa commands.
Their efforts to improve the Joint Enterprise Network are shown in Figure 7. Figure 8 illustrates how we operate today. I am sure you will recognize the boxes. From network operations and transport perspectives, this is effectively our case for changing how we need to optimize the network in the future and how we need to institutionalize what EUCOM and AFRICOM have been able to do.
The objective is to move toward an integrated joint NetOps, joint transport, and then consolidated enterprise services, like collaboration tools, as shown in Figure 9.
We have to think about how this example can be extended into the way that we support the COCOMs in the future. Bringing together all the services and COCOMs into an infrastructure that allows the necessary applications to be built very quickly, fielded very quickly, and quite frankly, if we can build and field them quickly, we can also get rid of them and move on to what the next set of needed applications is for the next area of conflict and next area that we have to provision.
We really see the DoD, DISA and Army in a partnership. We are working very hard to make sure that No. 1, the Army is well supported. DISA Director Lt. Gen. Carroll Pollett and I are working very hard. DISA is working very hard for the success of the shared services model. DISA is moving beyond the backbone network into broader use of its Defense Enterprise Computing Centers (DECCs).
DISA is working to provide enterprise services, not only for Army, but across the DoD. In many ways, it isn't just about providing the services, it's about DISA looking at the technical directions that the department wants to take in the future and being a part of setting those technical directions. For the DoD, it's about understanding the needs across the department and looking at policies, processes, standards, and the things that we need to do from an OSD perspective to allow you to be able to do your jobs and move the entire organization forward.
Lastly, the department wants to take advantage of the great work all of you are doing — whether it's in enterprise email, your role in the joint environment or whether it's the work that you're doing at Fort Bliss to set the stage for fielding new technologies — all these efforts are going to be cornerstones to pull the technology infrastructure together and provide these capabilities, not only now and tomorrow, but five years from now with new mobile technologies, and 10 years from now with technologies like cross-domain sharing, a universal search engine and getting the information in a protected way to those individuals that need it.