Thoughts on the United States Air Force Computing Plans

As a former intelligence officer and computer network defender I was asked my thoughts on the US Air Force's new computing deal with Microsoft. In short, Microsoft will provide core server software, maintenance and upgrade support, and Dell will supply more than 525,000 Microsoft desktop Windows and Office software licenses to the Air Force.

From a business perspective, this is an important deal for Microsoft. For all of their seeming independence, the services tend to watch each other closely to see what technological advances are being considered or pursued. When the Navy began work on its Navy Marine Corps Intranet (NMCI), Air Force leaders scrambled to "catch up" to match the "progress" the Navy was assumed to be making. (NMCI has since produced mixed results for the Navy and financial woes for EDS, the prime NMCI contractor.)

I have first-hand knowledge of the Air Force's response to NMCI. In the fall of 2000, the AFCERT sent me to Washington, DC to participate in the "redesign" of the Air Force enterprise network. Over a three week period we were expected to create plans to revamp the whole Air Force communications and security architecture. The new network was supposed to be running by June 2001. Obviously this did not happen, although it was the launch of the "One Air Force, One Network" campaign. The entire November 2000 (.pdf) issue of Intercom magazine was devoted to the project, while shorter articles explained the goals in brief.

The core of the project involved several key ideas:

- Server consolidation, particularly email
- Network access consolidation, with bases having links through their major commands
- An Air Force portal ("my.AF")

The Air Force is still following its "One Air Force, One Network" plans. The Air Force CIO's September 2004 presentation (.ppt) reiterates these ideas, several of which I believe are valid. For example, it may not be necessary for each of the 100+ Air Force bases and operating locations to maintain its own connection to the Internet. It is certainly not necessary for each base to maintain its own Web, DNS, and mail servers; these Internet-facing services are among the main avenues by which external intruders compromise Air Force assets, and every additional instance is another exposed system to patch and monitor.

Many reactions (e.g., Slashdot.org) to the new Microsoft/Air Force deal center on the standardization on Windows throughout the Air Force. Here I am disappointed. In the mid-1990s I used Solaris where it mattered, on servers and on intelligence projects. I remember using Windows for Workgroups 3.11 for office applications. Within the last five years Microsoft has replaced a lot of this infrastructure and handles core email and Web duties in many locations.

Regarding the implementation of a homogeneous infrastructure, I have a mixed opinion. Standardization can be a force for good when it eases system configuration, deployment, and patching. The question is, do the benefits of standardization outweigh the potential for thorough, widespread exploitation by a worm targeting standardized deployments? For years I've advocated deploying redundant architecture, running alternate operating systems, to mitigate this risk. If you want your Web site running IIS on Windows, have an Apache server on UNIX ready as a backup.

I would have been pleased to see the Air Force adopt a thin client strategy for its desktop users, preferably based on Solaris or even a Linux distribution. I think the Air Force was too "corporate" to make such a radical step as to abandon its Microsoft desktop infrastructure. A TechWorld.com story noted that AF CIO "Gilligan acknowledged that in grappling with the patch-update issue, the Air Force had considered transitioning to open-source software but determined the transition costs would simply be too high." Ironically, that same article mentioned this:

"The Air Force endures about one network-based attack per week that successfully exploits new vulnerabilities, Gilligan said. 'There's some disruption and loss of capability,' he pointed out, noting that Air Force bases all over the world support the operations of the war in Afghanistan and Iraq. 'We're spending more money patching and fixing than buying software,' said Gilligan. It's not unusual for patching of vulnerabilities to take months to complete, he said."

So instead of taking a serious look at the root cause of its patching and exploitation costs (both financial and in mission impact), the Air Force sought a better deal from the vendor producing flawed software. This is sad. TechWorld's Ellen Messmer wrote "The US Air Force has had enough of Microsoft's security problems. But rather than switch to an alternative, it has struck a deal with CEO Steve Ballmer for a specially configured version of Windows." Will Microsoft sell this "special version" elsewhere, and if so, is the Air Force the guinea pig paying to develop this version?

Had the Air Force decided to break away from Microsoft, the other services would have definitely taken notice. In fact, corporate America would have taken notice. I hope vendors like Sun, IBM, and Red Hat step up their efforts to infiltrate the government space and introduce more secure products where it matters.

On a related note, the Air Force continues to lead the information warfare domain with its Advanced Course in Engineering (ACE) Cyber Security Boot Camp.
