Mission Critical Access for Remote Workers, Part 2 - Ep. 86
Part 2: Major General Joe Brendler, U.S. Army (retired), discusses Multi-Domain Operations and how Cross Domain Solutions have improved communications, how communications, especially telework, have changed due to the pandemic, and how IoT has made the military re-think secure communications.
Episode Table of Contents
- [00:42] Building Cross Domain Solutions in Mil-Con
- [06:32] Breaking Down Some Barriers
- [12:45] How DOD Has Adopted the Cross Domain Solutions
- [19:30] Multilevel Secure Access on Cross Domain Solutions
- About Our Guest
Building Cross Domain Solutions in Mil-Con
Carolyn: Welcome back to To The Point Cybersecurity podcast. I'm Carolyn Ford, joined by Eric Trexler. This week we have part two of our discussion with Major General Joe Brendler, a US Army retiree, and now a principal at Deep Water Point LLC about multi-domain operations, building cross domain solutions in mil-con and tactical applications.
Eric: In the modern day, we have SpaceX and Boeing and Virgin Galactic bringing out space-based networks. At this point, wireless comms that are coming out in the near future. We could really assign a small team of six people like I served on, go in a country with a laptop and run access solutions. They could run VDI sessions on multiple networks in theater at the team level.
Joe: You could probably further reduce the cost of the setup I was describing by eliminating the need for the dedicated encryption device. If you use the available commercial solutions for classified information processing that are authorized today.
Joe: So in combination, the acronym there is CSfC. CSfC and a multilevel secure access platform would enable you, at significantly lower cost than it would have been 10 years ago, to go in and do what you're talking about, Eric.
Joe: As a special operator, you would also have communications officers supporting you. They are trained to make sure that you're never relying on just one method of communication. Typically, the acronym there is PACE: Primary, Alternate, Contingency and Emergency communications plans are always in place.
Joe: It may be that the satellite connectivity you're talking about is the primary, but you'd have an alternate plan in case that just isn't available, either because the adversary denied it to you or Mother Nature did.
A Six Person Team
Eric: Allow me to translate that. That means three types of radios, multiple keyboards, and a hell of a lot of batteries you're humping into the bush.
Carolyn: I hear the ROI part of it. You're saying saving a lot of money.
Eric: There's also space and weight. Think about a six person team, if you could carry one laptop device.
Eric: Joe, you mentioned encryption, I think we used it. It's been a long time. It was a KY-57 VINSON. We would carry that out into the field with us to encrypt our transmission. That had a different battery than the three different types of radios we had. We had SATCOM, we had HF and we had FM radios. A six person team is carrying three different radios.
Eric: They've got their own surveillance mission, multiple batteries for everything. We carried multiple keypads in case one would break. That's heavy. It's a lot of costs, a lot of complexity, a lot of stuff to destroy when you're in the field and in a contested environment also. It sounds like if we can get it down to one system, maybe you're carrying two of the same for redundancy back to the PACE concept.
Joe: You have to have the right level of redundancy. Otherwise, you're down to one thing and that one thing becomes nothing as soon as one of those Mother Nature effects or an adversary takes a capability away from you. You need to have the optimized solution, which has sufficient redundancy in it.
Eric: Now I'm taking it to the extreme. I'm talking a six man team, six person team. A hundred miles behind enemy lines.
Zeroing in on Cross Domain Solutions
Eric: But even if you're looking at a brigade TOC or something like that, they still have to have that redundancy. They have to have the different communication devices, the batteries, the power and generation and everything else. What we do is really we optimize the warfighter's ability to be nimble and move more quickly.
Carolyn: That's what I'm zeroing in on before the cross domain solutions, I don't even know how it was possible for you to do your job, Eric.
Eric: Well, we carried encryption devices and different radios for connectivity. We didn't deal with the different network segmentation as much in those days. I imagine much more so these days, but it's complex, it's expensive. Additional complexity, weight, size. We were carrying batteries instead of water and food, instead of ammunition.
Eric: Those are the trade-offs you have to make because you're mission incapable if you can't communicate. At the team level, as you go up the stack, what you would say is you're mission incapable if you can't communicate. You spend a whole career trying to ensure communications were there and as fast and easy as possible.
Joe: Absolutely. Most of the modern commanders would emphasize the same thing that you did Eric, if you can't talk, you can't fight.
Eric: What we had to do back in the day, now I'm really sounding old. Once again, I was an infantryman, so very select purpose. If we needed Naval gunfire, we wanted to call in an airstrike. We didn't have radios for that.
Eric: We would have to make communications back depending on what you were doing. You either had a satellite window open or you were able to bounce something off the ionosphere.
Breaking Down Some Barriers
Eric: Sometimes you could get through, sometimes you couldn't. We didn't have any way to directly communicate with the Navy offshore, with the Air Force flying around. If we were dealing with a coalition type of network or environment, we had no way to do that.
Eric: One of the things I'm seeing with programs like the Mission Partner Environment, MPE, and others like that Joe, we're really breaking down some of those barriers so that we can communicate more seamlessly with one another.
Joe: That Mission Partner Environment that you described, that's the perfect setting for the application of both transfer and access cross domain solutions in order to optimize the configuration.
Eric: Why is that?
Joe: It's the partner nation or the coalition communications environment that we were describing earlier in the conversation. The purpose of the Mission Partner Environment program is to create that in order to make it possible for the multiple members of the coalition to share information, share sensitive information with each other in an optimized fashion.
Joe: You have to have the ability to rapidly establish that environment for a new coalition where one may not have previously existed. If you look at some of the geographic regions where we face various adversaries, we can't say for certain that we know exactly who the members of the coalition would be.
Eric: They may change over time too.
Joe: They may change over time. If each coalition you establish requires its own dedicated set of hardware, it's unaffordably expensive to establish one of those environments for every coalition. Not to mention the simple weight and transport expense of getting the physical equipment in place to support that.
The Basis for International Cooperation of Coalition
Carolyn: How logistically feasible is that? Even on a timeline.
Eric: It's a lot of monitors. It's a lot of compute.
Eric: KVM switch and get rid of the mouse and keyboard, maybe the monitor.
Carolyn: How long does it take to stand something up like that? A week? A month?
Joe: The first step is the agreement between the nations to share some sensitive information with each other.
Eric: So now we're talking a little while.
Joe: We're potentially talking years to overcome that first step. Once you get past that first step and you've got an agreement that can become the basis for international cooperation of coalition, you need to be able to instantiate that with equipment quickly.
Eric: What we're really talking about is, let's pick on Poland for instance. If we have a partnership with Poland and we're working on an exercise, a drill of some sort, we can bring them into the network that we determined pretty quickly in this case, once the agreement is done. They can operate on their networks, they can get a VDI session of a shared network if you will, or certain data. We can transfer and access data back and forth as coalition partners.
Joe: That's the objective of the MPE program we were talking about before: to make it possible for U.S. Forces to do our part in that scenario.
Eric: If we ever need to cut them off, that's a pretty quick and easy one, too. The same thing would apply if there's something spinning up in the INDOPACOM AOR. I would think that it would be easy to bring somebody who's not on that network, on that network quickly.
Lift and Sustain Partners
Eric: They could almost subscribe to it and they get their VDI session from an access perspective. Quickly engage and understand what's happening and communicate with personnel on that network. Before that didn't work so well.
Joe: What I was talking about before is the MPE becomes the way that we are equipped in order to join that. Each partner nation would either have to have a similar program that is producing equipment and procedures that are consistent enough with those that we're using, so that that coalition can come together quickly.
Joe: They would have to have a sponsor so to speak that would be able to lift them from a technology perspective and sustain their capability if that partner nation doesn't organically have that industry, for example.
Joe: That was the case with some of our partners in operations in Afghanistan. A set of them were referred to as lift and sustain partners for which the US actually provided the equipment through a technology transfer of some sort.
Eric: Does CSfC help us with that from an access perspective? Because we don't have to give them sensitive COMSEC gear, sensitive encryption gear in that case?
Joe: Yes. I don't have any personal experience applying CSfC in that setting. But I could foresee that it would be much simpler to do that than try to find the encryption devices that we're willing to give them.
Eric: Great. So you have a secure link. It's commercial off the shelf software or hardware in this case, which they have access to in many cases anyway. You can get them on the network and working when you want them to.
How DOD Has Adopted the Cross Domain Solutions
Eric: It's 2020 right now. I call this crystal ball time, Carolyn. In an ideal world, what does 2025, 2030 look like? How are we communicating? What's changed?
Carolyn: Have we seen changes since the current environment? What's the pandemic done to the way the military communicates?
Joe: The quick answer to that question is that it has accelerated some of the programmatic change that was already queued up to happen. If you look at the rate at which the DOD has adopted the solution, that's called Commercial Virtual Remote.
Joe: That is essentially through the application of commercial cloud capabilities, a rapid transition to enable a teleworking environment. In combination with that and some of the pilots that are going on right now, there's also an acceleration of the adoption of solutions involving commercial solutions for classified that we mentioned earlier.
Joe: The VDI technologies that Eric was referring to, to put access cross domain solutions on the end of a commercial solution for classified connectivity. To make it possible to remotely do classified work. The pandemic has essentially accelerated those developments.
Eric: Meaning do it from home instead of in-country and theater. In this case, theater would be, "I can't go into the Pentagon right now. How do I access my desktop so I can do my job?"
Joe: I think that's fair.
Eric: Instead of having two or three laptops, you could theoretically be down to one system where you can access multiple network feeds via VDI.
Joe: Those things aren't happening wholesale right now, but there are pilots showing a lot of promise in that area.
Eric: What do you think the future looks like then? How easy does this get?
Normalization of Commercial Cloud Solutions
Joe: As an optimist, I foresee the successful delivery of some of those things that are in pilot right now. The broadening application and normalization of the commercial cloud solutions that are going to adopt it for CVR, the commercial virtual remote and the development of an expeditionary equivalency for that so when it becomes necessary to actually put some infrastructure in theater.
Joe: As a career signal officer, I was often finding myself feeling and saying, "You never want to be on the far end of the skinny pipe from your server. You want the infrastructure to be there with you in order to optimize the user experience." We'll see, in essence, the availability of tactical versions of that same enterprise infrastructure, that's now enabled through commercial cloud.
Eric: It's like a tactical Microsoft or Amazon stack that you can connect to when you are disconnected.
Joe: Some technology maybe it's hybrid, maybe it is one of those specific vendors. But to be agnostic to that for the time being, I think that it's relatively safe to assume that there will be continued development along those lines, in that direction.
Joe: We'll achieve the objective of making it possible for these information technologies to be part of a military solution that makes technology function as an advantage for us instead of as complexity and something that's hard to get working.
Eric: I always worry because the military seems to run pretty well on connected networks these days, but depends on them. I always worry what happens in a time of conflict with a near-peer adversary when those networks aren't as reliable as we need them to be or expect them to be.
The Philosophy for Command and Control
Joe: The first answer there of course is the redundancy we were referring to before. A denial of one capability doesn't deny our ability to operate because we had an alternative built-in as part of the plan. It's when you have the simultaneous denial of multiple systems, that things become really challenging.
Joe: I spent my time as an army officer under the tutelage of mentors who subscribed to what at the time we were referring to as mission command. Now, it's changed back to the traditional terminology of command and control. But the philosophy for command and control for army forces has been relatively decentralized.
Joe: You disseminate the intent of the operation to capable leaders who can take the resources that they have available. Do what needs to be done in order to accomplish the intent. Even in the absence of continuous positive control via some form of communications with their boss.
Joe: That's what we've essentially said all along has been necessary. The more you make it possible for them to have continuous communication, the more streamlined the operation can be. But it doesn't mean we can't operate.
Carolyn: I was just going to say with COVID, we're seeing a lot more attacks. I'm wondering how the DOD is handling that, or maybe how should they be handling it?
Joe: One of the anecdotes that I could share there is I was on one of those professional development sessions that the Association of the U.S. Army chapter at Aberdeen Proving Ground supports periodically. This one was done virtually because it was like last month.
Multilevel Secure Access on Cross Domain Solutions
Joe: The two keynote speakers were Ron Pontius, the deputy commander of U.S. Army Cyber Command. The other is Pat Dedham, the deputy to the commander of U.S. Army Network Enterprise Technology Command, NETCOM.
Joe: I forget which one of them it was that said it. They referred to the need to provide more virtual private network connectivity for remote teleworkers. The JRSS program, the Joint Regional Security Stack program that had been put together over the preceding decade became the hero of the battle from that perspective.
Joe: Because it functioned as a concentration point at which to provide some of that VPN connectivity. That's one anecdote. The other is the acceleration of the adoption of things like CSfC and multilevel secure access solutions of the VDI-type access cross domain solution we were talking about before.
Eric: I'd agree with you. When we look at things like zero trust network architectures, where you're connecting directly to the cloud on a secure channel, you don't have to home run back to the base. Definitely a lot of movement in the industry there also.
Joe: Along the lines of zero trust, I break it down into the same four technology areas that the DOD CIO has used to describe what he calls the DOD ecosystem. That is, the Comply-to-Connect program is essentially intending to make it so that we know that we can trust the device that is about to be attached to the network.
Joe: The Identity, Credential and Access Management program, ICAM is intended to make it so that we know we can trust the individual who's using the device that's about to connect to the network.
The Principle of Data Integrity
Joe: We have programs for software assurance and DevSecOps, as opposed to just DevOps now. We built security into software development so that we know we can trust the software that the trusted user is going to employ on the trusted device that's about to connect to the network.
Joe: We have the principle of data integrity. It is intended to ensure that the data, which is both the input and the output from the trusted software being used by the trusted user on the trusted device in that environment, is in fact continuously trustworthy.
Joe: We monitor all of those things and check them on a continuous basis and we've achieved the objective of zero trust. I can say that in a fashion and it makes it sound easier than it really is. There's a lot of things connecting there.
Carolyn: You mentioned trusting the device, and as you mentioned that my Roomba just started going. My mind works like a Roomba all over. That just makes me think about the internet of things and how that has complicated security and how you handle that.
Joe: The Comply-to-Connect program is implementing the endpoint security strategy that various entities throughout DOD have agreed upon. U.S. CYBERCOM identified six different device categories, of which Internet of Things, IoT, devices is one. There are also operational technologies such as would be embedded in weapons systems or industrial control systems and so forth.
Joe: The ICS, SCADA, that's part of our critical infrastructure, the military physical infrastructure. Our bases have their own overlay, if you will, of their own critical infrastructure technologies that all have to be defended.
From Hiking the Appalachian Trail to Coming Back as a Consultant
Eric: Last question for General Brendler.
Carolyn: When are you going to come ski Utah?
Joe: I suppose that'll have to wait till my next shot at retirement. This one resulted in me coming back to work as a consultant after I finished hiking the Appalachian trail.
Carolyn: You definitely need to come visit us, but how do you unwind at the end of the day? Do you still do a lot of hiking?
Joe: I do some hiking with the family. Occasionally, I do a lot of jogging. I also have hobbies that include some of the same information technology, things that we've talked about here.
Joe: I've built, in my lab of leftover computers that I have converted to a Linux infrastructure, a virtual desktop infrastructure environment using the Xen hypervisor on a platform that's Gentoo Linux, which is source-based.
Joe: It involves a lot of compilation, but it forces you to learn the technologies. I also do robotics and I know we're on video so you can see it, but this is the device. It looks like a cutting board because it is a cutting board, but the hardware that's attached to it.
Eric: A cutting board with wheels and eyes and a few others.
Joe: That's an ultrasonic Ping sensor for a forward view vision that's similar to LiDAR, but it's sonar. It's sonar in the ultrasound range. It also has whiskers in case the sonar does not detect an obstacle on the periphery. It will execute an avoidance algorithm depending on the location of the obstacle it is trying not to run into.
A Family Endeavor
Carolyn: It uses light to ping obstacles that might be approaching and then it never crashes into anything.
Eric: No, it uses sound.
Joe: It is pretty loud, but that's the motors, and it doesn't have a beeper on it. It does have a little light that flashes when it detects an obstacle. So it's blinking.
Eric: So Joe, you were an electrical engineer? Then a physics professor at West Point. It sounds like you're coming back to your love here.
Joe: This also is something that can be a bit of a family endeavor because my son's also an electrical engineer now. He graduated from Virginia Tech in 2015. He's the one who showed me how to design printed circuit boards that resulted in the manufacturing of the PCB. That's the controller on that robot I just showed you.
Eric: Does it have a name?
Joe: Joe Bot III.
Eric: Nice. We've come to name our pool cleaners in my household. When they break, we get a new one and a new name.
Carolyn: My Roomba is named Darth Vader, but my dog is Han Solo. Thank you very much for joining us. I'm not going to lie. You and Eric got into some stuff that I was just like, you guys are talking in code.
Eric: It's easy. It's all about cost and weight and portability. We break it down. It really gets down to that.
Carolyn: Also, it always surprises me when I really start thinking about how complicated secure, clear communication is. So thank you very much for joining us and thank you to our listeners.
About Our Guest
Joe Brendler, Principal, Deep Water Point, LLC, and Major General, U.S. Army (Retired). MG (ret.) Joseph Brendler is a senior executive and thought leader with more than 30 years of experience managing large organizations, specializing in delivery of information technology, networks, and cybersecurity solutions.
Prior to starting his consulting business, MG Brendler was Chief of Staff for the United States Cyber Command (USCYBERCOM), and prior to that the Director of Strategic Planning, Policy, and Partnerships for USCYBERCOM. In those roles, he participated in the oversight of operations and the development of US military cyber doctrine and of DoD and national cyber policy.
Prior to those assignments, he served as US Army Director of Architecture, Operations, Networks and Space under the Army CIO/G6. He was Chief of C5ISR, US Forces J6, and NATO Forces CJ6, for ISAF, in Kabul, Afghanistan. MG Brendler also served as the Chief of Staff for the Defense Information Systems Agency.