The dangers of the Pentagon’s cloud

The Pentagon has bought into the cloud computing concept and is in the process of consolidating its servers and networks to adapt to it. Moving the military onto the cloud makes sense to Defense Department leaders for two reasons: cost and agility.

Generals claim the transition to the cloud will provide a needed third capability, security. Cyber analysts, however, are not completely sold.

The Defense Department unveiled its Cloud Computing Strategy in July with its plans to move the military “from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs,” according to the strategy document.

In basic terms, the Pentagon’s current computer system has dedicated hardware and servers for every computer system. Under the new system, the cloud, contractors will deliver software that is installed with the cloud or infrastructure service provider (ISP), where it runs on processing power in a consolidated data center.

Ian Malloy is the CEO of Malloy Labs. He is working to stand up cyber security operations in order to combat cyber threats such as Flame, Stuxnet, and Gauss. Malloy understands why the Pentagon is hoping to save money by moving to the cloud, but he worries the Pentagon is setting itself up for a catastrophic failure from a cyber attack.

“The cloud infrastructure is virtually leaving little to protect full loss of data should the proper attack be performed,” Malloy said.

He worries that computer engineers have not had enough time to explore the cloud concept and the potential vulnerabilities before transferring the Defense Department’s massive infrastructure onto it.

“Though they espouse advancements in cloud security funding to initialize and begin the process of transferring operationally sensitive systems to a new realm they forget how young and insecure the cloud is,” Malloy said.

Outages seen with Amazon Web Services’ public cloud have made other cyber security analysts leery of the potential risks of moving large agencies onto the cloud.

Kevin Williams works on the B-1 program for Boeing on systems engineering integration. He worries the cloud will not allow for enough redundancy and will leave the Defense Department exposed by putting “too many eggs into one basket.” The Pentagon must be sure to diversify its cloud computing sources, he said.

“Most cloud providers will offer different types of redundancy within their architecture as optional features,” he said. “However, this redundancy is still contained within a single system – never put all of your eggs in the same basket. By diversifying your cloud computing sources, you reduce your exposure to a catastrophic cascading failure from a single cloud provider.”

Protecting infrastructure from cascading failure requires the additional investment in “automatic failover.” This is an expensive addition, but it’s a necessary one the Pentagon will have to make, Williams said. That investment could bite into the expected savings the military anticipates.
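As an added example (not from the article, from Williams, or from the Pentagon strategy), the following Python model puts numbers to the redundancy argument: replicas inside one provider share that provider’s correlated outages, so no amount of in-provider redundancy can beat the provider’s own outage rate, while spreading replicas across independent providers can; it also shows the automatic failover decision in its simplest form. All probabilities and provider names are constructed assumptions.

```python
"""Added example, not from the article: availability model for the
"eggs in one basket" argument. All figures are constructed assumptions."""
from math import prod


def provider_live(replicas, p_node, p_provider):
    """Probability that a provider still serves at least one live replica.

    A replica is reachable only if its provider is not in a correlated,
    provider-wide outage (p_provider) AND the replica itself has not failed
    independently (p_node). Replica count is the in-provider redundancy.
    """
    return (1.0 - p_provider) * (1.0 - p_node ** replicas)


def availability(placement, p_node, p_provider):
    """Service availability for replicas spread over independent providers.

    placement maps provider name -> number of replicas hosted there. The
    service is down only when every provider fails to serve a replica,
    so the per-provider outage probabilities multiply.
    """
    p_all_down = prod(
        1.0 - provider_live(n, p_node, p_provider) for n in placement.values()
    )
    return 1.0 - p_all_down


def failover_target(priority, healthy):
    """Automatic failover: route to the first healthy provider in priority
    order. None means a cascading failure with nowhere left to fail over."""
    for name in priority:
        if healthy.get(name, False):
            return name
    return None


if __name__ == "__main__":
    P_NODE, P_PROVIDER = 0.01, 0.001  # constructed assumptions
    single = {"provider-a": 3}                                    # one basket
    spread = {"provider-a": 1, "provider-b": 1, "provider-c": 1}  # three baskets
    print(f"3 replicas, 1 provider : {availability(single, P_NODE, P_PROVIDER):.7f}")
    print(f"3 replicas, 3 providers: {availability(spread, P_NODE, P_PROVIDER):.7f}")
    # Redundancy inside one provider is capped by that provider's outage rate.
    print(f"ceiling with 1 provider: {1 - P_PROVIDER:.7f}")
    # A provider-wide outage takes every in-provider replica with it; failover
    # helps only when a second, independent provider exists to receive traffic.
    health = {"provider-a": False, "provider-b": True, "provider-c": True}
    order = ["provider-a", "provider-b", "provider-c"]
    print("failover ->", failover_target(order, health))
```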

The Defense Department’s Cloud Computing Strategy states the military has planned this transition to make its networks more efficient as technology and computing become more complex. As the number of networks and the amount of computing power grow, Williams is concerned the cloud could work against itself by shrinking bandwidth for some users.

U.S. military networks are spread out across the world. By consolidating servers, there is the risk that too many users would be stuck on a limited number of high-capacity trunk lines flowing into data centers in fewer parts of the world.

“If you have enough users, this could potentially create higher latencies and lower bandwidth speeds which can negatively impact some applications,” Williams said.

Both Williams and Malloy suggested the Pentagon is underestimating the costs associated with transitioning to a cloud computing strategy.

“Relying on creating a “secure” cloud environment as the new DoD funding initiative calls for requires too great of spending on securing the system, without even factoring in transition costs,” Malloy said.

With the U.S. military and government under constant cyber attack, the Pentagon cannot afford to skip those security investments, analysts said. A transition to the cloud computing concept could pose significant advantages for the military’s future, but Williams and Malloy have plenty of doubts that the transition will occur safely.

About the Author

Michael Hoffman
Michael Hoffman is the executive editor at Tandem NSI and a contributor to He can be reached at
  • RunningBear

    Hmmm…computer experts urge moving all data to the cloud…computer experts urge data is not protected on the cloud…. both expert groups want more money for studies and programs and “job security, ad nauseam…”;sounds like someone is chapped, they missed their turn at the “trough”. sickening! :(

    • blight_

      If you read The Hacker News enough (THN) it depresses you.

      And they’re covering all the random cyber attacks in the MidEast that DefTech seems to have given up on…for now.

  • Max

    I don’t understand the stupidity of it all. It must be true what the creator of Dilbert said about management being composed of stupid people who get promoted precisely because they’re stupid. Kind of like, birds of a feather…

    • Theadore

      Have you heard of The Peter Principle? In short it is where everyone and anyone is promoted one level above their competency?

  • yoyo

    A security system is only as secure as its weakest point…something to keep in mind.

    • rema whitecloud

      always a missing link with security….

  • Raraavis

    There is no Cloud. There are lots of clouds. Each vendor big and small has their own cloud, as well as most corporations have private clouds that host only their internal data and applications. Essentially all a cloud is, is the consolidation of processing and data to a more centralized location and depending on longer range data links. Data and processing that used to take place in each building gets consolidated a little farther away in a larger data center.

    What scares me about this article is it seems to indicate that the Pentagon isn’t going to be using its own private clouds but trusting third party providers with its data. This is an incredibly bad idea.

    • blight_

      Something about the Push to Privatize…shudder.

      • blight_

        I remember reading an article where the NSA designed some program that duplicated an off-the-shelf private sector program, and Congress got in their face and tried to make them buy the OTS program. I imagine if true, government workers no longer have the option to do things in-house.

        Edit 2:

        “(ix) Ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate IT capabilities within the same agency, from other agencies, or from the private sector; ”

    • tmb2

      “What scares me about this article is it seems to indicate that the Pentagon isn’t going to be using its own private clouds but trusting third party providers with its data. This is an incredibly bad idea.”

      It’s still in the .mil domains so it’s not like the military handed the keys over to Google.

      • Paul the IT guy

        .mil can point to any system anywhere. It’s simply DNS – a linking of IP addresses and names. In the case of .mil, that linking is done by the Pentagon/Gov. Policy of the Pentagon/Gov is the only barrier – a policy which now says use the cloud…

      • crazy

        Not necessarily – google GAfG… it’s happening now.

  • John Moore

    More power available at the click of a button is always a good thing.

    Placing secure and secret files on the cloud architecture is not so smart.

    Saying everything is going that way is wrong but it makes sense for some applications.

  • Ranger

    NMCI cannot even keep the Exchange Server up for an entire week without the occasional downtime – meaning you lose email until it’s back up.

    Usually a minor annoyance of a few minutes or so. But if I’m working a serious project on deadline and the necessary program goes offline – THAT is a significant pain in the posterior, including the potential of losing work already done.

    Store on the cloud, maybe. But I want MY programs on MY computer.

    • Greg

      That is not true, you do not lose email. The ISP queues it for the 45 minutes or longer. Furthermore if it is an Exchange failure then your spam filter, which is your SMTP point anyway, would intercept all mail and store it on its own internal storage.

      The author hit the nail on the head when he describes automatic failover. What the author is specifically talking about is technologies like VMware SRM (Site Recovery Manager) and EMC’s RecoverPoint.

      The author hits another key point in the problem in how the DOD chose to pursue the cloud. The problem is they are trying to do this on the cheap. They are utilizing HP as the main provider. Yes HP can provide the blade servers and the storage, but what is HP’s robust mechanism for automatic fail-over? They will have to leverage the storage array to replicate data which is darn sure not the most efficient way to replicate. Furthermore HP is a core infrastructure provider…Meaning that although the virtualization and cloud products run on their infrastructure they did not design the cloud products and don’t have the best integration with the cloud products because they did not design them. So the Army went for them because they are cheap.

      If the Army had selected EMC, which also owns 90% of VMware, they would have had better automatic fail-over capability via RecoverPoint and its tight integration with SRM. With RecoverPoint each site could actively replicate to 4 additional sites to maintain 4 additional copies of the data. You can go back in time with RecoverPoint. RecoverPoint is a snapshot appliance that can take snapshots of data like VMs (virtual machines) and traditional data like NTFS that can be replayed, backed up, brought up temporarily on another machine for analysis…You get the picture.

      By going cheap they screwed up big time with the ability to efficiently disperse the infrastructure, which they will eventually do regardless of how cloud 1.0 turns out.

      • Ranger

        You lose ACCESS to the email until the system comes back up – which usually is not a major problem, if short-term, but can be a serious issue when dealing with short fuse issues. I’ve missed important meetings because they changed at the last minute – and the email didn’t come through until it was too late.

        As for HP, they’re the ones behind Navy Marine Corps Internet – and to put it charitably, they are “less than optimal.”

        There is no way I want to trust that I can access my essential programs or data from a cloud.

  • Bill

    It might sound all good and dandy, but the moment in which the cheapest and qualified cloud-computing provider is selected, you can better be sure that they will become the #1 target for those willing to test their skills.

    Scary move to do this when we haven’t fully figured out the criminal consequences of bypassing government cybersecurity.

  • The_Hand

    What’s driving the move to cloud is the fact that right now every platoon in the DOD has its own IT infrastructure, and they’re all linked together, so the whole thing is only as secure as the weakest link in the chain. You cannot enforce security on a balkanized kludge like that. I hate to even mention the guy, but look at the Manning incident. Are clients on SIPR supposed to have CD-R burners? Hell no, but Manning’s did, so all the traffic on SIPR was compromised.

    Centralization of this sort does create an eggs-in-one-basket situation, but at least the eggs are in a securable basket and not rolling around on the dance floor. It can be made secure if properly architected and operated. That’s a big if, but the threat environment is way too sophisticated for the hodgepodge we have right now.

    As for NMCI, I still have no idea why HP is allowed to have such a stranglehold on defense IT. Talk about waste and inefficiency. I’ve always just assumed they had incriminating pictures of someone.

  • TonyC

    Cyber Pearl Harbor in the making, we had all of our eggs in one basket before.
    Take out the cloud and disable multiple weapons systems, command and control,
    and battlefield communications. Sounds like Microsoft wants DOD work?

    • blight_

      I think you’re over-estimating what the cloud is meant to do.

  • JJMurray

    The “cloud” undoubtedly has some advantages but the bottom line is (as was seen with megaupload) if you don’t keep your stuff backed up locally you are setting yourself up to lose everything when someone cuts your connection to the cloud server(s) or knocks you off the network…and that really isn’t all that hard to do.

    • Greg

      Not true, I backup from a tertiary site then I no longer affect the performance of the production site. With fabric and gig Ethernet technologies, you can keep the prod and DR environment within seconds of each other. Fabric being obviously superior for short distances while IP more resilient to errors and able to handle longer distances. Maybe the Pentagon should first talk to the professionals who live and breathe this stuff before making a decision.

  • nurse2go

    Talked to a security computer geek. Asked him how secure the cloud was for Pentagon use. Answer….” use it only if you want the other party to own it”……End of discussion on security in the clouds.

  • liam

    In the simplest of terms…if DOD jumps to cloud technology, without more study, then it is like dropping your pants and exposing yourself…and then with a very loud voice saying, “LET ME HAVE IT…PLEASE MAY I HAVE ANOTHER!!!” If it is not broken then don’t fix it…not until you are sure what you want to go to is gonna work!

  • Musson

    DELL pitched us a SECURE PRIVATE CLOUD. They maintain a ton of blade servers in a secure location and only allow us to access them.

    It would have allowed us to maintain secure banking data – but the upfront costs are more because they cannot rent out the unused capacity to anyone else.

  • blight_

    Considering the military already has a parallel secure intranet, it’s not a bad place to park a cloud. As long as you employ secure air gaps, how’s a hacker going to get to it?

    Of course, it’s easier to get in an autonomous worm with the classic random-flash-drive-with-worm, but it won’t help you get information out, or to operate dynamically with user commands.

  • elmondohummus

    Why did half of my responses disappear? They were polite, directly on topic, I most definitely didn’t take shots at anyone, but instead was talking about cloud computing, which I’m familiar with in my job… did I do something wrong???

  • yakoldnozson

    well, being one of those that is a “recipient” of this “new thinking” – it ain’t NO cloud it’s HELL!!! constant program pushes/updates, constant interruptions, and the stuff is not DELL it’s HP, talk about a total cluster f*)_^)(&^k!!!
    tell the generals and the “wise” contractors and civilians to keep their “cloud” thinking to themselves and before they institute something – make sure it works!!!!!!!

  • BLWarmonger

    I take it the guys who came up with this idea never read Robert Heinlein’s “The Moon’s a Harsh Mistress.” Even in the 1960s they knew what poor security resulted from putting everything on one computer. :)

    • elmondohummus

      But the whole idea of distributed computing and storage in cloud services is the very antithesis of that. The central idea *IS* to make certain that your servers & services, applications, and data are not stored on one server or even just a single cluster, but spread out in a way that can continue to deliver your stuff even if some parts of it fail or are destroyed. The entire selling point of Infrastructure/Applications/Storage As A Service paradigms is to make sure that you’re not vulnerable to single-point failures.

  • guest

    US Defense CAN NOT risk the reliability and performance of its network and critical data to a cluster of “clouds” that are being developed with foreign money (some from not-friendly nations).
    Some of those not so friendly nations have a vested interest in gaining control or access to US Defense data, motivation enough to subsidize the creation of data clouds in order to put any real free-market competitor out of business. This effect will cause lots of consolidation and turnover of the “ownership” of those unprofitable cloud cells, creating the perfect opportunity for bad things to happen during their unstable transitions (and who knows what kind of waivers and shields from liability their attorneys will insert as part of the deals). In other words, it would be like outsourcing the storage, performance and reliability of the US Defense data to any of the well known, so called “low cost regions”, most of which are controlled by communist or dictator regimes…

  • hdhyrhfh

    Blight yes you can, you have to think deep, only certain people in this world are capable of thinking beyond the boundaries of what is taught. I’m not even a programmer and if I suggested the idea most would say you can’t do it. Music has patterns, beats etc which can be programmed to be interpreted as characters, ones and zeros, whatever you would like to assign them. This isn’t something you can just Google and come up with an answer.

  • hdhyrhfh

    So gdhydfh you’re saying some sort of program would have to be inserted that permits the microphone and program to translate the sound into code. Ok so you’re saying because you already know what music is going to play or playing you have a pattern to create the code. I get you.

  • D. Dieterle

    Not a good move… The government can’t even agree on a cybersecurity doctrine and they want to move DoD servers to outsourced systems? At least if they are in military hands they can control the environment and security procedures. Yes, they may save some money in the short run, but this is the worst idea I have seen to date.

  • Big-Dean

    Let’s rank DOD initiatives/project/actions on a stupid scale 1-10 with 1 having the highest level of stupid all over it. Here’s my list:

    1. Handing over the DOD network to a private contractor, i.e. moving to the cloud
    2. the entire LCS program
    3. cancelling the F-22
    4. having less than 12 carriers
    5. completing the F-35
    6. current military contracting practices
    7. over-emphasis on the “war on terror”
    8. pretending that China is NOT our enemy
    9. dropping the ball completely on proper maintenance of the fleet
    10. too DAMN many generals and admirals

  • rema whitecloud

    remember the pentagon is the machine so any innovative new approaches to archiving the past like cyber storage no worries it does not affect the guardian who watches over the clouds
