The dangers of the Pentagon’s cloud

The Pentagon has bought into the cloud computing concept and is in the process of consolidating its servers and networks to adapt to it. Moving the military onto the cloud makes sense to Defense Department leaders for two reasons: cost and agility.

Generals claim the transition to the cloud will provide a needed third capability, security. Cyber analysts, however, are not completely sold.

The Defense Department unveiled its Cloud Computing Strategy in July with its plans to move the military “from the current state of a duplicative, cumbersome, and costly set of application silos to an end state which is an agile, secure, and cost effective service environment that can rapidly respond to changing mission needs,” according to the strategy document.

In basic terms, the Pentagon’s current computer system has dedicated hardware and servers for every computer system. Under the new system, or the cloud, contractors will deliver software that is installed on the cloud or infrastructure service provider (ISP) where it runs on processing power in a consolidated data center.

Ian Malloy is the CEO for Malloy Labs. He is working to stand up cyber security operations in order to combat cyber threats such as Flame, Stuxnet, and Gauss. Malloy understands why the Pentagon is hoping to save money by moving to the Cloud, but he worries the Pentagon is setting itself up for a catastrophic failure from a cyber attack.

“The cloud infrastructure is virtually leaving little to protect full loss of data should the proper attack be performed,” Malloy said.

He worries that computer engineers have not had enough time to explore the cloud concept and the potential vulnerabilities before transferring the Defense Department’s massive infrastructure onto it.

“Though they espouse advancements in cloud security funding to initialize and begin the process of transferring operationally sensitive systems to a new realm they forget how young and insecure the cloud is,” Malloy said.

Outages seen with Amazon Web Services’ public cloud have made other cyber security analysts leery of the potential risks of moving large agencies onto the cloud.

Kevin Williams works on the B-1 program for Boeing on systems engineering integration. He worries the cloud will not allow for enough redundancy and leave the Defense Department exposed by putting “too many eggs into one basket.” The Pentagon must be sure to diversify its cloud computing sources, he said.

“Most cloud providers will offer different types of redundancy within their architecture as optional features,” he said. “However, this redundancy is still contained within a single system – never put all of your eggs in the same basket. By diversifying your cloud computing sources, you reduce your exposure to a catastrophic cascading failure from a single cloud provider.”

Protecting infrastructure from cascading failure requires the additional investment in “automatic failover.” This is an expensive addition, but it’s a necessary one the Pentagon will have to make, Williams said. That investment could bite into the expected savings the military anticipates.

The Defense Department’s Cloud Computing Strategy states the military has planned this transition to make its networks more efficient as technology and computing become more complex. As the number of networks and the amount of computing power grow, Williams is concerned the cloud could work against itself by shrinking bandwidth for some users.

U.S. military networks are spread out across the world. By consolidating the number of servers, there is the risk that too many users would be stuck on a limited number of high capacity trunk lines flowing into data centers in fewer parts of the world.

“If you have enough users, this could potentially create higher latencies and lower bandwidth speeds which can negatively impact some applications,” Williams said.

Both Williams and Malloy suggested the Pentagon is underestimating the costs associated with transitioning to a cloud computing strategy.

“Relying on creating a “secure” cloud environment as the new DoD funding initiative calls for requires too great of spending on securing the system, without even factoring in transition costs,” Malloy said.

The Pentagon can’t afford not to make those security investments with the U.S. military and government under constant cyber attacks, analysts said. A transition to the cloud computing concept could pose significant advantages for the military’s future, but Williams and Malloy have plenty of doubts the transition will occur safely.

About the Author

Michael Hoffman
Michael Hoffman is the executive editor at Tandem NSI and a contributor to He can be reached at
  • RunningBear

    Hmmm…computer experts urge moving all data to the cloud…computer experts urge data is not protected on the cloud…. both expert groups want more money for studies and programs and “job security, to ad nauseam…”;sounds like someone is chapped, they missed their turn at the “trough”. sickening! :(

    • blight_

      If you read The Hacker News enough (THN) it depresses you.

      And they’re covering all the random cyber attacks in the MidEast that DefTech seems to have given up on…for now.

  • Max

    I don’t understand the stupidity of it all. It must be true what the creator of Dilbert said about management being composed of stupid people who get promoted precisely because they’re stupid. Kind of like, birds of a feather…

  • yoyo

    A security system is only as secure as its weakest point…something to keep in mind.

  • Raraavis

    There is no Cloud. There are lots of clouds. Each vendor big and small has their own cloud, as well as most corporations have private clouds that host only their internal data and applications. Essentially all a cloud is, is the consolidation of processing and data to a more centralized location and depending on longer range data links. Data and processing that used to take place in each building gets consolidated a little farther away in a larger data center.

    What scares me about this article is it seems to indicate that the Pentagon isn’t going to be using its own private clouds but trusting third party providers with its data. This is an incredibly bad idea.

  • John Moore

    More power available at the click of a button is always a good thing.

    Placing secure and secret files on the cloud architecture is not so smart.

    Saying everything is going that way is wrong but it makes sense for some applications.

  • Ranger

    NMCI cannot even keep the Exchange Server up for an entire week without the occasional downtime – meaning you lose email until it’s back up.

    Usually a minor annoyance of a few minutes or so. But if I’m working a serious project on deadline and the necessary program goes offline – THAT is a significant pain in the posterior, including the potential of losing work already done.

    Store on the cloud, maybe. But I want MY programs on MY computer.

  • Bill

    It might sound all good and dandy, but the moment in which the cheapest and qualified cloud-computing provider is selected, you can better be sure that they will become the #1 target for those willing to test their skills.

    Scary move to do this when we haven’t fully figured out the criminal consequences of bypassing government cybersecurity.

  • The_Hand

    What’s driving the move to cloud is the fact that right now every platoon in the DOD has its own IT infrastructure, and they’re all linked together, so the whole thing is only as secure as the weakest link in the chain. You cannot enforce security on a balkanized kludge like that. I hate to even mention the guy, but look at the Manning incident. Are clients on SIPR supposed to have CD-R burners? Hell no, but Manning’s did, so all the traffic on SIPR was compromised.

    Centralization of this sort does create an eggs-in-one-basket situation, but at least the eggs are in a securable basket and not rolling around on the dance floor. It can be made secure if properly architected and operated. That’s a big if, but the threat environment is way too sophisticated for the hodgepodge we have right now.

    As for NMCI, I still have no idea why HP is allowed to have such a stranglehold on defense IT. Talk about waste and inefficiency. I’ve always just assumed they had incriminating pictures of someone.

  • TonyC

    Cyber Pearl Harbor in the making, we had all of our eggs in one basket before. Take out the cloud and disable multiple weapons systems, command and control, and battlefield communications. Sounds like the Microsoft wants DOD work?

    • blight_

      I think you’re over-estimating what the cloud is meant to do.

  • JJMurray

    The “cloud” undoubtedly has some advantages but the bottom line is (as was seen with megaupload) if you don’t keep your stuff backed up locally you are setting yourself up to lose everything when someone cuts your connection to the cloud server(s) or knocks you off the network…and that really isn’t all that hard to do.

  • nurse2go

    Talked to a security computer geek. Asked him how secure the cloud was for Pentagon use. Answer….” use it only if you want the other party to own it”……End of discussion on security in the clouds.

  • liam

    In the simplest of terms…if DOD jumps to cloud technology, without more study, then it is like dropping your pants and exposing yourself…and then with a very loud voice saying, “LET ME HAVE IT…PLEASE MAY I HAVE ANOTHER!!!” If it is not broken then don’t fix it…not until you are sure what you want to go to is gonna work!

  • Musson

    DELL pitched us a SECURE PRIVATE CLOUD. They maintain a ton of blade servers in a secure location and only allow us to access them.

    It would have allowed us to maintain secure banking data – but the upfront costs are more because they cannot rent out the unused capacity to anyone else.

  • blight_

    Considering the military already has a parallel secure intranet, it’s not a bad place to park a cloud. As long as you employ secure air gaps, how’s a hacker going to get to it?

    Of course, it’s easier to get in an autonomous worm with the classic random-flash-drive-with-worm, but it won’t help you get information out, or to operate dynamically with user commands.

  • elmondohummus

    Why did half of my responses disappear? They were polite, directly on topic, I most definitely didn’t take shots at anyone, but instead was talking about cloud computing, which I’m familiar with in my job… did I do something wrong???

  • yakoldnozson

    well, being one of those that is a “recipient” of this “new thinking” – it ain’t NO cloud it’s HELL!!! constant program pushes/updates, constant interruptions, and the stuff is not DELL it’s HP, talk about a total cluster f*)_^)(&^k!!!
    tell the generals and the “wise” contractors and civilians to keep their “cloud” thinking to themselves and before they institute something – make sure it works!!!!!!!

  • BLWarmonger

    I take it the guys who came up with this idea never read Robert Heinlein’s “The Moon’s a Harsh Mistress.” Even in the 1960s they knew what poor security resulted from putting everything on one computer. :)

  • guest

    US Defense CAN NOT risk the reliability and performance of its network and critical data to a cluster of “clouds” that are being developed with foreign money (some from not-friendly nations).
    Some of those not so friendly nations have a vested interest on gaining control or access to US Defense data, motivation enough to subsidize the creation of data clouds in order to put any real free-market competitor out of business. This effect will cause lots of consolidation and turnover of the “ownership” of those unprofitable cloud cells, creating the perfect opportunity for bad things to happen during their unstable transitions (and who knows what kind of waivers and shields from liability their attorneys will insert as part of the deals). In other words, it would be like outsourcing the storage, performance and reliability of the US Defense data to any of the well known, so called “low cost regions”, most of which are controlled by communist or dictator regimes…

  • hdhyrhfh

    Blight yes you can you have to think deep only certain people in this world are capable of thinking beyond the boundaries of what is taught. I’m not even a programmer and if I suggested the idea most would say you can’t do it. Music has patterns beats etc which can be programmed to be interpreted as characters ones and zero whatever you would like to assign them. This isn’t something you can just Google and come up with an answer.

  • hdhyrhfh

    So gdhydfh you’re saying some sort of program would have to be inserted that permits the microphone and program to translate the sound into code. Ok so you’re saying because you already know what music is going to play or playing you have a pattern to create the code. I get you.

  • D. Dieterle

    Not a good move… The government can’t even agree on a cybersecurity doctrine and they want to move DoD servers to outsourced systems? At least if they are in military hands they can control the environment and security procedures. Yes, they may save some money in the short run, but this is the worst idea I have seen to date.

  • Big-Dean

    Let’s rank DOD initiatives/project/actions on a stupid scale 1-10 with 1 having the highest level of stupid all over it. Here’s my list:

    1. Handing over the DOD network to a private contractor, i.e. moving to the cloud
    2. the entire LCS program
    3. cancelling the F-22
    4. having less than 12 carriers
    5. completing the F-35
    6. current military contracting practices
    7. over-emphasis on the “war on terror”
    8. pretending that China is NOT our enemy
    9. dropping the ball completely on proper maintenance of the fleet
    10. too DAMN many generals and admirals

  • rema whitecloud

    remember the pentagon is the machine so any innovative new approaches to archiving the past like cyber storage no worries it does not affect the guardian who watches over the clouds
