Cyber threats remain a top concern of Department of Defense officials involved in procuring and maintaining C4ISR systems, according to a recent Market Connections survey of 250 decision-makers across the Pentagon. On its own, this finding is not terribly surprising. C4ISR capabilities, no matter how sophisticated, offer little war-fighting value if they are not secure. However, it has been our experience that the same approaches that foster the most effective, integrated C4ISR also create the most secure C4ISR. That is, seamless interoperability and robust security go hand in hand. Here's how our military can best achieve both.
For some time now, military officials have been calling for a shift from proprietary, closed, vendor-owned C4ISR systems to an enterprise architecture that is standards-based, open and government-owned. Under this approach, the government will own the architecture, the system and the data, thus reducing vendor lock-in and helping eliminate inefficiencies. This standards-based approach will also allow for a plug-and-play environment where vendors can bring their most innovative solutions to government for easy insertion into military networks.
As another important step, Pentagon officials have also advocated the adoption of agile, incremental delivery of modular systems with integrated capabilities. Under this approach, military organizations will shift away from the big-bang acquisition approach in which large, monolithic systems are delivered all at once by a single vendor team, often after years of development. Instead, they will acquire smaller, modular systems that are built with common interface specifications and delivered incrementally by the entire industry base. This enables program officials to insert new innovations into the integrated C4ISR solution as soon as they are invented.
What's noteworthy about this approach is that it would help to create a significantly more secure C4ISR environment. Today, the complex interfaces required to integrate independent, proprietary C4ISR systems can introduce vulnerabilities and create security holes that increase the attack surface for malicious actors. Consequently, systems designed to interoperate through interfaces with common (and secure) standards will not be linked by the insecure, and often makeshift, interfaces created when independent systems are integrated after fielding.
In addition, agile development enables systems developers to make cybersecurity an organic and continuing feature of each integrated system. That is, security is tested and, if necessary, improved with each modular phase. The early and continuous engagement of security issues in the design process, along with control over security standards and interfaces, ensures that security, like interoperability, is designed in rather than bolted on after a system is built. In this way, C4ISR solutions are infused with a unified and multilayered defense.
These approaches are key components of an overarching methodology for achieving "integrated C4ISR." In integrated C4ISR, all of the individual pieces are designed from the start — and then maintained throughout the life cycle — as part of an enterprise system. Integrated C4ISR is distinguished by these major features:
- Government-owned, open architectures and standardized interfaces.
- Agile, incremental delivery of modular systems with integrated capabilities.
- Collective forums that bring together operators, acquisition professionals and engineers to support agile development of solutions that are tailored to operational and technical requirements.
- Designed-in cybersecurity to infuse solutions with organic, unified and multilayered defense.
- Enterprise-oriented culture where stakeholders do not think of their roles simply from a functional perspective (i.e., as a technologist, an operator, an acquisition professional), but instead from an enterprise perspective that moves them from a siloed view of the issues to coordinated decision-making.
These features are important not just in developing and fielding C4ISR systems, but also in sustaining them over their life cycles. For example, future upgrades will be easier to integrate and keep secure using open architectures and standardized interfaces. Vibrant government labs and forums can also play a valuable role in sustaining deployed systems by bringing together the best technical experts, operators and other stakeholders to ensure superior security testing of planned upgrades. Given the large number of legacy C4ISR systems that will continue seeing service for the foreseeable future, collaborative testing and forums (such as war games, tabletop exercises and hackathons) are essential to maintaining C4ISR security.
These efforts will achieve greater success if supported by an enterprise-oriented culture that fosters stakeholder collaboration — horizontally across the joint services (U.S. Army, Air Force and Navy/Marine Corps) and vertically across strategic, operational and tactical levels — to prioritize requirements and ensure that cross-organizational mission needs are met.
Integrated C4ISR serves as a force multiplier that enables U.S. war fighters to maintain strategic and battlefield superiority, but only if our sensors, networks and systems are protected with the highest levels of security. The good news is that we do not have to sacrifice interoperability for security. Each reinforces the other.
The best way to protect our C4ISR systems is to create and sustain systems that are both interoperable and secure. Doing so will improve situational awareness and decision-making to give war fighters a decisive advantage in all their mission objectives and realize considerable fiscal savings.
Lorne Caddick is a Booz Allen Hamilton vice president and leader in the firm's Navy/Marine Corps C4ISR business.