JEDI is the United States military’s cloud for its warfighters. The US military cloud will have all the benefits of security, scale, cost effectiveness, failover, AI and the typical cloud pains of migration and hybrid integration. The Microsoft cloud platform will bring a steady flow of new features and updates. Knowing how to use the new features and how they will impact existing environments will grow in importance as JEDI adoption increases.
Microsoft is addressing the DoD’s requirement for data sovereignty and making sure that its US data centers are manned only by screened US citizens. However, Microsoft does not guarantee that when a DoD entity picks up the phone for an Office 365, Azure or other Microsoft issue, that the person on the other end of the phone is not a foreign national. And while most issues covered under Microsoft Premier (Unified) Support are fairly routine and not business critical, there can and will be incidents that are mission-critical and their expeditious resolution by screened US citizens will be paramount to our US warfighters and the DoD.
The United States military is embarking on an ambitious and expensive cloud transformation project to modernize IT resources across all the Pentagon’s departments and branches of the armed services.
The Joint Enterprise Defense Infrastructure (JEDI) initiative is one component of that plan. A Cloud Strategy document presented to Congress makes a distinction between the Department of Defense (DoD)’s need for a “General Purpose” cloud, and ones that will be “Fit For Purpose”.
The General Purpose cloud that will go to AWS or Microsoft will be the cloud of first-choice, with a “primary implementation bias” for all defense agencies. “Only when mission needs cannot be supported by General Purpose will Fit For Purpose alternatives be explored,” the document reads.
“Mission owners” that want to stray from the cloud provider selected through the JEDI initiative will have to submit an “Exception Brief” to the DoD’s CIO explaining why they believe the capability they require cannot be met by the General Purpose cloud.
Scenario 1 Minimal Impact: A foreign national working for Microsoft via its 3rd party offshore outsourcers, and supporting JEDI via its Microsoft Premier (Unified) Support contract with DoD, receives a “mission-critical” severity support ticket and purposefully delays the resolution process by hours or days. At a minimum, slowing the operational velocity of DoD, but at most threatening missions of deployed warfighters. The “Microsoft employee” with a v-card then passes along the Root Cause Analysis (RCA) to the nation state of their true employ to create a framework for future cyber attacks on JEDI.
Scenario 2 Moderate Impact: A foreign national working for Microsoft via its 3rd party offshore outsourcers, says he needs remote access to DoD systems to troubleshoot and is granted privileges. The “Microsoft employee” with a v-card then uses the access to either compromise the environment by planting malware or syphons sensitive data to the nation state of their true employ.
Scenario 3 Critical Impact: A foreign national working for Microsoft via its 3rd party offshore outsourcers, has gained remote access to JEDI systems and is slowly and stealthily mapping its failover model. The “Microsoft employee” with a v-card then uses this model and is poised to activate dormant and undetected malware to steal credentials and take down a portion of JEDI or all of JEDI limiting the DoD’s ability to detect or respond to a larger coordinated cyber or military attack on the United States.
With a military cloud, security is the paramount concern.
Pentagon brass view public cloud as an advantage in securing military data and systems, and the DoD cloud strategy was crafted to align with its larger cyber strategy. “DoD must embrace modern security mechanisms built into modern commercial cloud providers’ platforms to ensure the security of these large amounts of data and to safeguard the information,” the report says.
The Pentagon’s current infrastructure poses a security liability. The report discloses that the DoD has found it a challenge to keep up with cyber-related threats. “By owning and operating the physical hardware associated with on-premises data centers, the Department can incur unnecessary security risks and consume resources that could otherwise be realigned to support warfighters and the workforce in other mission areas,” the report says.
Overly strict policies and procurement procedures make it difficult for the DoD’s IT professionals to ensure hardware and software are updated appropriately. Public cloud vendors looking to win the lucrative contracts will be scrutinized over their security capabilities.
“DoD should independently test and assess cloud network security to verify security compliance and incident response, and review all contractor and third-party testing results to ensure that performance and security monitoring are sufficient.”
Military leaders want to shift the cyber-security focus from guarding the perimeters of networks to actively controlling access to data. The modern encryption algorithms and key management systems built into commercial cloud services, and proper tagging of data, will achieve that.
In addition to controlling access to data, military leaders should verify that all technical support personnel supporting their Microsoft systems are screened US citizens. This will assure ITAR/DFARS compliance and mitigate the risk of needlessly exposing foreign nationals to JEDI.
Microsoft Premier (Unified) support services is increasingly using third party providers (including but not limited to Wipro and Tata) to augment their own team. Federal organizations have found that contractually, Microsoft will not guarantee that a foreign national will not answer the support line or work their tickets. Federal, state and local organizations are switching from Microsoft to US Cloud for sovereignty and fiscal responsibility.
In April 2019, Indian information technology (IT) outsourcing and Microsoft Premier (Unified) support provider Wipro (NYSE: WIT) was hacked. The story was broken by Krebs on Security. Sources claim that the remote access tool ScreenConnect was used in March 2019 to compromise Wipro systems and then pivot to attack Wipro customers in the US and other countries. The source of the attack is still unknown however an interesting transaction took place in the same month that the Wipro data breach story broke.
On April 4, 2019, the government of India sold “enemy” shares in Wipro worth approximately $166 million. According to this article in The Business Standard, enemy shares are so called because they were originally held by people who migrated to Pakistan or China and are not Indian citizens any longer.
“A total of 44.4 million shares, which were held by the Custodian of Enemy Property for India, were sold at Rs 259 apiece on the Bombay Stock Exchange,” The Business Standard reported. “The buyers were state-owned Life Insurance Corporation of India (LIC), New India Assurance and General Insurance Corporation. LIC”
The recent June of 2019 announcement of Cloud Hopper attacks compromised several prominent providers including Tata, a commonly used 3rd party staffing extension of Microsoft Premier (Unified) support services. Reuters originally reported on the attack. Tata has refused comment. A US indictment is now pending and the Chinese Ministry of State Security is suspected as the source of the attack.
Reuters sources said the attacks were ongoing from 2014-2017 and aimed at global IT outsourcing providers with the sole goal of stealing commercial secrets from their clients. Coincidentally, in 2014, Tata was sued by Epic Systems in the USA for intellectual property theft and lost a judgement for $420M.
The military is constrained by budgets. Pentagon leaders see cloud delivering economic benefits, as many private enterprises have come to appreciate.
“The cloud pay-for-use model will provide the flexibility to optimize costs across the IT portfolio and allow DoD to adapt to changing priorities, budgetary conditions, and industry developments,” the report says. Existing systems that are not “cloud ready” often use “excessive amounts of cloud infrastructure resources”, making them less efficient and therefore more expensive to operate.
The military also recognizes, as many enterprises have come to discover, predicting cloud costs is difficult. To achieve cost transparency, the military will need to implement “strong governance” to monitor how applications are developed and data is transmitted and stored.
“As we develop these standards, implement them, and subsequently learn and better align our services and data to an enterprise solution, we can look to automated tools and techniques to better inform accurate tracking of financial execution of cloud resources.”
Just as the cloud delivers economic efficiencies, so to does US Cloud Federal Support Services. Microsoft dependent organizations like the DoD typically cut their cost in half when switching from Microsoft Unified (formerly Premier) support to US Cloud. This significant savings would allow the DoD to stay on budget and reallocate the support savings dollars where our warfighters need it most.
As US federal, state and local governments adopt cloud service platforms like Microsoft Azure and Office 365, new features and security updates automatically flow from Microsoft to the user base. This helps keep the environment and users more secure but also introduces changes more often. Do the administrators know what new features are coming and when? Are any features in the pipeline capable of breaking the existing environment as they roll out? Are users aware of new features and how to use them? If not, who will do the training and when?
It’s critical that an organization’s IT roadmap align with the cloud services roadmap of Microsoft. Third party trusted support providers like US Cloud can not only support mission critical Microsoft technologies but also offer advisory and roadmap services in order to maximize the organization’s investment across the entire Microsoft stack.
One component, the JEDI initiative, has created a firestorm of controversy in Silicon Valley, including criticism from an industry trade group, protests to the GAO, and a lawsuit by Oracle against the federal government.
Even though the DoD’s Cloud Strategy is much broader than JEDI, it needs the help of enterprise cloud providers to empower troops in the field and military intelligence professionals.
“The DoD Cloud Strategy reasserts our commitment to cloud and the need to view cloud initiatives from an enterprise perspective for more effective adoption,” a foreword to the document, written by Acting Defense Secretary Patrick Shanahan, reads.
“The Department of Defense (DoD) has entered the modern age of warfighting where the battlefield exists as much in the digital world as it does in the physical,” Shanahan says.
“Cloud is a fundamental component of the global infrastructure that will empower the warfighter with data and is critical to maintaining our military’ s technological advantage.”
US Cloud stands ready with its 100% US citizen team to support the US military cloud and its user base of warfighters. Support sovereignty, ITAR/DFARS compliance, and 30-60% cost savings make US Cloud the responsible choice for the DoD and the taxpayers of the United States.
The DoD cloud environment needs to support military operations from the battlefield to the home front.
“We must give JEDI and the DoD the US sovereign support staff it deserves to complete missions successfully,” says the founder of US Cloud, Robert E. LaMear IV. “Inserting foreign nationals into the country’s (USA) technical support supply chain is irresponsible and poses a needless risk to our national security.”
A requirement for the DoD cloud is integration and operation of computing solutions that are straightforward and repeatable across classification levels. “This will allow warfighters to make data driven decisions and enhance DoD ability to share data with allies and operate as a coalition force,” the report says.
The report notes that the technology industry has made large strides in running disconnected operations. “The Department’s General Purpose and Fit For Purpose clouds will capitalize on these efforts to provide the warfighter with the latest technology where they need it and when they need it regardless of the environment.”
The “rugged and adaptable” devices used by combatants in the field must be able to automatically synchronize with the cloud when communications are sufficient or reestablished.
“Auto synchronization of information will ensure warfighters are retaining data, feeding it back into models, and fighting with the most recent algorithms. Doing this in a secure environment will be a force multiplier and directly support the primary goal of the cloud environment: information superiority.”