On Oct. 21, 2014, government contractor John Reidy filed a remarkable complaint against the Central Intelligence Agency, alleging “catastrophic intelligence failures.” The exact details disappeared into the complaint’s heavily redacted text, but media speculation and quotes attributed to anonymous officials suggested that part of the data breach was the result of Iranians using a mundane Google search to find false front websites the CIA was using for communications. Worse, reports filtered out of Iran and China that large numbers of unmasked U.S. sources had been captured and killed. Reidy said government employees told him, “Upwards of 70% of our operations had been compromised.”
Data security and the protection of our data assets clearly has operational impact, just as cybersecurity measures protect our digital workplace. But it’s important to understand that data security goes beyond cybersecurity; building taller firewalls on the Department of the Navy’s networks can’t stop the Iranians from using Google. Rather, data security means staying one step ahead of the adversary by understanding your data terrain and how the adversary might try to use it to their advantage. When we protect our information we want to ensure that, even if cybersecurity controls fail and data is stolen, it will not be useful to the adversary. With this in mind, it is critical to know where your data is and its access points. Who has permission to read, modify, or delete the data? How, and over what period of time?
The Department of the Navy is moving out on data security with initiatives to catalog, understand, and protect the full range of data assets owned and managed by the DON. The recently released DON Implementation Plan for the DoD Data Strategy is clear evidence of the DON’s strategic and concerted efforts to address data holistically across the workforce, IT infrastructure, policy, and governance. Further, the DON Data Architecture sets the design pattern that program offices and systems developers should use to provide access to data while protecting it, and leverage the shared data services as services of common concern.
The central feature of the data architecture is the concept of information domains, where like data is aggregated at various levels throughout the DON data ecosphere in data hubs, and ultimately, completely integrated into the DON’s enterprise data platform called Jupiter. Through the implementation of the data architecture using Jupiter, and other programs of record, such as NOBLE AWARE and Navy ERP, the DON is building the data pipelines required to feed integrated data hubs with cleaned and curated data from across the Navy and Marine Corps.
Jupiter’s data catalog has already begun tagging, as well as registering the datasets so consumers can find, understand, and integrate the information needed to make critical decisions. Ultimately, Jupiter will strategically position data at the point of consumption for information superiority, while building superb situational awareness on the classes of data the DON is creating, managing, and sharing.
Beyond systems and solutions, the holistic approach to data management includes constructing data security policies to cut through the Gordian knot of security classification guidance. Currently, security classification guides are generally built into the silos of systems and point solutions, rather than taking the integrated approach required for seamless data sharing across warfighting domains. As an example, Joint All-Domain Command and Control (JADC2), the concept for organizing information-fueled warfare against peer adversaries, requires a new approach to data security management that focuses on connections between datasets, rather than on the datasets themselves. As information aggregates in the integrated data hubs and ultimately Jupiter, the DON Chief Data Officer (CDO) is building a threat-informed policy framework to fine-tune security controls for who can access, modify, and delete particular datasets.
The journey to highly effective data security will be a long one and has already started. The DON has a well-controlled, well-ordered enterprise data management environment in Jupiter to ensure that department data is used to strengthen national security — not misused to its detriment.
We will continue to implement the tenets of data protection and information security in systems and solutions across the DON, while consolidating and streamlining policy guidance, security practices, and data security standards. This is truly an exciting time for the DON as we make information the center of decision-making, and support the warfighter at the speed of the mission.
For more information, please see Jupiter: Bringing the Power of Data Analytics to the DON