The US Department of Defense just published its cloud browser strategy. What's yours?
On June 5, 2018, the Defense Information Systems Agency released an unclassified request for information (RFI) outlining its intent to procure a cloud browser for 3.1 million Department of Defense (DOD) employees.
The operators of the most-targeted network in the world have concluded that they'd be more secure and efficient if they kept all public web code off the department's network.
This is significant for the entire cybersecurity market, not just the DOD. With this RFI, an arguably niche, disruptive security solution becomes mainstream. Cloud browsers are now something any organization concerned with online security must consider.
DOD personnel use the web for mission-related activities, support and logistics functions, and morale and well-being. With more than 4 million users worldwide, and with many people operating out of sensitive government facilities, the DOD is also a compelling target for cyberattack. The volume of attacks the department must deal with is mind boggling. On any given day, the DOD:
- Contends with "800 million cyber incidents that threaten the network" (Pentagon spokesman Lt. Col. James Brindle)
- Responds to "360 million targeted probes, compared to the 1 million probes an average major US bank gets per month" (DOD chief information assurance officer Robert Lentz)
- Thwarts an "estimated 36 million e-mails containing malware, viruses, and phishing schemes" (Pentagon spokeswoman Heather Babb)
The Defense Information Systems Agency, or DISA, provides network services across the DOD. While the agency would like to limit support to mission-related network traffic — which it has tried to do previously — the public Internet has become a reality it must embrace.
In May 2007, the DOD started blocking access to 13 social media sites. There was strong reaction from both press and DOD insiders citing the requirement for deployed personnel to stay connected with loved ones back home, and the expectation of morale, recreation, and welfare on their personal time.
The debate continued into 2009, when the DOD announced plans to expand the ban to additional "Web 2.0" sites, such as Twitter and Facebook. This time, the rationale wasn't network efficiency — rather, the security vulnerabilities associated with military personnel using social media sites.
Even within the DOD, there was no consensus. The commands were supportive of even more aggressive blocks, but appointees within the Office of the Secretary of Defense publicly stated their support for "Web 2.0" across the DOD, saying "What we can't do is let security concerns trump doing business."
The logjam was broken in June of that year, with the decision for Army bases to stop blocking sites: "It is 'the intent of senior Army leaders to leverage social media as a medium to allow soldiers to "tell the Army story" and to facilitate the dissemination of strategic, unclassified information,'" according to a news story from Wired.
With that, the DOD was back on defense — users got access to the Web, and it was up to the DISA to keep systems secure and available. And it has spent a lot of money to do that. Over the last three years, public records show that the DOD budgeted more than $18 billion for cybersecurity in 2016, nearly 30% increase over 2015. Open RFIs and purchase data shows that it has pursued advanced endpoint solutions, sandboxing, deeper network analysis, and more.
Yet pressure hasn't waned. The volume of non-mission-related traffic has increased dramatically, requiring continual infrastructure investment and aggressive traffic-shaping policies to give priority to mission traffic. Meanwhile, cyber threats have continued unabated.
Projecting the current "spend to protect" trend doesn't end in a happy place. Cybersecurity, according to Gartner, is a $100 billion industry annually, growing at almost 9% CAGR, yet 2017 was the biggest year on record for data breaches, ransomware, and other cybersecurity failures.
DISA, as the network operator for arguably the largest private network in the world, needed to consider solutions out of the box. The result is this RFI for a cloud-based browser.
The concept of a cloud browser is obvious in hindsight. Instead of letting arbitrary web code enter the network and execute on the local device, the cloud browser executes all web code on a remote host. All rendered data is transformed into a known-safe, encrypted interactive display of the web session. This provides immediate isolation from any web threats. But a cloud browser does more: executing in a central location, regardless of the endpoint, the cloud browser becomes the point for improved network efficiency, centralized access policies, data loss prevention controls, audit and oversight of usage, full anonymity, and more.
DISA has come to the same realization that other cloud browser customers have: current cybersecurity solutions analyze and act on content after it has reached the network or endpoint, an approach that does not scale with the threat environment. Cloud browsers make network operations more efficient:
- Cloud browsers prevent any web-native code from executing locally keep malware isolated remotely, which makes them safer.
- Cloud browsers deliver compressed and optimized data to the endpoint, which results in lower bandwidth consumption.
- Not getting infected means IT has less burden with remediation and exceptions management, allowing them to focus on other tasks.
- And, cloud browsers provide centralized audit and oversight of web activity helping manage acceptable use, governance and compliance.
Authentic8 will respond to DISA's RFI. We think it's a strong message to the rest of the government — that current practices regarding web access and security aren't tenable. We also think it's a powerful signal to the commercial market as well.
DISA's network is a national security asset. It's arguably the largest private network in the world, and it's certainly the most targeted. If the DOD is moving to a cloud browser, then the category needs to be taken seriously. What's your cloud browser strategy?