JEDI: Outlook for stability uncertain as Pentagon migrates to the cloud

In March, the Defense Department released a draft solicitation for a program known as Joint Enterprise Defense Infrastructure (JEDI). This solicitation provides private-sector firms a preliminary invitation to submit proposals for a new Pentagon initiative in cloud computing. (In April, an updated solicitation was released.) The department plans to spend up to $10 billion in the coming years to establish and maintain JEDI, a project that will involve both infrastructure and platform services and cover an as-yet-undetermined span of the Defense Department’s digital landscape. According to Deputy Defense Secretary Patrick Shanahan, the contract represents a major technological advancement for the department. “It’s not that the cloud’s really cool,” Shanahan says. “[Cloud computing] creates for you the opportunity to have more security, have better access at data, [and] get at lower costs.”

Buried in the 100-page solicitation is a requirement that JEDI store not only classified information but also information designated “Q”—the Energy Department’s classification for information related to US nuclear capabilities (roughly comparable to a “top secret” clearance in the Defense Department). This linkage between cloud computing and nuclear secrets has naturally provoked concern. Even the best technologies present risks, and transformative changes rarely fail to create unforeseen consequences. These realities point toward two important questions. First, how will JEDI affect the ability of the US military to secure its nuclear secrets? Second, what will the JEDI contract and the Pentagon’s migration to cloud computing mean for international stability (specifically, could they create incentives for nuclear war)?

What is the cloud, anyway? In order to answer these questions about stability, it may be useful to start with a quick primer on the “cloud.” Despite its atmospheric moniker, cloud computing does not entail storing data in the sky. Instead, cloud computing involves outsourcing information through networks such as the Internet so it can be stored remotely in central databases that include hardware such as servers, switches, and routers. Cloud computing allows companies, individuals, or (in this case) the Defense Department to centralize data storage within one information technology infrastructure. Therefore, instead of saving pictures, documents, or nuclear secrets to one’s personal hard drive or to the servers that organizations house on site, one uploads data via a network to a series of off-site servers. These servers are managed centrally with a standardized set of software tools for encryption and database management. Cloud computing does not decrease the size of data, or change the “pipes”—telephone lines, fiber optic cables, Wi-Fi, or satellite relays—required for uploading or downloading data. Instead, it centralizes where and how data is stored in order to create efficiencies of scale. In reality, the “cloud” in “cloud computing” simply refers to the way in which information is transmitted and stored.

Another important nuance to understand is the difference between cloud computing and cloud computing services. Cloud computing may be run in-house (through a private cloud) or—as in the case of the JEDI contract—may be contracted to an outside provider. A private cloud requires an organization to physically host infrastructure. When an individual uploads personal data to an organization’s private cloud, the information is stored in the organization’s managed hardware. In contrast, when data is uploaded from one’s home, office, or mobile device to a large cloud computing service such as Amazon Web Services or Microsoft Azure, the data physically resides in large data centers that could be in cities such as Phoenix, Sao Paolo, London, or Tokyo. The JEDI contract is for cloud computing services. It does not involve building a private cloud that the Defense Department will maintain and operate.

Generally, cloud computing services operate according to one of two models. The first model provides both the infrastructure (servers, switches, coolers, and so forth) and the software platforms necessary for fully remote storage and utilization of data. A second option provides just the infrastructure backbone of data storage while customers or users provide, host, and update their own application software. In JEDI’s case, the request for proposals appears to seek both infrastructure and platform application cloud services.

A significant difference between cloud computing services is how they provide encryption. In some services, users encrypt their data before the data is uploaded to the cloud. The responsibility to secure data prior to the upload lies with the user. This means that the cloud provider does not have an encryption key to decrypt information uploaded to the cloud by the user. Therefore, while a service provider may have physical access to hardware, it does not have logical access to data. In other services, the cloud computing service encrypts the data after upload and both the user and the service retain encryption keys. The service therefore has both physical and logical access to the data. Finally, cloud computing services may also offer encryption during the upload of information via—for example—“https” or “ssl” connections.

What does all this mean for where and how Defense Department information will be processed and stored under JEDI? Despite critique from potential cloud computing services about how many companies will eventually host the department’s cloud computing, it appears that the currently envisioned contract will primarily involve a single cloud contractor. This single use contractor will use its hardware and infrastructure backbone to host department data. It will also provide platform applications. It is not clear from the contract where these database centers will be located, but the proposal implies that the data may be stored at commercially owned and operated sites. Classified information must be physically separate from unclassified and public data, but the request doesn’t specify whether classified data must be in a different building or just a different room. According to the JEDI solicitation, the department will hold the encryption key for access to data; therefore, contractors will have only physical access to the databases and not logical access. Essentially, instead of the Defense Department investing in its own hardware for storing data—or allowing units, services, or organizations to host their own data locally—all of the data will migrate to centralized locations to be consolidated by the contractor’s infrastructure. The solicitation seems to leave open the possibility that these infrastructures may be located overseas or in forward-deployed locations. Additionally, for at least some of the data, the contractor will provide software applications to search, store, and utilize data uploaded in the contractor’s cloud.

Cybersecurity and nuclear secrets. What does migration of data to the cloud mean for cyber security, particularly where nuclear secrets are concerned? Are such secrets more secure in a cloud than in locally compartmented storage?

These are complicated technical questions—and difficult ones to answer without revealing the details of current practices for storing sensitive information. Insight can be gleaned, however, by thinking through three general characteristics of cloud computing and examining how these characteristics affect overall cybersecurity. (Keep in mind that these considerations pertain to all cloud storage, both public and private, and therefore encompass more than just JEDI.)

First, utilizing a cloud service instead of storing and administering data locally entails much greater data centralization, which in turn presents different security challenges. Information hosted by a cloud service is funneled through only a few centrally controlled access points instead of through thousands of locally controlled access points. This centralization can be extremely beneficial. Imagine that your data is a medieval city surrounded by a wall. In a cloud enterprise city, you only have to devote your resources to a handful of gates. This decreases the resources you must expend on security and also ensures that you have a limited number of vulnerability points. In contrast, in a locally stored city, you have thousands of gates. Some have lots of security, some have little security, and some have no security. Standardizing security in a locally stored city requires extraordinary bureaucratic and economic resources; the chance of failure is high. But there is also an upside to security in the locally stored city—each of its thousands of gates leads into a labyrinth. Intruders (as well as defenders) are often uncertain how much information or access may be garnered by infiltrating an access point in a locally administered city. In contrast, the cloud enterprise city, with its handful of access points, is more like a city built on a grid, designed for sharing and access. Without data application innovations such as cloud containers, intruders with the keys to the cyber cloud city—or, perhaps even more dangerously, insiders with the keys—could garner much more information than from the locally administered city.

Second, if you pursue data security through maintaining a limited number of access points, encryption becomes vitally important—to a large extent, security on the cloud depends on who wins the arms race between encryption and decryption. The race is constantly evolving. For example, when the FBI was unable to decrypt a smartphone owned by someone involved in the 2015 terrorist attack in San Bernardino, California, the bureau sued Apple, attempting to force the company to help with decryption. When a third-party company used a software flaw to unlock the phone, the FBI quietly the dropped the suit. This vignette highlights how difficult it is to determine whether encryption or decryption is ultimately more likely to win this arms race. Forecasting the cryptology arms race becomes even more difficult as quantum computing emerges—indeed, in the future, one can imagine the advantage in decryption or encryption shifting over a matter of days or weeks instead of months or years.

Third, keys to data already in the cloud aren’t the only prizes in the encryption arms race; security during data upload and download is crucial too. Defense practitioners—whether located on the battlefield, at the Pentagon, or in a submarine, aircraft, or nuclear silo—still must access the cloud in order to upload or retrieve information. JEDI will utilize existing networks to create that access, meaning that warfighters will still use “pipes”—Wi-Fi, fiber optic cabling, and satellite relays. The cloud’s uploading and downloading process isn’t necessarily more secure or less secure than using a local storage option. However, relying on cloud data means that the volume of uploading and downloading will increase. This increases the potential for data interception, especially in more vulnerable network mediums. Fiber optic cabling, for example, is much less likely to be intercepted than satellite relays, but many forward-deployed operations have no access to cabling and therefore rely on satellite and line-of-sight relays to transmit and receive information. This carries a perhaps unexpected side effect—weapons platforms that may be stealthy where radar detection is concerned are increasingly noisy in other parts of the radio frequency spectrum. With the proliferation of passive sensors on adversary platforms, US datalink transmissions to and from the cloud may provide sophisticated adversary defense systems with new methods and means to detect and target otherwise stealthy weapon systems. Additionally, the volume of data transfer to the cloud may provide a tipper to foreign intelligence services about heightened operations in specific areas.

So what does this all mean for nuclear stability? A centralized cloud decreases the overall chance of information breaches, but massive amounts of data might be stolen if access is achieved. Such access will be more likely, or less likely, depending on whether encryption or decryption wins the technological arms race. If a state believes it has a decryption advantage, it could perceive incentives to conduct high-reward, high-risk exploitation attempts early in crises. The bottom line is that storing nuclear secrets in the cloud creates a lucrative and alluring target for adversaries. Still, it is difficult to say whether data stored in the cloud will ultimately be more secure, or less, than data stored through existing mechanisms. The key to success will likely be heavy investment in encryption.

Uploading or downloading information to the cloud creates a different set of considerations for nuclear stability—including considerations with significant implications for how the nuclear triad is employed. The JEDI contract does not specify which type of nuclear secrets might be stored in the cloud. But because questions surround the security of information transmitted via satellite or line-of-sight methods, targeting information for platforms that don’t have access to fiber optics—that is, aircraft and submarines—should probably be stored locally. Perhaps most significantly for aircraft, accessing the cloud—even when no nuclear secrets are involved—will increase adversaries’ detection and targeting abilities. Dual-capable aircraft will need to develop concepts of operations for nuclear alert or nuclear missions that minimize datalink transmissions. Training in line with such concepts will need to be conducted.

The cloud, efficiency, and nuclear stability. One of the greatest advantages of moving data to cloud computing is the ability to utilize big-data analytics and artificial intelligence to process the consolidated data. Instead of allowing data to reside in applications that don’t communicate with one another, cloud computing standardizes the storage and sorting of data, making it much easier to design software applications that can parse information quickly. Such capabilities are a major impetus for the JEDI initiative. As Brig. Gen. David Krumm explained in an April interview with Breaking Defense, “When we look at AI machine learning, what we’re really talking about is the ability to glean information from what is a massive amount of data, coming from all sorts of sources, that gives us the advantage in making decisions really quickly.” Additionally, platform service providers such as Amazon, Microsoft, and IBM can offer off-the-shelf artificial intelligence applications as part of the service, passing on to the Defense Department top-of-the-line big data techniques at market speed and at heavily discounted prices.

But is “making decisions really quickly” good or bad for nuclear stability? This is a complicated question that comes down to the relationships among offense, defense, and incentives to launch a first strike. Imagine that JEDI provides a platform in which intelligence and warning information about missile launches or nuclear movements are brought together from diverse sensors for real-time processing. Theoretically, JEDI could augment available indications and warnings and thereby furnish decision makers with more time to launch a response to an incoming nuclear attack. JEDI could also, on the offensive side, enable war planners to better integrate information from diverse sensors to choose targets—and pass information in real time to weapons commanders who might conduct counterforce strikes against adversary mobile systems.

It’s not clear whether JEDI would qualitatively advantage defense or offense, but it is clear that it would provide capabilities for quick decision making in the face of an attack. That might marginally increase the effectiveness of ballistic missile defense (which suffers from physics challenges in intercepting moving missiles—not sensor/data limitations). However, it would significantly increase the effectiveness of counterforce targeting, especially when the counterforce attack is conducted before the adversary can degrade any cloud connectivity or storage capability. Speeding up decision making therefore creates incentives for first strike, which may have destabilizing effects.

Another goal of JEDI is to create more dependable infrastructures for information technology. How reliable is cloud computing? Reliability generally depends on a provider’s ability to ensure that hardware remains functional (or is backed up in the event it fails to function) and that software applications or changes in infrastructure don’t threaten users’ ability to access, upload, or work with their data. Companies that choose to outsource to the cloud often do so because large cloud services demonstrate greater reliability due to their superior day-to-day maintenance and control.

But cloud computing is certainly not foolproof. Cloud computing services such as Amazon have a track record of providing consistent information technology support, but even the best services experience failures. Moreover, compared to locally fragmented storage alternatives, cloud computing outages can affect massive amounts of data across a service’s information enterprise. An Apple iCloud outage in 2015 affected 2 million users, while a Microsoft failure in the same year spanned most of the central and eastern United States. As recently as March of last year, Amazon Web Services experienced a major half-day outage that affected thousands of websites and applications. In order to manage this trade-off, many large information-dependent institutions rely on multiple cloud services to create reliable data back-ups. This has been a major critique of the current JEDI solicitation, which seems to favor contracting with a single cloud service. As Sam Gordy of IBM Federal has argued, “No major commercial enterprise in the world would risk a single cloud solution, and neither should the Pentagon. IBM will continue to urge that America’s defense cloud be multi-layered, robust, and consistent with the best practice of the world’s major cloud users.”  Further, the more data the Defense Department stores with one provider, the more difficult and expensive it becomes to later host that data with multiple cloud storage services.

Civilian entanglement. The migration of defense data, particularly sensitive data, to civilian infrastructure presents a complicated new challenge to stability. The JEDI solicitation implies that a cloud computing service may use its own infrastructure to host defense information. It is unclear whether that infrastructure will be geographically separated from the rest of the company’s civilian-facing services. Such an arrangement would greatly decrease the cost to the Defense Department, but it also presents troublesome questions—such as whether the cloud computing service hosting JEDI becomes a viable target in armed conflict. Does the utilization of a civilian computing service increase the possibility that states will view civilian companies as legitimate targets in crises?

The separation of civilian and military infrastructure has always been a gray zone in the law of armed conflict, which prohibits attacks on civilian infrastructure but allows for necessary, proportional attacks on dual-use infrastructure. The distinction is tricky because, for example, highways that transport school buses and ambulances can easily be converted to move tanks and mobile missile systems. Railways in the 19th and early 20th centuries famously intertwined states’ military ambitions with their commercial enterprises. Throughout World War II and Vietnam, the United States conducted strategic bombing to degrade dual-use infrastructure. London endured massive attacks from the German Luftwaffe during the Battle of Britain. Quite often, states can make large logical leaps to classify infrastructure as dual-use and therefore as a legitimate military target. Hosting defense data on civilian infrastructure could certainly be framed as dual-use; such reasoning could justify attacks on civilian infrastructure.

In the past, the United States has not needed to think very much about differentiating civilian from military infrastructure because only a few nations—those with the most advanced weaponry—have been capable of striking the US homeland. The advent of cyber operations, however, has changed that dynamic. Both state and non-state actors now have the ability to target US infrastructure. Under the Obama administration, the State Department propagated a norm stipulating that states would not attack each other’s critical infrastructure outside of war. The concern was that the United States, whose economy is highly dependent on digital capabilities, would be asymmetrically vulnerable to attack. The introduction of a civilian provider for military cloud computing would exacerbate this concern. It would create incentives, especially for large states during crises, to attack the cloud computing service as a legitimate dual-use target. These incentives for first strike become more pressing as an opposing state becomes more dependent on and capable in cloud computing. In turn, civilian companies would face a dilemma—and might feel a need to hack back, or use proxies to degrade the offensive cyber capabilities of US adversaries. This scenario raises the specter of inadvertent escalation driven by cyber attacks on increasingly entangled civilian infrastructures.

The paradox. If scholars of war know anything about conflict and the integration of new technologies, it is that states rarely anticipate how technological changes will influence stability dynamics. In this article I’ve highlighted a few potential implications of the JEDI cloud computing service currently proposed. In the end, I cannot say with certainty that JEDI will make nuclear secrets more or less secure. However, I can say that establishing a JEDI system represents a series of trade-offs where stability is concerned—in particular, a trade-off between efficiency and security. Cloud computing can create massive gains in military effectiveness, but it also creates an extraordinarily lucrative target for adversaries. Its centralization of both security and data processing might create incentives for a first strike—though the degree of danger associated with that incentive will largely depend on whether future cryptographic developments benefit encryption or decryption. Further, the consolidation of data and the entanglement of civilian and military infrastructure vastly increase the efficiency of decision making—potentially at the expense of escalation control.

This dynamic highlights what I call the Capability-Vulnerability Paradox of digitally enabled warfare. I have found that, over history, technologies have created destabilizing incentives when the resources required to utilize the technology have also generated vulnerabilities that an adversary could exploit. This was certainly the case with oil and the mechanization revolution—but information has always been different from oil in that information has been decentralized and has created few choke points or vital nodes to incentivize a first strike. However, as data migrates to cloud computing solutions, the paradox moves closer to a dangerous vulnerability in which nations less capable than the United States might feel pressure to launch first strikes at civilian infrastructure in order to win potential conflicts. Further, if the United States chooses to house its nuclear secrets within the cloud or to make its nuclear delivery platforms dependent on data from the cloud, it may also incentivize itself to launch preemptive conventional or nuclear strikes if it believes these platforms may not be able to launch without access to the cloud.

These are not unsolvable problems. They don’t require going back to carrier pigeons and floppy disks—or even abandoning JEDI and migration to the cloud. But these problems do require systematic thought about what information the Defense Department stores in the cloud, where the department requires that hardware be located, how the Pentagon plans and trains for sensitive operations to interact with the cloud, and what redundancies the department builds into dependencies on data. If the Defense Department goes about it right, it can use the cloud and civilian services to create incentives for stability. If done wrong, JEDI may inadvertently create dangerous incentives for nuclear war.

Note: The views presented here are the author’s own and do not represent those of the Naval War College, the US Navy, or the Defense Department.