While the military's main computer network -- the NIPRNET -- is "hopelessly compromised," and the Pentagon has not decided how much risk it can accept to its classified network, the SIPRNET, a vigorous tug of war is also underway between the military, which jealousy guards its Title X responsibilities, and the Department of Homeland Security.
DHS was given responsibility in 2003 to protect national infrastructure, a broad concept that includes everything from power grids and computer networks to agriculture. Part of the problem lies in the fact that that policy effectively makes DHS responsible for drawing up standards for protecting Pentagon computers -- as well as overseeing that they are protected.
The military, which already faces problems hashing out exactly what DISA, Strategic Command, NSA and each service must do, is resisting what it regards as interference from a civilian agency. The White House drafted National Security Policy Directive 54 back in January giving the National Security Agency the lead to detect attacks against US computers, which seemed aimed at fixing this problem -- and making an agency with much greater expertise in detecting computer attacks the government lead. That directive is classified but I understand making NSA the lead has not solved the problem in part because the signals community does not like to share information, even within the military.
Meanwhile, the increasing pressure of repeated attacks from Russian and Chinese sources -- among others -- on the relatively unprotected NIPRNET has left cyber warriors concerned it should not be used to share logistics information, which is crucial to day to day operations. Using the more secure SIPRNET --a physically isolated and classified network that runs parallel to the Internet -- would be extremely cumbersome.
At the same time, a source tells me that the NIPRNET is "hopelessly compromised" largely because it is, effectively, part of the Internet. That leaves the military weighing the difficult task of weighing just how much risk it should accept in putting information on a relatively insecure network. A more complicated issue is just how much risk to accept to the SIPRNET, which I understand has been proven vulnerable to attacks made possible by insiders who violate security protocols and allow the introduction of compromised memory sticks or CDs.
