DND Finally Admits Their Timelines Don't Work
ADM-CIO of DND disclosed some important information at the recent CGAI conference on NORAD Modernization
Raj Thuppal, Assistant Deputy Minister and Chief Information Officer at the Department of National Defence (DND), recently spoke at the Canadian Global Affairs Institute’s Implementing NORAD Modernization: Partnering for Success conference and revealed some interesting information.
That information reveals that DND is finally starting to recognize it cannot wait until 2030 to have a secret cloud to support DND and the Canadian Armed Forces’ (CAF) digitization efforts.
This begins to align DND’s thinking more with the CAF and the CAF Digital Campaign Plan. While details remain limited, it was suggested that they are in talks with the United States and potentially some industry to stand up a form of pilot cloud to enable an initial capability to support digital modernization.
The intent is to have an initial capability by 2025, which aligns with a broader DND/CAF-wide centralized digital modernization effort as detailed in the CAF Digital Campaign Plan. What this capability is going to be in terms of architecture and governance will have major implications for digital modernization for the rest of the forces and the eventual procurement of a full cloud capability.
This may be why DND is hesitant to rely on industry for an initial capability, lest it look to be favoring a particular firm. The major players in this are Google and Amazon/AWS. The last that I was told is that Microsoft’s Azure does not fully meet the security requirements to meet the secure and classified cloud needs, but it remains to be seen if this is enough to break the Microsoft-reflex that many in the government possess.
Update November 1: To clarify, this is the opinion of sources who are operators and experts involved in this process, in cloud security, or offensive security experts. This is not a view held by myself. This, of course, is not the position held by Microsoft, which is very happy to inform me how wrong and prejudicial I am.
Update July 2024: The United States Cyber Safety Review Board has confirmed just how bad Microsoft’s security is: https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023.
Update 2 November 1: It is important to note that there is no singular “cloud” capability project; rather, it is diffused across multiple projects under the previous defence capability blueprint (with ITI in Sp of C2 being the primary secret cloud project). These plans and what the project/program will look like are a moving target. For this reason, there is no definitive set of requirements yet because DND/CAF does not fully know what they want or need yet. What the requirements will be is dependent upon a lot of variables and the use of the cloud in question. For this reason, Azure remains an option for some aspects of DND/CAF cloud, but my sources believe that Azure will have difficulty meeting more restrictive security requirements. The network/cloud architectures used are not all one and the same, and we do not want them all to be the same, as not all have the same purpose. One cloud product may be good for some, but not for others.
As a lot of people have reached out to me, I will clarify that the specific classified/protected cloud being referred to here is one with the infrastructure and capacity to handle the data-intensive projects that come with the CAF Digital Campaign Plan (such as the F-35). While DND/CAF has access to cloud presently, it does not have the capacity or infrastructure to handle its current digital plans. For more details on this, read my analysis of the 2022-23 DND/CAF Departmental Results.
Update 3 April 5 2024: The headline speaks for itself:
M. Rudolph, could you clarify your definition of a Classified B cloud mentioned in your text please? Either you have classified information related to GoC (which would be surprising to see outside of the GoC), or PROTECTED information that pertains mainly to personal information such as Protected A and/or Protected B (which would be logical and common) as referred to below:
GoC levels of security
https://www.tpsgc-pwgsc.gc.ca/esc-src/protection-safeguarding/niveaux-levels-eng.html