DSB Task Force on Globalization and Security

Executive Summary

WHAT IS GLOBALIZATION?

Globalization-the integration of the political, economic and cultural activities of geographically and/or nationally separated peoples-is not a discernible event or challenge, is not new, but it is accelerating. More importantly, globalization is largely irresistible. Thus, globalization is not a policy option, but a fact to which policymakers must adapt.

Globalization has accelerated as a result of many positive factors, the most notable of which include: the collapse of communism and the end of the Cold War; the spread of capitalism and free trade; more rapid and global capital flows and more liberal financial markets; the liberalization of communications; international academic and scientific collaboration; and faster and more efficient forms of transportation. At the core of accelerated global integration--at once its principal cause and consequence--is the information revolution, which is knocking down once-formidable barriers of physical distance, blurring national boundaries and creating cross-border communities of all types.

HOW DOES GLOBALIZATION AFFECT DOD?

Globalization affects DOD in two distinct, if overlapping, ways. First, it is altering fundamentally--the composition of DODíS supporting industrial base while, in turn, necessitating a reengineering of DOD acquisition and business Ďpractices. Second, and perhaps more significantly, it is reshaping the military-technological. environment in which--DOD must compete. These twin trends present DoD with both opportunities and challenges to the maintenance of global military dominance.

Globalizationís Impact on DODíS Supporting Industrial Base

DOD once depended upon, and could afford to sustain, a dedicated domestic industrial base for the development, production and provision of its equipment and services. Today, the "U.S. defense industrial base" no longer exists in its Cold War form. Instead, DOD now is supported by a broader, less defense intensive industrial base that is becoming increasingly international in character. This transformation is due largely to the confluence of four factors: (1) deep cuts in U.S. defense investment in the Cold Warís wake (procurement and R&D are down 70 percent and 25 percent in real terms, respectively, since the late-1980s), (2) an explosion in commercial sector high-tech R&D investment and technological advancement, (3) a sustained DoD acquisition reform effort; and 4) a shift in procurement emphasis from weapons and platforms, per se, to the sophisticated information technologies so amplifying their capabilities.

Yesterdayís U.S. defense industry is, with few exceptions, reconstituting itself into a global, more commercially-oriented industry. The traditional core of the defense industrial sector--those firms still focusing nearly exclusively on the defense market--comprises firms that will focus increasingly on the integration of commercially-developed advanced technology to produce military capabilities. That which remains of the traditional U.S. defense sector:

l has undergone an intense period of consolidation;

l has already begun--although mainly in the lower industrial tiers--the process of integration across national borders, via mergers, acquisitions, joint ventures and strategic partnerships with European counterparts, who are themselves in a period of rationalization and consolidation; and

l is now supplied to a significant degree by the commercial sector and is increasingly dependent on commercial business and defense product exports for growth and good health.

The commercial sector, which pays scant attention to national boundaries, is now driving the development of much of the advanced technology integrated into modem information-intensive military systems. This is especially true of the software and consumer microelectronics sectors. Accordingly, future U.S. military-technological advantage will derive less from advanced component and subsystem technology developed by the U.S. defense sector than from the military functionality generated by superior, though not necessarily U.S.-based, defense sector systems integration skills.

The economic and technological imperatives for increased DOD reliance on the commercial sector have also necessitated a reengineering of the Departmentís acquisition and business practices. Acquisition reform initiatives launched in the early 1990s had evolved by late 1997 into a broader, ongoing Defense Reform Initiative. The most striking aspect of DODíS business practice reengineering is the ongoing, Defense-wide transition to an all-electronic business operating environment. Within just a few years, virtually all DOD business operations, and many critical military functions (e.g., logistics), will be conducted over the Internet and World Wide Web.

Benefits and Risks of Industrial Base Globalization

The potential benefits of globalization are manifold. Increased use of the commercial sector cannot be separated from the effects of globalization. Nor is increased DOD reliance on the commercial sector reversible without sacrificing the huge gains in capability achieved through rapid insertion of leading-edge commercial technology (particularly information-related), and comparable gains in efficiency through use of commercial services. Greater commercial reliance also has the potential to increase the pace of modernization by reducing system acquisition cycle time. The DOD experience of product development cycles for defense systems of 18 years contrasts sharply with much shorter such cycles for most commercial products.

Moreover, commercial acquisition could lower substantially the cost not only of new systems, but also of system upgrades and operational support. Indeed, the impact on DOD capabilities of the post-Cold War decline in defense resources has been manageable only through greater use of commercial products and services. Finally, the Departmentís adoption of "world-class" commercial business practices-enabled by the full exploitation of Internet-based information technologies-could enhance dramatically DODíS organizational efficiency and effectiveness. This could allow DOD to cut overhead costs and reinvest the savings in force modernization, and to improve its logistical support to the warfighter.

Cross-border defense industrial integration-and transatlantic links in particular--can help spread the fiscal burden of new system development and production and, from a U.S. perspective, facilitate greater access to our alliesí technology and capital. Competition between transatlantic industrial teams-each consisting of both European and U.S. members--could yield innovative, high-quality products, and, for domicile governments, a greater return on defense investments. Such competition would likely stimulate innovation and create the incentive to adopt the industrial and acquisition-related efficiencies that generate downward pressure on system cost and acquisition cycle-time. Transatlantic defense industrial links are a potential source of greater political-military cohesion within NATO and of a stronger alliance industrial underpinning, and thus would help to promote more uniform modernization and thus enhance U.S.-European interoperability.

Such links could also amplify NATO fighting strength by enhancing U.S.-European interoperability and narrowing the U.S.-European technological gap. Perhaps most important, strong transatlantic industrial links could help DOD avert a distinctly negative outcome: the emergence of protectionist "Fortress Europe-Fortress America" defense trade blocs that could serve to widen the U.S.-European military-technological gap and weaken overall NATO integrity.

To be sure, there are risks to DOD in relying more heavily on a fully globalized commercial sector and on a transnational defense industrial base. On balance, however, the Task Force found these risks to be manageable and noted comparable vulnerabilities in DODíS traditional approach to defense procurement-reliance on a captive U.S. defense industry. But while the Task Force deemed the risks manageable, it recommends more aggressive and accountable management of those risks.

The Departmentís transition to an Internet-based business operating environment--designed in part to enhance civil-military integration--places most of DODíS digital activities and information within the cyber-reach of any and all who want to rapidly gather intelligence on the United States and/or who wish us harm. Such global interconnectivity could provide potential adversaries an open-source intelligence boon. Adversaries scanning DOD websites will likely exploit electronic data mining and aggregation capabilities to piece together rapidly and inexpensively information on U.S. capabilities, operations and personnel that heretofore would have taken much more time, effort and resources to obtain.

Global interconnectivity can also provide adversaries an electronic penetration pathway into U.S. information systems to harm the confidentiality, integrity or availability of essential information and functionality. Such activities are now referred to broadly in national security parlance as information operations. The principal risk associated with commercial acquisition is that DODíS necessary, inevitable and ever-increasing reliance on commercial software--often developed offshore and/or by software engineers who owe little, if any allegiance to the United States--is likely amplifying DOD vulnerability to information operations against all systems incorporating such software.

Commercial software products--within which malicious code can be hidden--are becoming foundations of DODíS future command and control, weapons, logistics and business operational systems (e.g., contracting and weapon system support). Such malicious code, which would facilitate system intrusion, would be all but impossible to detect through testing, primarily because of softwareís extreme and ever-increasing complexity. Of equal concern is the ubiquity of exploitable, though inadvertent, vulnerabilities in commercial software. In either case, the trend toward universal networking increases the risk. Inevitably, increased functionality means increased vulnerability.

Compounding matters, the current personnel security system is ill-configured to mitigate the growing information operations risks. The problems lie generally in the over-classification of information (which skews allocation of security resources), and the inherent limitations of the security clearance model (which provides little, if any, monitoring of personnel for five to 10 years after the clearance is granted). The current security model deals principally with the confidentiality of information, neglecting the integrity and availability of information and information systems.

Information technology has also outpaced some of the core concepts upon which the traditional DOD security system is based: the control of physical access, and the distinctions between classified and unclassified information. Security programs have focused on the control of physical access to information and materials, because the spies of the past generally have exploited their physical access to the material they wanted to compromise. However, the practices and tools of physical access control (e.g., access to facilities, controlled areas, or photocopiers) are ineffective against the remote cyber-spy and trusted insider cyber-traitor. The current personnel security system also tends to focus primarily on classified information and activities. It is clear today, however, that the classified world is not the only one with a security requirement. DOD has a number of unclassified systems that are, in every sense, "mission critical" (e.g., wartime blood supply management networks) yet essentially unprotected by the existing security system.

The traditional risk associated with cross-border defense industrial integration is the unauthorized or unintended direct or third-party transfer of "sensitive" U.S. military technology. However, the strong compliance record of foreign-owned, controlled or influenced (FOCI) firms operating in the U.S. under DOD security agreements (e.g., Security Control Agreements, Special Security Agreements, Voting Trusts, or Proxy Board Agreements) indicates that the risks are manageable. Several U.S. government studies, in fact, conclude that our risk mitigation measures have been very successful. Indeed, the evidence shows that regulatory compliance has been of a higher order for domestic subsidiaries of foreign parents than for domestic firms. To be sure, unauthorized technology transfer is a serious problem. Yet, it is a longstanding and, in all likelihood, enduring one that comes from all azimuths, including U.S. citizens cleared to the highest levels and legitimate exports. So long as the established security mechanisms are in place, the risk of unauthorized disclosure can be mitigated, if imperfectly.

Beyond unauthorized technology transfer, the risks associated with cross-border defense linkages are less clear-cut. To the extent that foreign direct investment in the U.S. defense sector leads to the offshore relocation of domestic development and manufacturing facilities, it could result in the erosion of certain domestic defense industrial skills. There is legitimate concern about potential disruptions in the supply of critical components or subsystems should sole industrial sources for such articles move offshore or come under foreign ownership. And, there is a related concern about potential loss of DOD influence over weapon system design should cross-border consolidation result in a very few large transnational firms selling to dozens of major buying nations (thus reducing DODíS market share). The Task Force examined these potential risks, but found none of them new, nor compelling when cast against the potential benefits of transnational defense industrial integration.

Globalizationís Impact on the International Military-Technological Environment

From a long-term strategic standpoint, globalizationís most significant manifestation is the irresistible leveling effect it is having on the international military-technological environment in which DOD must compete. Over time, all states-not just the U.S. and its allies-will share access to much of the technology underpinning the modem military.

The international conventional arms market, once driven mainly by political imperatives, is now driven increasingly by economic imperatives. This is perhaps less true of the United States--the Arms Export Control Act requires conventional arms transfers to be consistent with U.S. foreign policy and national security objectives--but the U.S. defense sector is far from immune to the trend. The economic pressure on firms to export, combined with their governmentsí willingness to let them do so and with the increasing level of cross-border collaboration, will progressively erode the effectiveness of conventional arms and defense technology export controls worldwide. When combined with the black and gray market availability of most types of defense products, and the pressure on already export-minded firms to offer their most sophisticated equipment, these trends suggest that, with few exceptions, advanced conventional weapons will be available to anyone who can afford them.

The technology DOD is most anticipating leveraging to maintain military dominance is that which the United States is least capable of denying its potential competitors. Access to commercial technology is virtually universal, and its exploitation for both civil and military ends is largely unconstrained. The most important enabling technologies for information-intensive U.S. concepts of warfare-access to space, surveillance, sensors and signal processing, high fidelity simulation, and telecommunications-are available to the U.S., its allies, and its adversaries alike. Indeed, owing to the proliferation of military technology, the commercialization of former military-specific technology, and the increasing reliance of militaries worldwide on commercially-developed technology, and the general diffusion of technology and know-how, the majority of militarily useful technology is or eventually will be available commercially and/or from non-U.S. defense companies. The so-called "Revolution in Military Affairs" is, at least from a technology availability standpoint, truly a global affair.

Potential competitors are exploiting their newfound access to militarily useful technology in a manner strategically detrimental to DOD. They are not trying to match U.S. strengths or achieve across the board military parity with the United States. Rather, as several recent DSB Summer Studies have pointed out, potential competitors are channeling their more limited defense resources into widely-available capabilities that could allow them to exploit a fundamental weakness of American power projection strategy: the absolute reliance of most U.S. forces on unimpeded, unrestricted access to and use of theater ports, bases, airfields, airspace and coastal waters. By 2010-2020, potential adversaries, exploiting a truly global military-technical revolution, will likely have developed robust and unconventional-for disrupting U.S. homeland preparations to deploy to the theater of conflict; denying U.S. forces access to the theater; degrading the capabilities of the forces the U.S. does manage to deploy; and, in the process, raising, perhaps prohibitively, the cost of U.S. intervention. In short, technological leveling--globalizationís most strategically unsettling manifestation from a U.S. perspective--is clearly the engine of the emerging "anti-access" threat.

Consequently, there is growing risk inherent in U.S. power projection and force modernization strategy. Left unchecked, this may lead to a decline in the U.S. militaryís utility for influencing events abroad or protecting U.S. global interests at acceptable cost-a serious erosion of military dominance. At the root of the problem are the inherent limitations--namely, sluggish deployment times and heavy dependence on theater access--of the legacy, primarily short-range, general-purpose force elements to which the vast majority of the Servicesí modernization funding is currently dedicated. Viewed in this light, the continued budgetary, strategic and force structuring primacy of legacy systems in DOD budgets has a clear and high opportunity cost: the investment agiIity necessary to transform U.S. strategy and forces to meet the emerging strategic challenges posed by global military-technological leveling.

Compounding this problem are the continuing declines in DOD research, development, test and evaluation (RDT&E) and defense industry internal research and development (R&D) spending, and the related skewing of such R&D investment toward near-term priorities and away from fundamentally new capabilities. The result is severely depressed U.S. military-technological innovation at a time when the premium on innovation has never been higher.

Theoretically, the U.S. could mitigate the undesirable effects of global military-technological leveling by coordinating with its allies the multilateral control of conventional military and dual-use technology exports. This approach worked reasonably well during the Cold War through the Coordinating Committee on Export Controls (CoCom). However, multilateral controls today are no longer a significant factor affecting access .to highly sophisticated dual-use technology and they have been only marginally more successful in the conventional weapons arena. CoComís success derived from its members facing a common threat--the Warsaw Pact and, to a lesser extent, China--and sharing a common objective: retarding Warsaw Pact and Chinese technological advancement. CoCom also benefited from the disproportionate leverage the United States, its leading advocate, held over the other members as the guarantor of Western security. The Cold Warís end undermined this cooperative impetus, and the U.S. can no longer count on its allies, its closest competitors in the high-tech sector, to follow Americaís lead. The lukewarm success of CoComís successor, the Wassenaar Arrangement, is a testament to the declining utility of multilateral technology controls in the post-Cold War era.

The strategic significance of global military-technological leveling cannot be overstated. It presents a direct challenge to perhaps the fundamental, if subliminal, assumption underlying the modern--and certainly post-Cold War--concept of U.S. military superiority: that the United States enjoys disproportionately greater access to advanced technology than its potential adversaries. This assumption also underpins the logic holding that technology controls are the sine qua non of U.S. military dominance.

The reality is that the United Statesí capability to effectively deny its competitors access to militarily useful technology will likely decrease substantially over the long-term. Export controls on U.S. technologies, products and services with defense/dual-use applications will continue to play a role in the pursuit of U.S. foreign policy objectives. However, the utility of export controls as a tool for maintaining the United Statesí global military advantage is diminishing as the number of U.S.-controllable militarily useful technologies shrinks. A failure by U.S. leadership to recognize this fundamental shift--particularly if masked by unwarranted confidence in broad or even country-specific export controls--could foster a false sense of security as potential adversaries arm themselves with available technology functionally equivalent to or better than our own. 

Clinging to a failing policy of export controls has undesirable consequences beyond self-delusion. It can limit the special influence the U.S. might otherwise accrue as a global provider and supporter of military equipment and services. This obviously includes useful knowledge of, and access to, competitor military systems that only the supplier would have, and the ability to withhold training, spares, and support. Equally obvious, shutting U.S. companies out of markets served instead by foreign firms will weaken the U.S. commercial advanced technology and defense sectors upon which US. economic security and military-technical advantage depend.

KEY TASK FORCE RECOMMENDATIONS

DOD has not been aggressive in capturing the benefits of or mitigating the risks posed by globalization. Change has come slowly due to a range of factors, including cultural impediments, legal and regulatory obstacles, and restrictive and unclear policies. The Department needs to change the way it does business in a number of areas:

The Department needs a new approach to maintaining military dominance

Globalization is irresistibly eroding the military advantage the U.S. has long sought to derive through technology controls. Accordingly,- the more the United States depends on technology controls for maintaining the capability gap between its military forces and those of its competitors, the greater the likelihood that gap will narrow. To hedge against this risk, DoDíS strategy for achieving and maintaining military dominance must be rooted firmly in the awareness that technology controls ultimately will not succeed in denying its competitors access to militarily useful technology.

DOD must shift its overall approach to military dominance from "protecting" militarily-relevant technologies--the building blocks of military capability--to "preserving" in the face of globalization those military capabilities essential to meeting national military objectives. Protection would play a role in an overall strategy for preserving essential capabilities, but its primacy would be supplanted by three other strategy elements: direct capability enhancement, institutionalized vulnerability analysis and assessment, and risk mitigation efforts designed to ensure system integrity.

To shift its approach from technology protection to essential capability preservation the Task Force recommends that DOD: 1) establish a permanent process for determining a continuously evolving "short list" of essential military capabilities, and 2) develop strategies for preserving each essential capability. Both the list of essential military capabilities and the strategies for their preservation are needed to inform the development of U.S. warfighting strategy and the forces to underpin that strategy (by identifying how and with what the U.S. will need to fight to remain dominant), DOD positions on technology and personnel security (by helping to identify those capabilities and/or constituent technologies which DOD should attempt to protect and how vigorously they should be protected); and DOD acquisition risk mitigation measures (by identifying those systems that should be the focus of intense efforts to ensure system integrity).

DOD needs to change substantially its approach to technology security

The United States has a national approach to technology security, one in which the Departments of State and Defense both play essential roles. The Task Force does not challenge the propriety of the Department of Stateís statutory obligation to evaluate proposed defense technology transfers against U.S. foreign policy objectives. That said the leveling of the global military-technological playing field also necessitates a substantial shift in DODíS approach to technology security, the principal objective of which is to help maintain the U.S. military-technical advantage.

DOD should attempt to protect for the purposes of maintaining military advantage only those capabilities and technologies of which the U.S. is the sole possessor and whose protection is deemed necessary to preserve an essential military capability. Protection of capabilities and technologies readily available on the world market is, at best, unhelpful to the maintenance of military dominance and, at worst, counterproductive (e.g., by undermining the industry upon which U.S. military-technological supremacy depends). Where there is foreign availability of technologies, a decision to transfer need only be made on foreign policy grounds by the Department of State. DOD should no longer review export license applications as part of its role in the arms transfer process when foreign availability has been established. This will allow the DOD licensing review to concentrate on cases where the availability of technology is exclusive to the United States.

Moreover, military capability is created when widely available and/or defense-unique technologies are integrated into a defense system. Accordingly, DOD should give highest priority in its technology security efforts to technology integration capabilities and the resulting military capabilities themselves, and accordingly lower priority to the individual technologies of which they are comprised.

For those items and/or information that DOD can and should protect, the Task Force believes security measures need improvement. The means for such an improvement might come from a redistribution of the current level of security resources/effort, whereby DOD relaxes security in less important areas and tightens up in those most critical. In short, DOD must put up higher walls around a much smaller group of capabilities and technologies.

DOD must realize fully the potential of the commercial sector to meets its needs

To leverage fully the commercial sector, DOD must do more than simply acquire available commercial products and adopt commercial practices. In some cases, DOD must engage commercial industry in an effort to shape the development of new products and services to better meet its needs. In many cases, DOD must adapt its often-bloated system requirements to, and develop new concepts that fit, operationally acceptable commercial solutions. The Task Force makes two primary recommendations designed to help DOD meet this overarching objective.

First, the Secretary of Defense should give commercial acquisition primacy and broader scope by establishing it as the modernization instrument of first resort. DOD should seek to meet its modernization needs, whenever possible, with commercial solutions (including integrated services, systems, subsystems, components and building-block technologies) acquired using commercial acquisition practices. The Secretary should grant waivers to the acquisition of commercial products and services only when program managers can demonstrate that either no commercial options exist or that available commercial options cannot meet all critical performance requirements. DOD should employ commercial acquisition practices in all cases. The Task Force recognizes that some integrated, military-specific systems (e.g., precision-guided munitions and combat aircraft) are not and will likely never be provided by the commercial sector. Even here, DOD should meet its needs, whenever possible, with commercial components and subsystems. DOD can and should tap the commercial market to support virtually all of its modernization requirements.

Second, the Under Secretary of Defense for Acquisition and Technology should form and routinely employ "Commercial Acquisition Gold Teams" to provide and manage advocacy for expanded DOD leverage of the commercial sector. The Task Force believes that Gold Teams should be employed during the earliest stages of the acquisition process (the concept definition phase), where they will have the best opportunity to reduce both the time and cost of developing and fielding new systems. Gold Teams should be focused initially on the commercial industry sectors from which the Task Force believes DOD can derive immediate and profound benefit: air and sea transportation; logistics and sustainment; communications and information systems; space-based surveillance and high-efficiency ground transportation. The organizational character and composition of the Commercial Acquisition Gold Teams are best determined by the USD(A&T). Teams could be either standing or ad hoc in character. Personnel could be either in-house (i.e., DOD), drawn from the contractor/FFRDC community, or a mix of the two.

In addition to these two core recommendations, DOD must also: 1) engage proactively in commercial standards management; 2) conduct a comprehensive review of the Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) with the intent of asking Congress to eliminate remaining statutory barriers to DOD procurement of commercial products and services and also commercial sector disincentives for doing business with DOD; and 3) field on the World Wide Web interactive "distance-learning" software that would allow commercial firms to quickly familiarize themselves with the FAR/DFARS; rapidly determine which regulations apply to their specific contracts; and comply fully with those regulations.

DOD should take the lead in establishing and maintaining a real-time, interagency database of globally available, militarily relevant technologies and capabilities

Such a database, which would facilitate rapid and authoritative determination of the foreign availability of a particular technology or military capability, would serve two principal functions. First, it would allow those involved in the export licensing and arms transfer decisionmaking process to determine which technologies and capabilities are available abroad and thus no longer U.S.-controllable. Second, it would facilitate enhanced access by U.S. government and industry weapons developers to the global technological marketplace by illuminating potential foreign sources and/or collaborators.

DOD must ensure the integrity of essential software-intensive systems

With DODíS growing reliance on commercial software increasing its vulnerability to information operations, the Department must redouble its efforts to ensure the integrity of essential software-intensive systems. To this end, the Task Force makes two primary recommendations. First, the Secretary of Defense should affirm the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) as responsible for ensuring the pre-operational integrity of essential software-intensive systems. In turn, the ASD(C3I) should develop and promulgate an Essential System Software Assurance Program which:

l identifies a point organization for software acquisition review to promote the purchase of commercial software while monitoring its vulnerabilities;

l identifies unambiguously the point in the acquisition process where a systemís operator should assume responsibility for its integrity throughout its operational life;

l updates guidance concerning program managersí software integrity assurance responsibilities and declare such integrity a Key Performance Parameter (KPP);

l considers the "clean room" acquisition of certain essential systems or subsystems (i.e., one-hundred percent DOD-controlled system development and production);

l introduces "red-teaming" and independent vulnerability analysis procedures into the acquisition process for all essential systems;

l develops specifications and guidelines for the certification of software trustworthiness at a set of pre-defined levels;

l sponsors research at DARPA and NIST on trust certification and management in software, software design methodology, proof of software correctness, taxonomy of vulnerability, and smart (if non-exhaustive) testing; and

l considers using public (hacker) testing to test algorithm, code and system resilience.

Second, the Secretary of Defense should reaffirm the responsibility of essential system operators to ensure the integrity of those systems throughout their operational life, and assign to the OASD(C3I) Defense Information Assurance Program (DIAP) office the tasks of monitoring and establishing incentives to ensure operator compliance, and of overseeing the administration of the resources required for this purpose. The OASD(C3I) DIAP office should be upgraded (in terms of personnel, equipment and funding) and assigned the full responsibility of overseeing program office/operator identification, programming and execution of the required resources, and of submitting a consolidated information assurance budget. In turn, the operators should:

l ensure that intrusion and anomaly detection systems are in place, current, and operating at peak efficiency;

l ensure that sufficient excess capacity is available to counter expected denial-of-service attacks, and/or that other measures are taken to improve recovery and reconstitution of essential systems;

l ensure that systems originally intended as independent backups are still independent given changes in technology and threat by using dedicated vulnerability-analysis "red" teams;

l ensure adequate configuration control of essential systems; and

l deny unauthorized access--using physical, technical and personnel security measures.

The Task Force also recommends that DOD: 1) expand its red-teaming and vulnerability-assessment capabilities; 2) ensure a sufficiently staffed, trained, and motivated workforce to acquire and operate essential systems; and 3) enhance security and counter-intelligence programs to deal with the new challenges presented by relying on commercially purchased systems and subsystems of foreign manufacture.

DOD should facilitate transnational defense industrial collaboration and integration

Greater transnational, and particularly transatlantic, defense-industrial integration could potentially yield tremendous benefit to the United States and its allies. The Task Force, however, identified a range of factors working to inhibit foreign industrial interest in greater integration with their U.S. counterparts. These include insufficient clarity in DOD policy on cross-border defense industrial mergers and acquisitions, and an overly burdensome regulatory environment surrounding both foreign direct investment in the U.S. defense sector and the transfer of U.S. defense technology, products and services.

The Task Force makes three principal recommendations to erode these barriers to effective defense sector globalization. First, DOD should publicly reaffirm, on a recurring basis, its willingness to consider a range of cross-border defense industrial linkages that enhance U.S. security, interoperability with potential coalition partners and competition in defense markets. Special attention should be paid to illuminating--to the extent practicable--DODís broad criteria for merger and acquisition approval, and DODíS policy rationale (e.g., the national security benefits of cross-border defense consolidation). Second, the Department of Defense should engage the Department of State to jointly modernize the regulatory regime and associated administrative processes affecting the export of U.S. defense articles. Third, DOD should also modernize the administrative and regulatory processes associated with foreign direct investment (FDI) to facilitate FDI in the U.S. defense sector.

The Task Force also recommends that DOD adapt existing bilateral industrial security arrangements to respond to the emergence of multinational foreign defense industrial organizations. The change in the structure of the defense industry raises a question about whether the existing security practices are appropriate to its inevitable globalization.

DOD needs to reform its personnel security system

Personnel security is the foundation upon which all other safeguards must rest. However, the Task Force is convinced that, with far more information than necessary being classified by the Original Classification Authorities, the DOD personnel security program is forced to sweep too broadly and is consequently spread thin. Over-classification also leads to an over-allocation of security resources to the protection of classified information at a time when greater resources must be devoted to developing new types of security measures tailored to the challenges created by global information technology. DOD should make a serious commitment to developing a coordinated analytic framework to serve as the basis for classifying information, and for implementing that framework rigorously.

DOD personnel security also depends too heavily on the security clearance process. The clearance process does provide a vital initial filter, weeding out individuals with criminal records or other conspicuously irresponsible conduct. Beyond that, however, its utility fades precipitously--a fact with which the Department must come to grips. Unrealistic expectations of the clearance process have inadvertently undermined the very alertness, accountability and situational awareness necessary for security in a networked world.

In the dynamic, networked environment created by global information technology, DOD needs to develop an enhanced situational awareness approach to personnel security that considers new vulnerabilities, threats, and response requirements. Emerging information technologies (e.g., near real-time data mining of financial and foreign travel databases) hold the seeds of effective defensive options. Compartmentation is also a valuable security instrument. DOD should place a premium on protecting information that is properly determined to require control in codeword compartments. Also needed is an appropriate security program for government and defense industry personnel who occupy "sensitive but unclassified" information technology positions (e.g., those critical for protecting information systems from hostile disruption or manipulation via the global information infrastructure). Here, monitoring on-the-job performance may be more important than full field background investigations.

In the information age, no single set of personnel security countermeasures will suffice; DOD must achieve a complementary mix of technical, procedural, human resources management and traditional personnel security measures. To this end, the Task Force recommends that DOD:

l Adapt its personnel security system to the information age by streamlining the security classification and clearance processes; ensuring that classifications are justified to mitigate the problem of over-classification; and moving away from a rigid clearance structure.

l Compartmentalize its most sensitive information and activities by restoring the "need to know" principle for classified data stored on electronic systems (taking advantage of security, privacy and intellectual property rights management developments in the e-commerce sector.)

l Institute a situational awareness approach to personnel security combining technical monitoring and human resources management tailored to positions presenting the greatest risks and vulnerabilities.

l Develop a new situational awareness program for personnel in sensitive (classified and unclassified) information technology positions.

l Work with the Intelligence Community to develop more effective situational awareness measures to address the insider threat at the classified level, making greater use of outside research and independent threat/vulnerability evaluation.

***********

Globalization brings with it opportunity and risk. Boldness is required to meet this challenge and to capture the benefits of globalization while mitigating its risks. Leadership is the key. Success will hinge on DODíS ability to establish clear policy guidance that is understood within the Department and across U.S. Government agencies, in the Congress, in U.S. industry, and by allies and friends abroad.