The essentials of trusted computing and cyber security

Jan. 6, 2021
U.S. military and government information security experts try to hold the line against determined hackers from foreign governments and non-state bad actors seeking to break into critical computing systems.

NASHUA, N.H. - We live in a digital world that depends increasingly on technology and the systems that keep the digital world connected. It also is incumbent on the military and the intelligence community to keep malicious actors at bay from the homeland’s connected infrastructure.

The cyber domain comprises civilian comforts like home appliances, video games, and streaming video services like Netflix and Hulu. However, comforts take a back seat to keeping our connected power grids, hospitals, logistics, satellite communications, and even our own representative democracy.

Last month, the American people participated in a nationwide general election that was protected from outside actors by the U.S. Cyber Command and National Security Agency (NSA).

“We’re looking at the spectrum of all of our adversaries, Russia, China, Iran, and ransomware actors,” said Dave Imbordino, the NSA election security lead ahead of the 3 November election during the 2020 DEF CON computer hacking conference. “There’s more people in the game. They’re learning from each other. Influence is a cheap game to get into now with social media. It doesn’t cost a lot of money. You can try to launder your narratives online through different media outlets. That’s something we’re laser-focused on as well.”

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a 12 November statement, the 2020 election was “The most secure in American history,” and that “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”

Beyond the ballot box

Of course, the purview of the military and intelligence cyber security apparatus extends well beyond the protection of homeland infrastructure. The military and aerospace industry needs to build rugged systems that work in extreme environments that not only enable our warfighters to complete missions, but also to deny intelligence — including proprietary, secret technologies alongside traditional military intelligence — to adversaries.

Because militaries around the world always are looking for an advantage over current and future foes, keeping that edge can make the difference between success and failure. As soon as the first computers were put to use in war rooms and operation centers, adversaries took an interest in accessing them to control or compromise the technology.

Now, with increasingly connected equipment, malicious actors do not need to be in the same hemisphere — much less the same country — to try and compromise systems or acquire intellectual property and trade secrets.

According to the U.S. Department of Defense (DOD), some of the main actors in malicious cyber activities include China, Russia, Iran, and North Korea. Of the quartet, China appears to have the most robust ability. The U.S. Department of Justice (DOJ) estimates that more than 90 percent of economic espionage cases involve China, as well as two thirds of trade secret theft.

China pledged in 2015 not to use espionage to further its economic interests, but this year the DOJ announced indictments related to China’s malicious cyber activity — including allegations of stealing terabytes of data that included COVID-19 research.

There are also non-state actors, including terrorist groups that use cyberspace to disseminate propaganda, recruit extremists, and raise funds for operations. More run-of-the-mill criminals use ransomware to extort public and private institutions.

A new approach

In the fall of 2018, the DOD announced the new National Cyber Strategy for the first time in 15 years. The strategy, according to the DOD, is founded on four pillars: protecting the American people, the homeland and the American way of life; promoting American prosperity; preserving peace through strength; and advancing American influence.

In its summary of the 2018 National Cyber Strategy, the DOD says “it is now undeniable that the homeland is no longer a sanctuary. America is a target, whether from terrorists seeking to attack our citizens; malicious cyber activity against personal, commercial, or government infrastructure; or political and information subversion. New threats to commercial and military uses of space are emerging, while increasing digital connectivity of all aspects of life, business, government, and military creates significant vulnerabilities. During conflict, attacks against our critical defense, government, and economic infrastructure must be anticipated.”

For example, if an adversary were able to shut down a power grid, life in the homeland would be turned upside down. Hospitals would have to rely on generators to keep ventilators running, medicines at proper temperature, and monitoring equipment running. Water plants would be shut down and potable water from the tap would be compromised. Traffic controls would be taken off line, and cellular phone towers likely would be overwhelmed. In short: chaos.

In addition, if the power generation station were damaged in the attack, that chaos would be extended from hours to days and weeks.

In 2003, a software bug in the alarm system of an energy provider in Ohio caused a power surge and resulted in the loss of power for approximately 45 million people in the northeast United States and southeast Canada. The outage lasted from two hours to four days, depending on the location.

The summary also notes that “investments will prioritize developing resilient, survivable, federated networks and information ecosystems from the tactical level up to strategic planning. Investments will also prioritize capabilities to gain and exploit information, deny competitors those same advantages, and enable us to provide attribution while defending against and holding accountable state or non-state actors during cyberattacks.”

Keeping confidentiality

Embedded computing safety and security experts at Green Hills Software in Santa Barbara, Calif., were awarded Evaluation Assurance Level (EAL) 6+ security level by the NSA in 2008 for the company’s INTEGRITY-178B real-time operating system (RTOS). EAL 6+ is the highest level awarded by the agency.

Richard Jaenicke, director of marketing for Green Hills, says that “The INTEGRITY-178 tuMP RTOS is a security-hardened OS that provides a Multiple Independent Levels of Security (MILS) environment. That MILS environment provides foundational security policies: data isolation between applications; control of information flow between applications; resource sanitization before switching applications; and fault isolation so a failure in one application will not affect any other part of the system. All of those controls are non-bypassable, evaluatable, always invoked, and tamperproof (NEAT).”

Jaenicke says that trusted military systems adhere to the “CIA” triad: confidentiality, integrity, and availability.

“So, if you’re trying to break confidentiality, you’re trying to steal secrets — otherwise known as espionage — or you’re breaking integrity, in which you’d change the data or the behavior in the system and thereby influencing your military decisions and actions,” Jaenicke explains. “Then you attack the availability — denial of service attacks or crashing the computer.

“Even in a real-time system, you’re just delaying it enough that it doesn’t need its real-time deadline causes that actions to happen,” Jaenicke continues. “So I think that’s that those are the basic ones. And then if you train ones that are a little bit more complex and put a couple of them together, you end up with things ultimately taking over physical control of a system so that you can fire a weapon or crash a vehicle or create some other kinetic effect.”

Information security

In addition to compromising the efficacy of military systems, state and non-state actors also are interested in obtaining useful information. The 2018 National Defense Strategy says that non-state actors can even be viewed as something relatively “positive” in regard to cyber security.

“There is a positive side to this as well, as our partners in sustaining security also are more than just nation-states: multilateral organizations, non-governmental organizations, corporations, and strategic influencers provide opportunities for collaboration and partnership,” notes the summary. “Terrorism remains a persistent condition driven by ideology and unstable political and economic structures, despite the defeat of ISIS’s physical caliphate.”

Embedded computer expert Steve Edwards, director of product management at the Curtiss-Wright Corp. Defense Solutions division in Ashburn, Va., notes that hackers want to compromise, augment, or recreate the system.

“You’re listening in to see what you want to do with information,” Edwards says. “You might be trying to disrupt, or you might be trying to just learn about the system so that you recreate it down the road or come up with countermeasures.”

End goals and uses for hackers depend on what sort of access they have, points out Charlie Kawasaki, chief technical officer for Pacific Star Communications Inc. (PacStar), a tactical communications company in Portland, Ore. Curtiss-Wright Defense Solutions acquired PacStar in September.

“With encryption, the threats to data at rest, you have to have access [to the system],” Kawasaki says. “It’s a gold mine. Where the threats for ‘data in transit’ come into play, you’re trying to capture information and decrypt it in a situation where it’s flying around with radio waves.”

Breaking in

With connected systems, malicious actors have myriad ways to try and access information or capabilities.

“One is if they can introduce malicious code somehow,” says Curtiss-Wright’s Edwards. “There are insider threats; there’s other ways to introduce malicious code. Maintenance operations would be another way, or network connectivity.”

Curtiss-Wright data storage senior product manager Steve Petric says that by using relatively low-risk, high-reward emails to trick authorized users into passing along their legitimate credentials — known as “phishing” — adversaries can sneak their way past data security.

“That’s an incredibly successful attack,” Petric says. “The DOD is under those types of threats too. If you’re trying to use a denial-of-use, you can do that over the airwaves.”

Green Hills Software’s Jaenicke says other entry points for would-be spies come from malware in maintenance computers, or “you can even have malicious code in from the beginning or malicious hardware because of supply chain attacks.”

Beyond the DOD, phishing and similar attacks can impact businesses and disrupt the supply chain. As the United States defense apparatus embraces commercial solutions to military problems, the DOD recognizes that protecting the private sector is instrumental to maintaining military superiority.

“New commercial technology will change society and, ultimately, the character of war,” DOD experts say in their summary of the 2018 National Defense Strategy document. “The fact that many technological developments will come from the commercial sector means that state competitors and non-state actors will also have access to them, a fact that risks eroding the conventional overmatch to which our Nation has grown accustomed. Maintaining the Department’s technological advantage will require changes to industry culture, investment sources, and protection across the National Security Innovation Base.”

Objectives and options

The DOD National Defense Strategy lists 11 main objectives. They are:

Defending the homeland from attack;

Sustaining Joint Force military advantages, both globally and in key regions;

Deterring adversaries from aggression against our vital interests;

Enabling U.S. interagency counterparts to advance U.S. influence and interests;

Maintaining favorable regional balances of power in the Indo-Pacific, Europe, the Middle East, and the Western Hemisphere;

Defending allies from military aggression and bolstering partners against coercion, and fairly sharing responsibilities for common defense;

Dissuading, preventing, or deterring state adversaries and non-state actors from acquiring, proliferating, or using weapons of mass destruction;

Preventing terrorists from directing or supporting external operations against the United States homeland and our citizens, allies, and partners overseas;

Ensuring common domains remain open and free;

Continuously delivering performance with affordability and speed as we change Departmental mindset, culture, and management systems; and

Establishing an unmatched twenty-first century National Security Innovation Base that effectively supports Department operations and sustains security and solvency.

Cyber security is instrumental in achieving all of those goals. So how does the mil-aero industry help protect the cyber domain? Robust software, isolating sectors, and deterrence.

Alion Science and Technology Corp. in McLean, Va., provides solutions to U.S. defense, civilian, and intelligence agencies. The company’s senior vice president and general manager of its cyber network solutions group, Katie Selbe, notes that speed is paramount to stopping malicious actors.

“Engagements in cyberspace take place at machine speed,” Selbe says. “There are too many attacks for humans to detect and react to in a timely manner. Therefore, countering machine speed attacks requires use of software analytics that differentiate between normal traffic and attacks in fractions of a second. Alion is a leader in creating software analytics, large data environments (BDP) to deploy these analytics, and complex applications to make sense of this data. Alion also provides the experienced researchers to conduct forensics on adversary software, attack vectors and who create counters to this rapidly evolving threat.”

System segments

Green Hills’ Jaenicke explains that because of the speed afforded to digital attacks, isolating system segments is key to stopping the spread of malicious code or preventing further damage or loss of data.

“If you have a sufficiently motivated, talented, and well-funded group of attackers, they’re probably going to find a way in. You need to isolate them and restrict the effects of it,” Jaenicke says. “The key is to make sure that they don’t get very far and that you isolate them and restrict the effects of it. There are broader parts of the solution where you’d like to know that this happened so that you can shut that down, repair any damage, assess any losses. But the way our software will provide the isolation and limit the damage, even if you didn’t ever notice that the attack.”

With Green Hills Software’s INTEGRITY-178 real-time software, Jaenicke says that the operating system provides a MILS environment.

“That means if a cyber-attack manages to corrupt an application, such as one connected to external communication, that application cannot corrupt any other application or access its data,” Jaenicke explains. “Because every application is isolated from the rest of the system except for predefined communications patterns, every application executes in a “zero trust” environment. The level of trust in INTEGRITY-178 that comes from the breadth and depth of that certification enables INTEGRITY-178 to host multi-level security (MLS) applications such as cross-domain solutions (CDS).”

If and when a hacker gets into a secured system, another countermeasure is to ensure all of the data is encrypted.

“What we have realized is there’s a growing need and market in this space for secured encryption — certifiable inscription solutions,” says Curtiss-Wright’s Petric. “A lot of our customers are debating which way to go. We see ourselves at data at rest, we push ourselves to be the best in that market place.”

“From the processing board space — encryption is a big deal, especially encrypting of the application,” says Curtiss-Wright’s Edwards. “I would add to that making sure your card boots into a known good state — that might mean running only signed software.”

PacStar’s Kawasaki says that “If you can’t trust your computer, all bets are off. But where PacStar comes in is, we assume that we can trust the computer because we use suppliers and hardware [that are trustworthy]. So, once you have that trust in the underlying hardware, then what you need to do is you need to deploy a wide variety of security technologies in order to make sure that the computer can accomplish its goals without the application layer or the security layer software ... So what we do in PacStar is we take this trustworthy hardware and we work with the industry-leading cybersecurity companies to validate that their software meets government requirements to integrate it into complete solutions. And then we make it available in military ready, tactical ready environments where now you can deploy the best of enterprise class cybersecurity technologies, entrusted hardware configured and validated to security duty requirements.”

Curtiss-Wright Defense Solutions offers its Data Transport System (DTS1) network-attached data storage device for harsh-environment applications like high-altitude unmanned aerial vehicles (UAVs) that must operate at altitudes as high as 40,000 feet.

The DTS1 is a commercial off-the-shelf (COTS) data-at-rest storage solution that supports two layers of full disk encryption in one device.

The data storage system has been tested and validated for operation in extended temperatures from -45 to 85 degrees Celsius per MIL-STD-810G. It is a Common Criteria-certified solution endorsed by the U.S. National Security Agency (NSA) and approved by NATO with two certified encryption layers.

The DTS1 has two layers of AES 256-bit encryption, making protection of Top-Secret data more cost effective and low risk than traditional NSA Type 1 device development.

PacStar offers its scalable Secure Wireless Command Post to provide, as the name suggests, secure access to Wi-Fi on forward bases.

“So, you can use if you use a laptop, you can use a mobile device, you fire it up, you connect to Wi-Fi, you turn on the client and voila, you have access to classified networks,” says PacStar’s Kawasaki. “It allows the organizations to instead of stringing 17,000 feet of cable all over the place in order to get a command post set up, they just drop off our [Secure Wireless Command Post] and five minutes later, you’ve got wireless access for all the people in the command post.”

Deterring adversaries

Beyond isolation and encryption, PacStar’s Kawasaki notes that deterrence starts with physical deterrence — keeping bad guys off of the base, out of server rooms, and away from the technology. However, if adversaries get past physical means, robust encryption and isolation can deter even the most motivated hacker.

“Limiting the effect always has some level of deterrence because then it changes the cost benefit calculation,” says Green Hills’ Jaenicke. “And waging that attack, if you have to put a ton of effort in and you get very little out of it, that’s a form of deterrence. The operating system can play part of that creates a secure environment. A more general solution could be thinking about ... a large network of satellites. It creates a mess if one of the satellites is compromised, [but] it is a lot more different than if you only have one or two big satellites and one of those becomes compromised. You’ve lost a lot of capability. So, having more resilience in your systems means that you’ll have a smaller effect. And therefore, it creates some deterrence.”
