Trusted computing for national defense

Dec. 21, 2022
Cyber security enters the realm of zero trust, as military forces seek to safeguard sensitive military technologies from enemy cyber hackers and spoofers.

NASHUA, N.H. - Founding father, inventor, author, and statesman Benjamin Franklin introduced several lasting thoughts and inventions in his storied lifetime. In his adopted home of Philadelphia, Franklin told fellow residents they would be wise to support his volunteer fire company -- the first in what would become the United States -- in 1736. Franklin sold his idea with a pithy saying: "An ounce of prevention is worth a pound of cure."

Perhaps nowhere is this saying more relevant than in keeping vital equipment, systems, and secrets secure. After all, robust cyber security can keep nefarious actors at bay, but so long as systems remain connected to one another, corporate and state-sponsored spies will attempt to learn their secrets and vulnerabilities, and ways to destroy or take over components, networks, and even entire weapons systems.

In October, President Joseph Biden Jr. released his administration's 48-page National Security Strategy (NSS), in which the president lays out a multi-point plan to keep the United States ahead of rival and semi-adversarial nations like Russia and the People's Republic of China (PRC) while ensuring the nation can keep itself rolling technologically if those rivals -- China in particular -- become adversarial.

Security priorities

The NSS document notes that "Our starting premise is that a powerful U.S. military helps advance and safeguard vital U.S. national interests by backstopping diplomacy, confronting aggression, deterring conflict, projecting strength, and protecting the American people and their economic interests. Amid intensifying competition, the military's role is to maintain and gain warfighting advantages while limiting those of our competitors. The military will act urgently to sustain and strengthen deterrence, with the PRC as its pacing challenge. We will make disciplined choices regarding our national defense and focus our attention on the military's primary responsibilities: to defend the homeland, and deter attacks and aggression against the United States, our allies and partners, while being prepared to fight and win the Nation's wars should diplomacy and deterrence fail."

The PRC looms large in President Biden's NSS, as the document says that China is the "only competitor" in the world with both the intent and power to reshape the international order.

"Beijing has ambitions to create an enhanced sphere of influence in the Indo-Pacific and to become the world’s leading power," the NSS says. "[China] is using its technological capacity and increasing influence over international institutions to create more permissive conditions for its own authoritarian model, and to mold global technology use and norms to privilege its interests and values. Beijing frequently uses its economic power to coerce countries. It benefits from the openness of the international economy while limiting access to its domestic market, and it seeks to make the world more dependent on the PRC while reducing its own dependence on the world."

Pillars of security

The 2018 U.S. Department of Defense (DOD) cyber strategy embraced Benjamin Franklin's "ounce of prevention" as the military intended to help all networks, including those outside the branch, when malicious attacks happened; update critical infrastructure networks; and streamline public-private information sharing.

"We can’t do this mission alone," wrote the DOD. "So, the DOD must expand its cyber-cooperation by:

-- building dependable partnerships with private-sector entities who are vital to helping support military operations;

-- sharing information with other federal agencies, our own agencies, and foreign partners and allies who have advanced cyber capabilities. This will increase effectiveness;

-- looking for crowdsourcing opportunities such as hack-a-thons and bug bounties to identify and fix our own vulnerabilities; and

-- upholding cyberspace behavioral norms during peacetime."

"I think we've thwarted a good number of attacks by our intelligence sharing and your sharing of information about things going on in your network," David McKeown, DOD's chief information security officer and deputy chief information officer for cyber security, told the department's industrial and commercial partners at a March 2022 town hall.

Trust issues

One way industry and the DOD are keeping defense and industrial secrets under wraps is to embrace a "zero trust" environment with networked systems. In August, DOD acting deputy chief information officer Lily Zeleske spoke at an industry event hosted by Worldwide Technology and Intel, where she noted an enterprise modernization approach is a priority.

"Our ability to deliver information at resilience and speed, as well as [delivering] secure information to our people, is paramount to staying ahead of adversaries," Zeleske said, and noted that funding the technologies within budget constraints achieves a balance between cost and mission effectiveness. "We're working for the public and for the country. I emphasize that resources and costs are critical, but the mission is just as critical, so it is a balance between cost effectiveness and mission effectiveness for us."

One way to make commercial IT components and systems secure from state actors who can buy them off the shelf and probe for vulnerabilities is to embrace a "zero trust" strategy. Zero trust architecture (ZTA) removes the implicit trust that grants a user access to a system solely because they, for example, know the correct passcode. The DOD has set a target of 2027 to implement ZTA across the department and its services, according to Richard Jaenicke, who is the marketing manager of Green Hills Software (GHS) in Santa Barbara, Calif.

"Zero trust assumes your perimeter and networks have been breached and implements a high-level policy to 'never trust, always verify,'" Jaenicke says. "In an enterprise setting, that includes continuous validation of users and devices. In embedded systems, zero trust includes not implicitly trusting each application but limiting access and communication to the least privilege necessary to get the job done."

He continues, "A proven security solution that provides the foundation for a ZTA in an embedded system is a separation kernel, where applications run in partitions isolated by the separation kernel. A separation kernel is very small in size because it implements only the four fundamental security policies required to support higher security functionality running in user mode. Those four security policies are data isolation, control of information flow, resource sanitization, and fault isolation. A separation kernel uses a static configuration file to define permitted applications and communications patterns using the principle of least privilege. Because the separation kernel is the only software running in kernel mode, it cannot be bypassed or tampered with. The small size enables it to be scrutinized and evaluated to the highest security levels."
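The static-configuration idea Jaenicke describes can be made concrete with a small model. The following is an added illustration, not Green Hills code and not how any particular separation kernel is implemented: a kernel object is built from a hypothetical build-time configuration listing partitions and one-directional channels, and it enforces the four policies he names (data isolation, control of information flow, resource sanitization, fault isolation) by denying anything the configuration does not list. Partition names, channels and payloads are constructed for the example.

```python
"""Toy model of a separation kernel's static configuration (added illustration,
not Green Hills code). Partitions, permitted flows and sanitization are fixed
at build time; any request not covered by the configuration is denied."""

from dataclasses import dataclass, field

# Hypothetical static configuration (constructed sample): which partitions
# exist and which one-directional channels between them are permitted.
STATIC_CONFIG = {
    "partitions": ["sensor", "crypto", "comms", "maintenance"],
    "channels": [
        ("sensor", "crypto"),   # raw sensor data may only go to the crypto partition
        ("crypto", "comms"),    # only the crypto partition's output reaches the radio
    ],
}


class PolicyViolation(Exception):
    """Raised when an application requests something the static config denies."""


@dataclass
class SeparationKernel:
    partitions: frozenset
    channels: frozenset
    # Per-partition memory regions; the kernel owns them, applications do not.
    memory: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    @classmethod
    def from_config(cls, cfg):
        """Validate the configuration once, before any application runs."""
        parts = frozenset(cfg["partitions"])
        chans = frozenset(cfg["channels"])
        for src, dst in chans:
            if src not in parts or dst not in parts:
                raise ValueError(f"channel {src}->{dst} names an unknown partition")
        return cls(parts, chans)

    def send(self, src, dst, payload):
        """Control of information flow: deliver only over a configured channel.
        Data isolation follows because the kernel, not the sender, writes into
        the destination's region."""
        if (src, dst) not in self.channels:
            self.audit.append(("DENY", src, dst))
            raise PolicyViolation(f"no channel {src}->{dst}")
        self.audit.append(("ALLOW", src, dst))
        self.memory.setdefault(dst, bytearray()).extend(payload)
        return len(payload)

    def release(self, partition):
        """Resource sanitization: zero a region before it can be reassigned."""
        buf = self.memory.get(partition)
        if buf is not None:
            for i in range(len(buf)):
                buf[i] = 0
        return buf

    def fault(self, partition, exc):
        """Fault isolation: a failing application affects only its own partition;
        the kernel records the fault and scrubs that partition's memory."""
        self.audit.append(("FAULT", partition, type(exc).__name__))
        self.release(partition)
        return partition


def demo():
    """Exercise the policy: one allowed flow, two denied flows, one isolated fault."""
    k = SeparationKernel.from_config(STATIC_CONFIG)
    k.send("sensor", "crypto", b"temp=41")
    denied = 0
    try:
        k.send("sensor", "comms", b"temp=41")   # bypassing crypto is not configured
    except PolicyViolation:
        denied += 1
    try:
        k.send("maintenance", "crypto", b"dump")  # no channel at all
    except PolicyViolation:
        denied += 1
    k.fault("maintenance", RuntimeError("app crashed"))
    return denied, k.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The point of the model is what is absent: there is no API for an application to add a channel at run time, so the least-privilege policy is exactly the configuration file and nothing else, which is what makes the kernel small enough to evaluate.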

Jaenicke explains that to achieve zero trust, the separation kernel needs to load properly. "That requires establishing a chain of trust back to a hardware root of trust, where each link in the chain authenticates the next piece of software before loading it."
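The chain Jaenicke describes can be modelled with digests alone. This is an added example, not Green Hills code and a simplification of real secure-boot designs (which typically use signatures rather than a bare hash chain): the hardware root of trust holds the digest of the first image, each image carries the digest of the image that follows it, and a stage is only allowed to run when its digest matches what the previous link expects. The image layout and the stage contents are assumptions made for the example.

```python
"""Added illustration of a boot chain of trust anchored in a hardware root
of trust: each link authenticates the next image before handing over control.
Image layout and stage contents are constructed for the example."""

import hashlib
from typing import Optional

DIGEST_LEN = 32  # SHA-256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_image(code: bytes, next_image: Optional[bytes]) -> bytes:
    """Assumed image layout: 32-byte digest of the next stage, then the code.
    The final stage in the chain embeds an all-zero digest."""
    trailer = sha256(next_image) if next_image is not None else b"\x00" * DIGEST_LEN
    return trailer + code


def build_chain(stages):
    """Build images from last to first so each can embed its successor's digest.
    Returns (digest burned into the root of trust, [image0, image1, ...])."""
    images = []
    nxt = None
    for code in reversed(stages):
        img = build_image(code, nxt)
        images.append(img)
        nxt = img
    images.reverse()
    return sha256(images[0]), images


def verified_boot(root_digest: bytes, images):
    """Walk the chain. Returns (indices of stages allowed to run, status).
    Stops at the first image whose digest does not match what the previous
    link (or, for stage 0, the root of trust) expects."""
    booted = []
    expected = root_digest
    for idx, img in enumerate(images):
        if sha256(img) != expected:
            return booted, f"stage {idx} failed authentication"
        booted.append(idx)
        expected = img[:DIGEST_LEN]   # this image vouches for the next one
    return booted, "ok"


def demo():
    """Boot an intact chain, then the same chain with a modified kernel image."""
    root, images = build_chain([b"bootloader v1", b"separation kernel", b"partition apps"])
    good = verified_boot(root, images)
    tampered = list(images)
    tampered[1] = tampered[1] + b"\x90"   # constructed modification of stage 1
    bad = verified_boot(root, tampered)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Because the expected digest for stage N is read out of stage N-1, which was itself verified, an attacker who alters any image without also altering every earlier image (and the value in the root of trust) is stopped at that link; the separation kernel's policy only matters if the kernel that enforces it is the one that was loaded.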

The NSA-defined Separation Kernel Protection Profile (SKPP) provides the security assurance and security functional requirements for a separation kernel to meet the NSA's definition of high robustness. That protection profile is based on a mix of Common Criteria objectives from Evaluation Assurance Levels (EAL) 6 and 7, with EAL 7 being the highest level.

At the system level, Raise the Bar (RTB) is a set of cyber security standards published by the National Cross Domain Strategy and Management Office (NCDSMO) in the NSA. First published in 2018, the RTB standards are security guidelines and requirements for cross domain solutions (CDS) deployed by the U.S. government to protect National Security Systems (NSS). They go well beyond the Risk Management Framework (RMF) controls that many government agencies implement, and are intended to ensure systems are at low risk of failing, even under persistent attack.

Scott Miller, a scientist with Mercury Systems in Andover, Mass., explains that by seeking out potential vulnerabilities, it is possible to not only eliminate them, but utilize them to send enemies on something of a digital snipe hunt.

"The increase in connected technologies definitely presents new cyber security challenges, but there are ways to identify the exploitable vulnerabilities," Mercury's Miller says. Although not encouraged as a primary strategy, 'security through obscurity' can mitigate risk as a secondary one, if it is thought that code may bear vulnerabilities. This strategy requires a careful balance, though, as broad exposure is often the most effective path to discovery and remediation of vulnerabilities.

Miller continues, "The controversial strategy of employing disinformation, where software systems intentionally misreport their configuration, can be effective in confounding adversaries who are selecting attacks known to be effective against particular software versions or configurations. But it can also confound patching and maintenance efforts to make the right decisions contrary to what the software self-reports."

Limitations in trust

While the "zero trust" movement gains traction in the DOD and among its industry partners, Dominic Perez, the chief technology officer (CTO) for Curtiss-Wright Defense Solutions in Ashburn, Va., explains that the concept is less a panacea for cyber security than an architecture.

On top of that, Perez says that even the name is somewhat of a misnomer, as "the first thing you're doing is establishing trust, and what you're doing is reestablishing trust whenever certain attributes of the communication session or the user change or appear to have changed. And I think most people have encountered something like this; you get a new phone and you log on to your bank's website and it asks you those security questions that it probably hasn't asked you for many months because it has noticed something different about this session.

"I think people should just caution that zero trust is going to solve all of their security problems," he continues. "It is a powerful tool and a powerful concept, and we have lots of partners that enable various pieces of the zero-trust ecosystem like Cisco and Aruba and Palo Alto, but it's not going to by itself solve all of your security issues."

On the move

Like the commercial off-the-shelf (COTS) revolution that has fueled field-replaceable and upgradable hardware components, the National Security Agency (NSA) looked to commercial solutions for cyber security. The NSA's Commercial Solutions for Classified (CSfC) program allows agencies and military services to communicate securely using a diverse set of commercial products.

NSA experts say the CSfC program provides NSA-designed and -approved solutions, leveraging a cadre of vetted, trusted system integrators; NIAP-validated components; and collaborative protection profile requirements validated against the international Common Criteria. The program enables clients to keep pace with technological progress and employ the latest capabilities.

The CSfC program also helps reduce the time it takes to build, evaluate, and deploy solutions by using mature technologies already available to the commercial sector. Potential cost savings may be realized through marketplace competition and rapidly deployable, scalable commercial products.

Other CSfC benefits include open, non-proprietary interoperability and security standards; situational awareness about component use and location, as well as documented incident handling procedures; and technical expertise from NSA's team of system engineers, threat analysts, and cyber experts.

With the NSA's CSfC, Curtiss-Wright Defense Solutions' Perez says that warfighters -- including those at the front lines -- can use wireless technologies that civilians have taken for granted for decades now.

Cyber security was the impetus for keeping DOD systems off the airwaves and tethering them together with Ethernet cables to allow information sharing between computers.

"From the advent of Wi-Fi at the tail end of the '90s until just a few years ago, no one in the military would be allowed to use WiFi," Perez points out. "But with the NSA CSfC program, we are able to deploy WiFi and other wireless commercial technologies like 4G LTE, and even 5G now in a secure manner. What that really does is it dramatically speeds up the deployment of a secure network.

"In [Curtiss-Wright's] Pac Star group, we are focused on enabling these forward operators -- either in the tents that they're setting up or the vehicles that they're deploying with -- to set up networks quickly," Perez continues. "'Quickly' used to be measured in days; now it's in hours or less. They need to be able to set up a network when they come to a stop. And our secure wireless command post lets them do that. In less than a half an hour, they can have 100 users online, and they'd barely be getting the boxes of Ethernet cabling open if they were using a traditional cabling solution."

In addition to rapid deployment, Curtiss-Wright's Perez says that going wireless affords the DOD significant cost savings, since the miles of Ethernet cable used in the field, rarely if ever reused, can be eliminated.

Reliability in redundancy

With Wi-Fi making use of radio frequency (RF) technology, all sorts of sensitive and classified information is flying through the air. How do the DOD and their industry partners keep it out of the hands of bad actors who wish to obtain it? In short, trustworthy hardware and redundancy in encryption.

Curtiss-Wright's Perez explains that redundancy is achieved by using multiple equipment manufacturers with different ways of encryption.

"So, let's just say one layer is a VPN developed by Cisco and another layer is a VPN developed by Aruba," Perez says. "By running the traffic between the first tunnel and then taking the tunnel traffic and running it through the second tunnel, they have prevented a lot of the vulnerabilities that might be present in just one of those solutions."

Perez's colleague Steve Edwards, who is Curtiss-Wright's director of secure embedded solutions, likened the redundancy to overlapping pieces of Swiss cheese.

"So, each of those solutions on their own have certain vulnerabilities, but because they're independently developed, they're going to have different vulnerabilities from each other," Edwards says. "And so the idea is you layer them on top of one another. It's like putting two pieces of Swiss cheese together. The holes don't line up, so you've actually reduced your vulnerability surface quite a bit by doing [this]."
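The layering Perez and Edwards describe can be shown in code. The following is an added example, not Cisco, Aruba or Curtiss-Wright code: two deliberately different keystream constructions stand in for two independently developed tunnel implementations, each layer has its own key and integrity tag, and the outer tunnel carries the inner tunnel's output as opaque payload. The keystreams are illustrative constructions built from hashlib, not the ciphers any real VPN product uses; the point is only what an adversary who breaks one layer gets to see.

```python
"""Added illustration of two independently built encryption layers, one inside
the other (the CSfC-style 'dual tunnel'). The keystream constructions are
stand-ins for two vendors' implementations, constructed for this example."""

import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def keystream_a(key: bytes, nonce: bytes, n: int) -> bytes:
    """'Vendor A' keystream: SHA-256 over key||nonce||counter."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def keystream_b(key: bytes, nonce: bytes, n: int) -> bytes:
    """'Vendor B' keystream: keyed BLAKE2b over nonce||counter, an independent design."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.blake2b(nonce + ctr.to_bytes(8, "big"), key=key).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac_key(key: bytes) -> bytes:
    """Derive a separate integrity key so the stream key is never reused for the tag."""
    return hmac.new(key, b"integrity", "sha256").digest()


def wrap(layer, key: bytes, plaintext: bytes) -> bytes:
    """One tunnel layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = xor(plaintext, layer(key, nonce, len(plaintext)))
    tag = hmac.new(mac_key(key), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(layer, key: bytes, blob: bytes) -> bytes:
    """Reverse one layer, refusing anything whose tag does not verify."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key(key), nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return xor(ct, layer(key, nonce, len(ct)))


def double_wrap(msg: bytes, key_inner: bytes, key_outer: bytes) -> bytes:
    """Inner tunnel (vendor B) first, then the outer tunnel (vendor A) around it."""
    return wrap(keystream_a, key_outer, wrap(keystream_b, key_inner, msg))


def double_unwrap(blob: bytes, key_inner: bytes, key_outer: bytes) -> bytes:
    return unwrap(keystream_b, key_inner, unwrap(keystream_a, key_outer, blob))


def peel_outer_only(blob: bytes, key_outer: bytes) -> bytes:
    """What someone holding only the outer layer's key recovers: the inner
    layer's nonce, ciphertext and tag, never the plaintext."""
    return unwrap(keystream_a, key_outer, blob)


def rejects_tampering(blob: bytes, key_inner: bytes, key_outer: bytes) -> bool:
    """Flip one ciphertext byte; a correct double unwrap must refuse it."""
    bad = bytearray(blob)
    bad[NONCE_LEN + 3] ^= 0x01
    try:
        double_unwrap(bytes(bad), key_inner, key_outer)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    k_in, k_out = os.urandom(32), os.urandom(32)
    blob = double_wrap(b"position report", k_in, k_out)
    print(double_unwrap(blob, k_in, k_out), rejects_tampering(blob, k_in, k_out))
```

The "holes don't line up" argument is visible in `peel_outer_only`: a break in layer A yields only layer B's output, which is indistinguishable from noise without layer B's key, and the two keystream designs share no code, so a flaw in one construction says nothing about the other.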

The CWDS duo notes that in some instances, the NSA will certify two layers from the same company so long as they were not co-developed.

"There are a significant number of additional requirements in order to become registered with the NSA for one of these encryption solutions," CWDS' Perez explains. "However, the premise is the dual layer of encryption... [Our] persistent storage division has actually gone and gotten a waiver because we were able to show that our two layers are developed independently. So, the NSA says, 'OK, it says Curtiss-Wright on the box for both of them,' but one came from an internal development, and then one is an open source program that we manage and make it meet requirements. So, while the premise is that you need two different vendors, there are just a couple of waivers that the NSA has given out for that. And Curtiss-Wright has one of those."

Eyes on supplies

One way industry and the warfighters who use connected technology can get some peace of mind is by assuring that their sources for components and software are not building in back doors on behalf of countries and companies who may not be entirely trustworthy.

President Biden has made domestic chip and other technology manufacturing a priority in his first two years in office as a way to reduce dependency on overseas sources in the wake of the COVID-19 pandemic.

"The software cyber security problem is hard enough; but consider if you can't trust the hardware executing the software. This is why DARPA ERA and the CHIPS bill are so important -- these seek to preclude the need to consider intentional manipulation of component hardware designs from which modules are composed," says Mercury's Miller. "However, much like social engineering produces an 'accidental insider,' accidental hardware vulnerabilities will remain a concern."

At a groundbreaking at a new Intel manufacturing facility in Ohio in September, President Biden noted that decades ago, the United States produced more than 30 percent of the world's computer chips. With much of its manufacturing needs sent overseas, Biden said that figure dropped to approximately 10 percent. The president also said that the shortage of semiconductors drove approximately one third of inflation.

The president told the Ohio crowd that in addition to Intel, Micron in Boise, Idaho; GlobalFoundries in Santa Clara, and Qualcomm in San Diego, Calif.; and Wolfspeed in Durham, N.C. were investing billions into manufacturing chips at home for consumer goods.

The president also explained to the crowd that earlier in 2022, he had visited the Lockheed-Martin Javelin missile plant in Troy, Ala. Those missiles were among the materiel assistance the U.S. has provided to Ukraine as it battles an invasion by neighboring Russia.

"We need semiconductors not only for those Javelin missiles, but also for the weapons systems of the future that are only going to be more reliant on computer chips," President Biden said. "This goes well beyond commercial need. Unfortunately, we produce zero — zero — of these advanced chips in America. Zero. And China is trying to move way ahead of us in manufacturing them."

China has loomed large in the minds of security-minded professionals looking to prevent the Asian power from building exploitable weaknesses into hardware.

Emil Kheyfets, who is the director of mil-aero business development at Aitech in Chatsworth, Calif., explains that "It is a big concern, especially since infiltration can come from external and internal system resources. To highlight the magnitude of it, note that DoD programs prohibit the use of Chinese EEE parts to prevent internal infiltration. Protection of all external interfaces, as found in the [Aitech's] AiSecure architecture, is crucial to combat infiltration of secure systems."

Adversarial ambitions

Of course, keeping prying eyes off data is job number one, as Benjamin Franklin's maxim suggests. But what happens if nations like China and Russia overcome physical security at sensitive sites, bypass physical barriers, or defeat cyber security systems? And if they do, what would an adversary seek to do with access to the sensitive systems that warfighters count on? According to E. Egon Rinderer, the CTO of Shift5 in Arlington, Va., it's not what Hollywood puts on the screen.

Rinderer explains that a "Die Hard" scenario, in which a person or country gets control of a vehicle remotely and crashes it, is unlikely to play out.

"What I want to do is simply keep your entire fleet on the ground when you need it in the air," Rinderer says, speaking as a hostile actor. "Or I want to stop an entire brigade of ground vehicles as soon as they roll across the boundary, invisible GPS boundary that represents my border. The way that I'm going to do that, I'm going to do very sophisticated attacks that get me persistence on those platforms very quietly. And supply chain is a great way to do that. I can bake something in at a hardware level that's completely hidden, isn't doing anything. It's completely dormant as well and it has some sort of wake-up effect at some point, which you may or may not ever see. But I need to be able to detect if that thing behaves differently than it should."

Shift5 provides a system-monitoring platform in rail, defense, and aerospace vehicles that logs every "conversation" between components and flags abnormalities it discovers.

For instance, Rinderer gives an example in which five vehicles in a fleet of 300 are flagged as having computing processes acting differently from the other 295. By finding commonalities between the "abnormal" vehicles, such as their being the only ones in the fleet that have had a particular component replaced with something new, the fleet can be audited down to the bus level to see if there has been a security breach. Rinderer also gives the example of vehicles traveling through an area known for attempts to break into systems.

"Maybe those five vehicles all transit the Strait of Hormuz through a known offensive cyber operations hotspot," says Shift5's Rinderer. "And since coming back now they're exhibiting that behavior they're affected...We conduct what's called full take data capture. I want every single frame of data that's put on that bus by any device. So, we watch things passively at the bus level because it's, number one, ubiquitous, and number two, it's unobtrusive. And so, what I can do is I can say, okay, great, we're watching everything. We detected this anomaly on these five vehicles ever since they transit in this area. Take me to the first occurrence of that anomaly, and then I want to see all the bus messages that led to that."
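The triage Rinderer walks through (fleet-wide passive capture, flag the vehicles whose bus traffic differs from the rest, find what the flagged vehicles have in common, then go to the first occurrence of the anomaly and pull the messages that led to it) can be expressed as a few functions over captured frames. This is an added example, not Shift5's code or data: the eight-vehicle capture, the device addresses, the message IDs and the per-vehicle metadata are all constructed, and the baseline rule (a sender/message pair is normal if nearly the whole fleet emits it) is one simple choice among many.

```python
"""Added illustration of bus-level anomaly triage across a fleet. All frames,
addresses and metadata are constructed for the example (not real telemetry)."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    vehicle: str
    t: float        # seconds since capture start
    device: int     # bus address of the sender
    msg_id: int
    payload: bytes


def constructed_capture():
    """Full-take capture for an 8-vehicle fleet. Every vehicle sends engine (0x10)
    and nav (0x20) frames; V03 and V07 also carry frames from address 0x7E,
    which is not expected to be talking on the bus at all."""
    frames = []
    for v in range(1, 9):
        vid = f"V{v:02d}"
        for k in range(5):
            t = float(k)
            frames.append(Frame(vid, t, 0x10, 0x100, b"\x01" * 8))
            frames.append(Frame(vid, t + 0.5, 0x20, 0x200, b"\x02" * 8))
            if vid in ("V03", "V07") and k >= 3:
                frames.append(Frame(vid, t + 0.7, 0x7E, 0x7FF, b"\xaa\xbb"))
    return frames


# Constructed per-vehicle context: recent route and which bus adapter is fitted.
METADATA = {
    "V01": {"route": "home", "adapter": "revA"}, "V02": {"route": "home", "adapter": "revA"},
    "V03": {"route": "hormuz", "adapter": "revB"}, "V04": {"route": "home", "adapter": "revA"},
    "V05": {"route": "home", "adapter": "revA"}, "V06": {"route": "home", "adapter": "revA"},
    "V07": {"route": "hormuz", "adapter": "revB"}, "V08": {"route": "home", "adapter": "revA"},
}


def fleet_baseline(frames, min_fraction=0.9):
    """(device, msg_id) pairs seen on at least min_fraction of the fleet count as normal."""
    vehicles = {f.vehicle for f in frames}
    seen_on = defaultdict(set)
    for f in frames:
        seen_on[(f.device, f.msg_id)].add(f.vehicle)
    return {key for key, vs in seen_on.items() if len(vs) / len(vehicles) >= min_fraction}


def flag_anomalies(frames, baseline):
    """{vehicle: sorted anomaly keys} for vehicles sending traffic outside the baseline."""
    out = defaultdict(set)
    for f in frames:
        key = (f.device, f.msg_id)
        if key not in baseline:
            out[f.vehicle].add(key)
    return {v: sorted(keys) for v, keys in out.items()}


def shared_attributes(metadata, vehicles):
    """Attributes common to every flagged vehicle and absent from the rest of the fleet."""
    flagged = [set(metadata[v].items()) for v in vehicles]
    others = [metadata[v] for v in metadata if v not in vehicles]
    common = set.intersection(*flagged)
    return {k: val for k, val in common if not any(o.get(k) == val for o in others)}


def context_before(frames, vehicle, key, n=3):
    """The n frames on that vehicle's bus leading up to the first occurrence of key."""
    own = sorted((f for f in frames if f.vehicle == vehicle), key=lambda f: f.t)
    for i, f in enumerate(own):
        if (f.device, f.msg_id) == key:
            return own[max(0, i - n):i]
    return []


if __name__ == "__main__":
    capture = constructed_capture()
    flagged = flag_anomalies(capture, fleet_baseline(capture))
    print("flagged:", flagged)
    print("in common:", shared_attributes(METADATA, list(flagged)))
    for f in context_before(capture, "V03", (0x7E, 0x7FF)):
        print(f)
```

Two design points carry over to real deployments: the baseline is learned from the fleet rather than from a vendor's specification, which is exactly what makes a dormant supply-chain implant visible once it wakes up on a few platforms, and the capture is kept whole so that the investigator can ask for the frames before the first anomaly instead of only the alert.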

With an eye on supply chains, manufacturing, deployed systems -- and the redundant systems that protect them -- today's cyber security experts are bringing more than an ounce of prevention to today's technologies. With proactive monitoring, perhaps that "pound of cure" will come in a little lighter, too.
