Industry software vendors deliver advanced technologies to secure and protect classified and mission-critical information in the digital age.
By Courtney E. Howard
Information and information systems are under attack. Someone somewhere is trying to access information that does not belong to him at virtually any given moment, 24 hours a day, 7 days a week, 52 weeks a year, always. It is a harsh reality, but one that cannot be ignored.
Malicious attacks on information and information systems occur at an alarming rate all over the world. In just the past year alone, the passport files of three U.S. presidential hopefuls were accessed illegally, Sarah Palin’s Yahoo e-mail account was hacked, and President Barack Obama’s cell phone records were illegally accessed and campaign networks hacked. When systems are infiltrated on an individual or enterprise level, the result can be dramatic; but, when military and aerospace information systems are compromised, it can be catastrophic.
Hackers in Russia shut down the Estonian government’s computer systems for a full week, before hijacking government computers in Lithuania and Georgia. Hackers tapped the mobile phones of Greek Prime Minister Costas Karamanlis and several ministers for more than a year. FBI officials have reported that, in the U.S., the Air Force, Marine Corps, FBI, and FAA inadvertently purchased Chinese counterfeit Cisco routers, which could potentially be used to compromise government and military networks.
U.S. Central Command’s One Box-1 Wire (OB1) project employs separation kernel and hypervisor technologies to manage intelligence and networks of varying security levels on a single workstation.
U.S. congressmen confirmed that Capitol Hill computers were illegally accessed by Chinese hackers seeking dissident information. Computer warfare also threatens the success and effectiveness of the U.S. Department of Defense’s (DoD’s) doctrine of network-centric warfare.
Information sharing vs. information security
Just two months ago, DoD computers fell victim to what senior military leaders describe as “a severe and widespread electronic attack.” The digital assault involved malicious software, or malware, specifically targeted at military networks that penetrated protected and highly classified computer networks, including those of U.S. Central Command and computers used by warfighters in combat zones.
“Network-centric warfare is characterized by the application of information technologies to dramatically transform military effectiveness,” admits David Kleidermacher, chief technology officer at Green Hills Software in Santa Barbara, Calif. “The increased reliance on information technology, however, brings with it unprecedented risk from asymmetric cyber threats and therefore requires a drastic improvement in information assurance (IA) posture in order to effectively manage and mitigate this risk.”
The invasive malware, called agent.btz, spread rapidly across defense and national security computer systems and networks via flash drives. Pentagon officials responded with a drastic ban on external drives and recordable CDs and DVDs on military computers. As a result, officers in the field in Afghanistan and Iraq no longer carry critical information on flash drives hung on lanyards about their necks, and information sharing on the battlefield has grown increasingly challenging.
“The challenge is getting the right information to the right person at the right time,” says Keith Rhodes, chief technology officer of the QinetiQ North America Mission Solutions Group in McLean, Va. “For this to work, the message, the messenger, and the recipient all have to be verified. The total system must be verifiable end-to-end in order for the message transaction itself to be trusted.” As a result, it is important to focus on the complete transaction system, not just the final transmission. “No single part of the process is most important. It is, rather, the entire process that must be secured.”
Security is of paramount importance in a network-centric battlefield environment, explains Jim Waldron, DoD sales director for Citrix Federal in Bethesda, Md. “The very nature of the network paradigm makes it vulnerable to malicious intrusion and detection,” he says, “and outside forces are continually investing in technology to penetrate our networks.”
The geek squadron
Some experts liken today’s environment of information warfare to software developers locked in an electronic battle between good and evil. “All current platforms are vulnerable to attack as the technology wars between the implementers and the attackers continue,” says Waldron.
Software engineers, whether working independently or on behalf of a government or military power, are hard at work advancing software technologies not only to protect their own information assets, but also to infiltrate and expose those of other entities.
In the U.S., computer warfare specialists are concentrating on defense of government and military information systems and networks. At the same time, military organizations are tapping hackers for offensive maneuvers. In May 2008, officials at the Department of the Air Force, Air Force Materiel Command Office at the Air Force Research Laboratory–Rome Research Site issued a public solicitation for “Dominant Cyber Offensive Engagement and Supporting Technology.”
The solicitation, backed by $11 million, stems from a desire to gain remote and undetected access to open and closed computer information systems for information-gathering purposes. According to the solicitation notice, the “objective includes the capability to provide a variety of techniques and technologies to be able to affect computer information systems through Deceive, Deny, Disrupt, Degrade, Destroy (D5) effects.” These efforts “should convince every other country that they need a similar program, if they don’t already have one,” says Dan O’Dowd, founder, president, and CEO of Green Hills Software. After all, he points out, “the really dangerous people are the ones you never know hacked your computer.”
The human interface
The fundamental problem with data security is twofold, according to Waldron. “First, it is impossible to secure every end-point computing device that requires access to the network, even if access is restricted to the point of virtual un-usability,” he says. “Secondly, many data security breaches have nothing to do with malformed packets or firewall traversals, but rather stem from misuse of information by those that legitimately have network access. There is a delicate and critical balance between the access and usability of a network and security.”
Green Hills Software’s Integrity PC software platform is employed in intelligent munitions, unmanned aerial vehicle command-and-control systems, and next-generation electronic flight bags.
The human element, often jokingly referred to as the I-D-ten-T (ID10T) factor, cannot be discounted. “It is important to realize that IT solutions and security solutions are increasingly convergent,” says Rhodes. “They are no longer separate, easily distinguishable domains. With that realization comes, we think, another one: the human dimension is more important than ever. There is no purely technical fix for a security challenge. It’s always about the people.”
Just the sheer number of people tied into an information system, each giving little thought to using portable flash drives, can be a security nightmare. According to Rhodes, today’s greatest security threat is the ever-increasing number of access points, such as USB drives, Internet Protocol-based mobile devices, social networking services, smart phones, and various other handheld devices with their own internal hard drives. “These are the distribution vectors for attacks. Currently, the main countermeasure to these threats is to reduce, as much as possible, the number of access points,” says Rhodes. Organizations are establishing bans on portable devices and limiting the numbers of systems that access the Internet, but they are not dealing with the underlying issue: the need to train users and administrators.
“Trying to solve the data-at-rest problem by implementing full disk encryption is good,” Rhodes continues. “Moving from passwords to token-based access controls is good. However, making systems more and more complex in order to be more and more secure is not good. Users will always come up with clever ways to get around the controls, and if they come to view security as a mere impediment, a drag on their ability to do their job, the security will motivate the very breaches it was instituted to prevent. If, however, users are well-trained and well-motivated to keep their systems safe, then technical solutions have a far greater chance of success.”
Even the most highly trained, diligent staff cannot adequately and consistently protect an organization’s information systems from attack without technology. Today’s software tools, such as those that take advantage of separation kernels, hypervisors, and virtualization, are integral to effective information security.
Computer consolidation
Network-based attacks are clearly the biggest threat today, reveals Kleidermacher. “The inexorable drive to connect assets, from embedded systems to handheld mobile devices, to enterprise desktops and servers, enables attackers to take maximum advantage of the multitude of vulnerabilities in common operating systems, communications protocols, client-side applications (such as browsers), and server-side applications like Web applications. In order to meet this mammoth security challenge, we need high-assurance solutions that can guarantee the security of high-value information, even against the most sophisticated threat agents.”
Officials at U.S. Central Command (USCENTCOM) sought to consolidate computers that manage networks and intelligence of varying security levels. A variety of reasons provided the impetus, including the reduction of workstation and network infrastructure for fast administration, a smaller footprint, reduced power consumption, and separation of network classification domains for increased information security. USCENTCOM personnel desired the ability “to access separate networks (SIPRNET, NIPRNET, CENTRIXS, JWICS, and Bilateral Networks) on a single workstation, connected to a single wire, connecting data centers for each network,” says retired Army Col. Bud Jones, a consultant to USCENTCOM.
U.S. Central Command’s OB1 project is intended to consolidate multiple computers and wires into a single cost-saving solution.
USCENTCOM officials, recognizing the need to share and protect information in a dynamic environment, launched OB1, the One Box–1 Wire project, Jones explains. Personnel elicited the help of the research-and-development community to meet the challenge of consolidating “the mass of wires and multiple computers” sitting on Action Officers’ desks into a one-box, one-wire system. Engineers at Green Hills Software and Objective Interface Systems (OIS) in Herndon, Va., delivered a solution for the OB1 Joint Capability Technology Demonstration.
“[Green Hills Software’s] Integrity PC forms the basis of the OB1 JCTD that was spearheaded by CENTCOM, which has a need to consolidate computers managing information of varying security levels and varying coalition releasability,” Kleidermacher says. “Expected cost savings of OB1 in terms of IT hardware and maintenance are immense.”
The OB1 solution employs Integrity separation kernel and secure hypervisor technologies and the OIS Virtual Ether Driver to enable a single workstation to host multiple, disparate, and commercial off-the-shelf (COTS) operating systems, applications, devices, and drivers.
In September 2008, the National Security Agency (NSA) certified Green Hills Software’s Integrity-178B securely partitioned real-time operating system (RTOS) to Evaluation Assurance Level 6+, reportedly the highest level of Common Criteria security assurance ever achieved by an operating system. “The EAL 6+/High Robustness certification represents the level of security required to protect high-value resources against determined and sophisticated attackers,” Kleidermacher notes. “This achievement sets a new standard for security to which all net-centric information technology efforts can aspire.” The certification of an operating system is particularly important, he says, because it bears a tremendous amount of the information-security burden.
“By having an EAL 6+ high-robustness foundation in control of the computer, we can apply techniques that separate security-critical portions of IT infrastructure from the legacy portions that we must continue to support,” says Kleidermacher. “We can apply high-assurance principles selectively and at low cost while achieving a dramatic improvement in overall system security. For example, we can make network transactions absolutely secure, while still allowing the use of standard browsers, such as Internet Explorer or Firefox.”
The technical manager for the OB1 JCTD, designated a “Rolling Start” JCTD by the Office of the Secretary of Defense, is the Space and Naval Warfare Systems Center (SPAWAR) Atlantic. SPAWAR Atlantic currently is establishing a test lab for the certification of OB1, which is expected to benefit warfighters with faster information delivery, rapid network set-up in the field, and reduced size, weight, power, and cost (SWaP-C).
Mil-aero virtualization
Virtualization has become a hot topic in information security, including within the military and aerospace communities, Kleidermacher recognizes. “Virtualization has great potential in enabling military and aerospace applications to take advantage of general-purpose COTS software, such as Microsoft Windows and Linux, while still improving security and reliability – key concerns for most military and aerospace systems,” he says.
Green Hills Software’s Integrity PC solution uses a high-assurance EAL 6+ certified microkernel, the company’s Integrity technology, to control the computer while employing virtualization technology in the application layer. This approach enables users to take advantage of virtualization while maintaining separation between security domains. The secure platform also enables developers to include their own safety or security-critical applications that cannot be trusted to run on a general-purpose “guest” operating system; the applications can run natively on the microkernel, describes Kleidermacher. The architecture also enables the intermixing of hard real-time and general-purpose applications, making it viable for a variety of applications.
Integrity PC currently is employed in such mil-aero applications as intelligent munitions, unmanned aerial vehicle command-and-control systems, and next-generation electronic flight bags. The company’s Integrity technology also enables secure communications aboard the F-35 Joint Strike Fighter; standalone communications devices, such as JTRS and Type-1 encryptors; and multi-level secure PCs for information management and sharing.
FCS and SDR
The U.S. Army’s Future Combat Systems (FCS) program, as well as several secure software-defined radio (SDR) communication systems, harness virtualization via tools from LynuxWorks Inc. in San Jose, Calif. The company’s LynxOS-SE time- and space-partitioned RTOS and LynxSecure separation kernel and embedded-system hypervisor are employed in SDRs, military consoles and workstations, and cryptography applications.
Officials at Lockheed Martin in Bethesda, Md., selected LynxOS-SE 5.0 and Luminosity 3.0.6, LynuxWorks’ Java-based integrated development environment (IDE) based on the open-source Eclipse platform, for the company’s Medium Extended Air Defense System (MEADS). MEADS is designed to replace Patriot systems in the U.S. and Germany and Nike Hercules systems in Italy. Lockheed Martin engineers will use the two software solutions to create, edit, compile, manage, and debug real-time and embedded system applications. Company officials chose LynxOS-SE RTOS, in part, for its ability to run POSIX, ARINC 653, and Linux applications simultaneously.
“LynxSecure’s hypervisor capabilities allow customers to move existing systems running on other operating systems (e.g., Linux, Windows, Solaris, and proprietary OSs) onto a secure foundation with isolation and information flow control provided by LynxSecure,” says Steve Blackman, director of business development for military and aerospace at LynuxWorks.
LynuxWorks executives, such as Blackman, are seeing increased customer demand in the traditional DoD embedded market and the intelligence community, where secure desktops and servers provide both SWaP and cost savings. The company’s software solutions deliver a secure (EAL 7) separation kernel and hypervisor that uses virtualization technology when available and supports multicore silicon with core affinity (allocating guest operating systems to specific cores) and symmetric multiprocessing (SMP), Blackman explains.
“This is the first time that LynxOS-Security Enhanced has been implemented by Lockheed Martin for one of the company’s air defense systems,” says Gurjot Singh, CEO of LynuxWorks. “LynxOS-SE is designed to help companies meet the stringent security needs and requirements inherent in complex systems.”
Security criticality
Citrix Federal’s Waldron, like Blackman, notes increased interest in virtualization for improved system performance and security in mil-aero environments, including the battlefield. “Optimizing the secure delivery of applications to users when and where they are needed is going to be critical, and virtualization is a main part of that optimization,” Waldron says. “Virtualization allows an organization to simplify its IT environment with a single architecture for application delivery. It optimizes the delivery of applications to users when and where they are needed and accelerates the ability to keep pace with constantly changing business and mission needs. The adoption of technologies such as virtualization that secure the core application platforms in centralized datacenters and separate from the end users will continue at an increased rate.”
Citrix XenApp and Citrix XenDesktop, software solutions delivering application and desktop virtualization, provide the ability to run applications and desktops in a centralized datacenter and securely deliver a view of the application or desktop to the endpoint. The application-hosting platform is secured in the datacenter, whereas the transport layer is secured through encryption technologies and delivered to the end user. “The end benefit is that all mission-critical applications and desktops are available anywhere, to any device, on any type of network connection while information remains secure in the datacenter,” Waldron says. “In essence, the datacenter becomes an application delivery center that provides each user with unique, up-to-date, secure applications at each log-in session.”
Waldron predicts that diskless devices will be deployed to the battlefield as part of overall virtualization adoption. “These devices will derive their intelligence from applications running in application delivery centers remote from the battlefield,” he explains. If lost or stolen, these devices are useless without secure connectivity to an application delivery center.
Server virtualization solutions also hold tremendous potential in battlefield environments. Software tools, such as Citrix XenServer, enable the optimization of server resources and separation of the application workload from the server hardware. A thin software layer is installed directly on the hardware, or bare metal, and is inserted between the server’s hardware and the operating system, describes Waldron. It provides an abstraction layer that allows each physical server to run one or more virtual servers, effectively decoupling the operating system and its applications from the underlying physical server. The result is a reduction in the number of servers and in the power and cooling necessary to run the datacenter.
“Because server virtualization can combine different functions onto a single piece of hardware, it will allow the military to be less platform-dependent and more flexible with regard to how each system or platform is built and deployed,” Waldron explains. “Systems that once required multiple servers and were of significant size and weight can now be deployed in much smaller, more portable ways, which may assist in the tactical deployment of systems to support the warfighter.”
Separation for security
Separation kernels lie at the core of system security. “Protecting the operating system kernel is essential to protecting the overall system because the kernel is the operating system’s starting point,” notes Rhodes. Applications are ultimately subject to the kernel’s control, which is why developers, such as those at QinetiQ North America, ensure that the instructions going to the kernel are valid and that they will not generate any malicious action.
Similarly, says Rhodes, building separate instances of a system through virtualization solves some important security problems. This practice addresses the challenge of monitoring an infected system without infecting all other systems. “The multiple instances allow us to run different operating systems, which means that a single exploit will not be able to compromise all the systems,” he says. “Also, should one instance come under attack, we can watch the attack from another partition, which helps us collect the attack’s attributes.”
Virtualization also solves the challenge of running multiple specialized environments without compromising security. “Specialized environments can have their own unique security rules and requirements, which may conflict with other environments,” Rhodes says. “For example, the roles defined in one system may not translate into another environment. Using multiple instances can overcome conflicts that can weaken security.”
Demanding digital battlefield
The digital era, especially on the battlefield, ushers in a greatly increased need for innovative, effective software solutions designed to deliver mission-critical information quickly and securely. It is not unrealistic to assume that our information is constantly under attack. Enough evidence exists to suggest that people who intend to do us harm will. They will use our information and information systems against us, unless actions are taken to prevent such malice.
“One to two years ago, most [mil-aero] programs were requesting ‘roadmaps to security’ but are now requiring security in their solutions,” Blackman notes. “With greater information access across broader networks, there will be more attempts to compromise security and increased attention paid to security across the military, intelligence, and homeland defense.”
A sense of urgency to protect classified information exists, both on and off the battlefield, and today’s software developers and technology companies are delivering the essential tools and technologies.
Federal software security efforts
The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) established under the National Information Assurance Partnership (NIAP) a program, the NIAP Common Criteria Evaluation and Validation Scheme for IT Security (CCEVS), to evaluate information-technology product conformance to international standards.
The Evaluation Assurance Level (EAL) of an information-technology system or solution is a grade, ranging from EAL 1 to EAL 7, that is assigned upon the completion of a Common Criteria security evaluation. The EAL score indicates at what level the system meets the requirements of the Protection Profile.
For additional information, visit www.niap-ccevs.org.