Military capabilities are an attractive target for cyberwarfare. The uncertainty surrounding the extent of the threat is a deterrent in itself: The overwhelming fear is that of unexpected cyberintrusions that cause a cascade of operational problems. Another concern is that technological capabilities may have been compromised—but in ways that are invisible until combat begins.
Many defense contractors, subcontractors and major acquisition programs, including sensitive and classified projects, have been breached and compromised by cyberattacks since the Advanced Persistent Threat—the favored euphemism for China-based cyberespionage—was detected in the mid-2000s. Targeted and highly efficient data collection may now be bearing fruit, given the rapid development of the Chengdu J-20 and Shenyang J-31 stealth fighters, which bear a close resemblance to theand .
U.S. Air Force Maj. Gen. Christopher Bogdan, deputy leader of the F-35 program, noted in the course of his harsh September review of the project's status that the Autonomic Logistics Information System (ALIS)—which combines logistics, mission planning and many other functions, and without which the F-35 cannot be operated—had gone through a development pause and redesign because of “vulnerabilities” discovered in a security review.
The JSF program office will not talk about these vulnerabilities in detail, saying only that “theis fully aware of evolving cyberthreats and is taking specific action to counter them for all fielded systems.” However, ALIS (as Bogdan noted) includes a colossal amount of sensitive information, including details of the performance of stealth systems on each individual aircraft, mission plans and locations. It has important elements that operate over Wi-Fi links and that communicate over the public Internet, and it (ultimately) will have thousands of access points open to tens of thousands of users.
Those users, increasingly, are the focus of cyberdefense efforts. Passwords, remote-access controls, virus-hunting software and even powerful forensic tools like Elbit's Wise Intelligence Technology (WIT) (see page 46) can accomplish a great deal, but systems remain vulnerable to ever changing types of malware disguised as an attachment to an apparently innocent email.
The threat continues to evolve, notes Craig Jensen, a program manager with Dynamics Research Corp. (DRC) who directs security efforts on behalf of theand other agencies. The “attack surface,” he notes, is expanding ever faster with the number of mobile devices connected to the Internet, while new threats are emerging. “There is another group working on a diversified Wikileaks,” he says, that is less vulnerable to national actions against servers, and “in the last 60 days” a search engine called Shodan, which can look for unprotected devices, has emerged.
Jensen stresses the need to use the right tools against insider threats and malware. “Good quality logging” is important to detect inappropriate activities: Like many security people, Jensen believes quite simple tools would have stopped alleged Wikileaks source Bradley Manning, simply by observing an anomalous volume of downloaded data.
Another lesson is that systems should operate even when degraded. “You have to assume—and people have a difficult time with this, because it takes the security blanket away—that you are being penetrated at this moment,” notes Keith Rhodes, chief technology officer forNorth America's services and solutions group. “If we try to protect everything all the time, we will fail. Guns, guards, gates and the Maginot line” will not be enough, he says.
Targets need to define “what the critical information is,” Rhodes says. “I need to understand that there are things in my order of battle that I have to give up. I'll always lose information—but what information do I really, really not want to lose?”
Jensen points to two contrasting historical examples from World War II and afterward: “We cracked the German code and the Germans never found out about it. But the Rosenbergs gave away the atom bomb. One was compromised and the other was not.” The difference may have been culture rather than technology.
That information may be critical because it concerns classified technology, but it may also be critical because (like ALIS) its unimpeded flow is essential to operations. “You need a small collection of people to state what is critical, then define alternate paths in a time of stress,” Rhodes says.
Despite guards and backups, however, the biggest threat “is the careless user or the lazy system administrator,” says Alex Cochran, director of cyber and signals intelligence analysis for. As with DRC and Qinetiq, this is driving the development of security training aimed at the mass of computer users.
“My greatest shortfall in my Army career was having officers who understood planning and could integrate cyber with it,” notes Cochran. Most training courses, adds BAE's director of tradecraft advancement, Robert Tomes, “are focused on ones and zeroes, information assurance, malware and so on. What's missing are the rest of the folks who write code, policymakers, risk analysts and operational planners.”
As the BAE experts observe, studies have shown that less than 5% of cyber-threat warnings in industry originate with corporate security departments. For that reason, the company has launched training programs aimed at users—in a sense, converting as many people as possible into “cyber-reservists” who understand the threat enough to resist and report attacks. They are also active on the Internet, day to day, meshing with another emerging cyberdefense concept: the need to carry the battle “outside the castle walls” to detect hostile activity.
“The operators and users are another sensor,” says Qinetiq's Rhodes. “If they see a system anomaly and they have not been educated, they say, 'that's just how the system runs.'” Training, he says, should tell the user, “there is information that is important here. Keep your eyes open for this or that scenario.” He compares such training to scenes from the movie The Matrix: “There may be something on the screen that looks like gibberish, until you're trained to see it.”
Both Rhodes and Jensen advise that social media are powerful tools for “spearphishing” exploits, where an insider is identified, profiled and targeted with email that appears to come from a routine correspondent but contains a malware payload. “It's not going away,” says Rhodes. “And I'm no lawyer, but the price of employment is not going to be the passwords to all your social media accounts.”
Qinetiq's training, Rhodes says, “teaches people to take the same care in social media as they do going on vacation—the equivalent of stopping the paper and holding the mail.” A message that an employee is out of town to visit a subcontractor, plus a location message, plus a LinkedIn profile and Google Maps, could “point to a nondescript building in the middle of nowhere” and clue an adversary to the existence of a secret program.
Adds Jensen: “Do I know where my resume is? What is in there?” Even the division name and location where you worked could point to classified activities, and (as net-savvy journalists know) it's not unknown for an undisclosed program name to pop up in a resume or profile.
“The cybertraining that we do,” says Rhodes, “turns it into a personal protection process. People make distinctions between their home and work connections,” he says, but spearphishers do not. Nor, he adds, are they concerned if an individual is a chief scientist or high-level engineer. “They are just trying to figure out if you have access.”
“I have seen training work,” Rhodes adds. “Well-educated personnel will defeat opponents. People were aware of something going on and told somebody. What we want is to bring people over to the side of responsibility.” One sign that the message has been heard: “When people ask us if we can tell the same things to their kids.”
A quarter of the cybersecurity incidents reported to the U.S. Computer Emergency Readiness Team in fiscal 2011 involved malicious code. To learn more about the cybersecurity challenge facing the government, check out the digital edition of AW&ST on leading tablets and smartphones or go to AviationWeek.com/cyber