Cybersecurity Challenges in a Net-centric World
Transition to net-centricity encourages users throughout the Department of Defense to share information, but it also introduces cybersecurity vulnerabilities. Recognizing, understanding, and addressing these vulnerabilities are essential to successful transition.
As the pace and scope of decisions in the battlespace accelerate, the military increasingly depends on information and information sharing to support improved military situational awareness, offer better access to mission information, and shorten decision-making cycles. Coupled with increasing budget pressures, this urgent need for timely and accurate information by decision makers and warfighters has led to a transformation in DOD’s concept of operations for conducting its missions, which affects its procedures for acquiring, deploying, and coordinating capabilities. The transformation enables users to more effectively exploit information, more efficiently use resources, and more easily create extended, collaborative mission-oriented communities.
DOD’s approach to achieve this transformation is called net-centricity, securely connecting people and systems independent of time or location. DOD has written a number of strategies, directives, and instructions defining the net-centric approach and establishing policies and responsibilities for its implementation.
The data strategy at the heart of DOD’s net-centric approach requires trusted data to be made visible, accessible, and understandable to any potential user in DOD, including unanticipated but authorized users. Data is to be made visible by creating and associating metadata (descriptive “tagging”), accessible by making it available in “shared spaces” in accordance with Global Information Grid guidance, and understandable by publishing associated metadata in a federated DOD metadata registry. The DOD approach recognizes that cultural barriers to trust and data sharing must be addressed to effect operational change.
Making the right information available to the right people—and only to those people—involves cultural, technological, and operational changes. For example, although DOD’s standard certification and accreditation process was intended to accommodate diverse information systems in a dynamic environment, as programs have gained experience working in a net-centric environment, the process is evolving to address the new challenges encountered. As The Aerospace Corporation helps its space community customers understand the complexity of such changes, an important lesson learned is that many technological changes introduce new cybersecurity vulnerabilities. Aerospace system engineers are working with their customers to help them recognize these cybersecurity vulnerabilities and explore their impact on the technological aspects of the net-centric approach.
Increased System Connectivity
Net-centric enterprises are more effective at information sharing than traditional networks because the systems are interoperable, leading to better communication and collaboration across organizations. However, the increased level of data sharing across system boundaries requires a net-centric enterprise to provide coherent and uniform, or at least coordinated, security policies and mechanisms governing the whole enterprise, as well as maintain or augment the diverse security mechanisms of the individual systems.
The interconnectivity of a net-centric enterprise, the vulnerabilities inherent in individual systems, and the increasing sophistication of cyberattacks create challenges to the traditional way of securing a system, which in the past was primarily by external boundary protection and defensive attack resistance. External boundary protection mechanisms may not be effective in net-centric environments where sharing data and services across system boundaries is common. For example, a single system in a net-centric enterprise may have some hidden unprotected entry points that make systems connected to it vulnerable in a new and obscure way. An actual attack scenario illustrates this inadequacy: In January 2003, the Davis-Besse Ohio Nuclear Power Plant was infected with the Slammer worm. An investigation found that the worm had entered the Davis-Besse plant through the unsecured network of a Davis-Besse contractor. The worm was then transmitted through a network connection bridging that network and Davis-Besse’s corporate network. Further analyses revealed that this connection was one of multiple entry points into Davis-Besse’s corporate network that completely bypassed the plant’s firewall.
The DOD net-centric services strategy recognizes that a service-oriented approach can facilitate an expansion of capabilities for warfighters and decision makers, thereby significantly increasing operational effectiveness. Net-centric guidelines advocate the use of service-oriented architectures in data exchanges among systems and in internal structuring of individual systems. Service-oriented architectures provide numerous business benefits and architectural advantages in building large-scale information systems. Business benefits include software reuse, development agility, increased return on software investment, and a sound basis for service-level agreements. Architectural benefits include loose coupling of services, well-defined interfaces, scalability, and extensibility. The service-oriented approach is in wide use in many industries where cybersecurity is critical, including banking and healthcare. Nevertheless, service-oriented architectures also introduce security challenges.
Assuring trust is one of the more difficult challenges to be met when implementing a net-centric environment using a service-oriented approach. The service-oriented approach implies modularity, loose coupling, and dynamism. The combination creates uncertainties about a component’s context, through which threats to the component may be introduced. The 2008 European Commission Report, “Engineering Secure Complex Software Systems and Services,” captures this concern: “The functioning of future service-oriented architecture-driven systems will be based on loosely coupled components: groups of different software components that function independently and are assembled dynamically, at run-time, to provide the requested services.” This implies that each such module knows far less about the time, reason, and environmental conditions in which it will be invoked. Such components have to be designed and built to be resilient to different and unknown threat environments, while at the same time they have to be aware of run-time system security monitoring and other relevant security events.
The service-oriented requirement that each service provider advertise its services and their specifications to enable dynamic discovery creates additional concerns. Such advertisement contradicts good practice for systems security, which is to minimize the exposure of information about the system’s internal structures and the ways to access its functions. If intruders gain access to a service specification, they may discover ways to misuse the service or penetrate the service-providing component.
A further concern is dynamic service composition in the service-oriented approach. “Encompassing” services compose other services but may employ security mechanisms different from those of the composed services. This technique needs to have a security mechanism able to ensure proper (i.e., compatible) security controls for each encompassing service as well as for the composed services.
Lastly, there is the concern of incompatibility in the growing set of security standards, some of which conflict, are evolving and/or are immature, and may even have interoperability issues. The provider of capabilities with a service-oriented architecture must make sure that these standards are used properly and in concert to avoid creating security vulnerabilities.
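The composition concern above can be made concrete with a compatibility check run at composition time. The following is an added example, not code from the article or from any DOD program: each service declares the security controls it enforces, and an encompassing service is accepted only if it enforces controls at least as strong as every service it composes and shares a security-token format with each of them. The control families, the strength scales, and the service registry are constructed for illustration.

```python
"""Added example (not from the article or any DOD program): a compatibility
check for dynamically composed services. Each service declares the security
controls it enforces; an "encompassing" service is compatible with a service it
composes only if it enforces controls at least as strong as that service's, and
the two share at least one security-token format. Control families, strength
levels and the service registry are constructed for illustration."""
from dataclasses import dataclass

# Constructed strength scales: a higher index means a stronger control.
SCALES = {
    "transport": {"none": 0, "tls": 1, "mtls": 2},
    "authn": {"anonymous": 0, "password": 1, "pki": 2},
    "audit": {"off": 0, "basic": 1, "full": 2},
}


@dataclass(frozen=True)
class Policy:
    transport: str
    authn: str
    audit: str
    token_formats: frozenset


@dataclass
class Service:
    name: str
    policy: Policy
    composes: tuple = ()  # names of the services this one calls


def check_composition(registry, root):
    """Walk the composition tree under `root` and return (outer, inner, problem)
    findings; an empty list means every composition step is compatible."""
    findings, seen = [], set()

    def visit(name):
        if name in seen:  # tolerate shared sub-services and cycles
            return
        seen.add(name)
        outer = registry[name]
        for inner_name in outer.composes:
            inner = registry[inner_name]
            for family, scale in SCALES.items():
                o, i = getattr(outer.policy, family), getattr(inner.policy, family)
                if scale[o] < scale[i]:
                    findings.append((name, inner_name,
                                     f"{family}: '{o}' is weaker than composed service's '{i}'"))
            if not (outer.policy.token_formats & inner.policy.token_formats):
                findings.append((name, inner_name, "no common security-token format"))
            visit(inner_name)

    visit(root)
    return findings


# Constructed registry: two candidate front-end services over the same two back ends.
REGISTRY = {
    "weather": Service("weather", Policy("mtls", "pki", "basic", frozenset({"saml"}))),
    "imagery": Service("imagery", Policy("tls", "password", "full", frozenset({"x509"}))),
    "planner-v1": Service("planner-v1",
                          Policy("tls", "password", "basic", frozenset({"saml", "jwt"})),
                          ("weather", "imagery")),
    "planner-v2": Service("planner-v2",
                          Policy("mtls", "pki", "full", frozenset({"saml", "x509"})),
                          ("weather", "imagery")),
}

if __name__ == "__main__":
    for root in ("planner-v1", "planner-v2"):
        print(root, check_composition(REGISTRY, root) or "compatible")
```

Run against the constructed registry, `planner-v1` produces four findings (it downgrades the transport and authentication that `weather` requires, audits less than `imagery` does, and shares no token format with `imagery`), while `planner-v2` produces none. A real registry would carry the controls of the standards actually in use, but the shape of the check, comparing each encompassing service against each composed service along every control family, is the same.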
Uniform Design and Implementation of Common Functions
Product heterogeneity and design diversity have arisen naturally in national security space systems. As new programs have been defined to address national missions, their space systems have been developed in isolation and contain few if any common constituents. Isolation and diversity provide advantages in containing security attacks—diverse systems typically do not expose the same or even similar security vulnerabilities. On the other hand, the increased demand for cost-effectiveness is a motivator for uniform designs and common implementations of common functions.
Although net-centricity principles call for interoperability and introduce structuring principles, they do not necessarily call for uniform architectures or common functions. Nevertheless, many net-centric system designs aim at some degree of uniformity and commonality. Common services often include common functions such as timer and logging services, as well as platform services such as those provided by the Defense Information Systems Agency’s (DISA’s) “Global Information Grid Net-Centric Enterprise Services.” A single design and implementation of common functions provides both security benefits and challenges. The benefit is that developers can afford to make implementations more resistant and resilient in the face of attacks, since the investment required will be amortized over many systems. The challenge is that an adversary can use knowledge of security vulnerabilities in a common design or implementation to attack multiple systems with that same design.
Clouds in National Space Systems
Cloud computing—a utility in which multiple corporate or mission systems and data are hosted dynamically on common hardware and system environments (clouds)—is gaining acceptance by a wide variety of organizations, including government agencies, because of its simple business model and potentially significant reductions in the cost of data and service ownership. Other benefits of clouds include scalability, flexibility, data-center efficiency, and resilience in the presence of failures in software, hardware, or networks.
The most significant barrier to the adoption of cloud computing is trust. To what degree are clouds able to support critical information security and mission resilience as compared to more traditional, independent operational environments? Many analyses of cloud-based operations suggest information security issues for clouds are approximately as manageable as they are for more traditional operational environments. Some analyses even suggest that mitigations with existing software and hardware technologies may be more effective in cloud environments.
On the other hand, there are concerns about the use of public clouds (clouds owned and managed by commercial cloud providers) for space system mission-critical applications. For this reason, most migrations of mission-critical applications for DOD and the intelligence community are to private clouds (clouds owned and managed by an enterprise for the use of its organizational components). Nevertheless, some concerns about public clouds remain with private clouds.
One of the security concerns with cloud computing is that large quantities of data hosted on a cloud make it an attractive target for adversaries. Even private clouds may host a huge quantity of data owned by multiple systems and organizations. In this case, unauthorized access to a cloud would result in a much bigger payoff than a break-in to a single isolated system. However, investment in much more trustworthy security mechanisms (which may be complex and thus expensive to build and maintain) may be more feasible for clouds because of the economy of scale.
Another security concern about clouds is that a shared infrastructure introduces new potential insecurities. Cloud implementations use computing and network virtualization approaches to control the use of their resources and manage their data-center costs. The underlying virtualization implementation presents a new intrusion point that must be protected.
Security concerns about clouds also involve the fact that data protection can fail across customer domains. For example, data owned by different customers are generally hosted in different virtual servers so that one customer is not able to access the data owned by another. However, research has revealed that in some cases an attacker that has obtained access to a virtual machine can mount cross-virtual machine attacks and access data hosted by other virtual machines resident on the same physical machine.
Lastly, there is the concern that data governance may differ between data owners and cloud providers. Each user system and organization may have separate defined and tailored data-center governance policies for topics such as access control, vulnerability analysis, software upgrade management, and logging policies. When migrating to a cloud environment, data owners have to rely on the cloud provider for data governance, at least to some degree, and this may not be as extensive and inclusive as the governance of the data owners.
Because many of these security concerns may be less severe in private clouds, government agencies are primarily committing to them. DOD, for example, is migrating to clouds owned and administered by DISA. Additionally, DOD organizations such as DISA and DARPA (Defense Advanced Research Projects Agency) are working on architectural mitigation of some of these concerns, using techniques such as hardened servers, which are more impervious to attack, to achieve more resilient clouds.
Legacy Systems as Building Blocks of Net-centric Systems
Because of cost and schedule constraints, numerous net-centric defense systems have been architected by integrating legacy and reuse products, which have typically been developed with limited consideration of threats and thus may suffer from serious security drawbacks. For example, there have been numerous reports of successful attacks on today’s SCADA (supervisory control and data acquisition) networks, which demonstrates that information assurance has generally not been built into their system architecture and design.
Instead, these systems often exhibit perimeter security flaws with insecure back doors and entry points. Often the technologies used within these systems have known flaws that can be exploited, including software flaws introduced by failure to use secure coding techniques. Another problem is that obsolete hardware and software remaining in systems may not be maintained, so vulnerabilities are not always removed. These problems are often publicly exposed or easily discovered, and resolving them may require significant modifications to the system’s design and implementation.
“Wrapping” legacy-based systems with well-defined and secure net-centric service interfaces may lead to a significant reduction in vulnerabilities, but it may still be possible to penetrate these systems and misuse their insecure code. Moreover, if an advanced persistent threat can penetrate these systems, it can then infect other interacting systems. Thus an attack on a single system can readily propagate to other net-centric systems.
Vulnerabilities of legacy-based net-centric systems must be minimized through hardening of the system with security mechanisms (e.g., incorporating cryptographic solutions to address critical security needs) designed to prevent new types of cybersecurity attacks such as malware (malicious software) intrusions. Additionally, wherever cost and schedule permit, the legacy and reuse products should be refactored based on existing secure coding standards and information assurance architectures.
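The “wrapping” approach described above is illustrated by the following added example, which is not code from the article or from any fielded system. A legacy component that trusts whatever text it is handed sits behind a net-centric service interface that authenticates the caller with an HMAC, authorizes the requested operation, validates every parameter against an allowlist, logs the decision, and only then rebuilds the legacy command from validated pieces. The caller names, the shared key, the unit-id format and the legacy command set are all constructed.

```python
"""Added example (not from the article): a secure net-centric service interface
"wrapped" around a legacy component that trusts its input. The wrapper
authenticates the caller, authorizes the operation, validates every parameter
against an allowlist, and logs the decision before anything reaches the legacy
code. Caller names, the shared key and the legacy command set are constructed."""
import hashlib
import hmac
import logging
import re

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("legacy-wrapper")


def legacy_backend(command_line: str) -> str:
    """Stand-in for the legacy component (constructed). It parses whatever text it
    is handed, so the wrapper must only pass it values it has already validated."""
    verb, _, unit = command_line.partition(" ")
    handlers = {
        "STATUS": lambda u: f"unit {u}: nominal",
        "TELEMETRY": lambda u: f"unit {u}: 12 channels streaming",
    }
    return handlers[verb](unit)


SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned to callers out of band
OPERATIONS = {"status": "STATUS", "telemetry": "TELEMETRY"}  # external name -> legacy verb
AUTHORIZED = {"planner-svc": {"status", "telemetry"}, "dashboard-svc": {"status"}}
UNIT_ID = re.compile(r"[A-Z]{2}[0-9]{3}")  # the only shape a unit id may take


def sign(caller: str, op: str, unit: str) -> str:
    """Tag a request with an HMAC so the wrapper can tell who sent it."""
    msg = f"{caller}|{op}|{unit}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def handle(request: dict) -> tuple:
    """Service entry point. Returns (outcome, detail); only 'ok' reaches the legacy code."""
    caller, op, unit = request.get("caller"), request.get("op"), request.get("unit")
    tag = str(request.get("tag") or "")
    if caller not in AUTHORIZED:
        log.warning("denied: unknown caller %r", caller)
        return ("denied", "unknown caller")
    if not hmac.compare_digest(sign(caller, str(op), str(unit)), tag):
        log.warning("denied: bad signature from %s", caller)
        return ("denied", "bad signature")
    if op not in OPERATIONS or op not in AUTHORIZED[caller]:
        log.warning("denied: %s may not perform %r", caller, op)
        return ("denied", "operation not permitted")
    if not isinstance(unit, str) or not UNIT_ID.fullmatch(unit):
        log.warning("rejected: malformed unit id %r from %s", unit, caller)
        return ("rejected", "malformed unit id")
    log.info("ok: %s %s %s", caller, op, unit)
    # Rebuild the command from validated pieces; never forward the caller's raw text.
    return ("ok", legacy_backend(f"{OPERATIONS[op]} {unit}"))


def make_request(caller: str, op: str, unit: str) -> dict:
    """Client-side helper for a caller that holds the shared key."""
    return {"caller": caller, "op": op, "unit": unit, "tag": sign(caller, op, unit)}


if __name__ == "__main__":
    print(handle(make_request("planner-svc", "status", "SV042")))
    print(handle(make_request("dashboard-svc", "telemetry", "SV042")))
    print(handle(make_request("planner-svc", "status", "SV042 extra")))
    print(handle({**make_request("planner-svc", "status", "SV042"), "tag": "0" * 64}))
```

The order of the checks matters: identity is established before authorization is consulted, and the parameter allowlist is applied before anything is rebuilt for the legacy code, so a caller never learns from the response whether a malformed parameter would have reached the backend. Wrapping reduces exposure in exactly this way, but, as the text notes, the insecure code still exists behind the interface, which is why refactoring remains the longer-term remedy.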
Commercial and Open-Source Software
Commercial off-the-shelf (COTS) and open-source software products offer essential functions for many net-centric systems. However, the popularity of these products and easy access to information about their architecture and interfaces make them an attractive target for attack. It is difficult to validate the security of commercial products because they are generally “black boxes” to their systems and there is little or no available information about their internal architectures and designs. In general, adopters of COTS software have to rely on limited published security reports about it. Also, the availability of the source code of open-source products makes them an attractive target because an adversary can easily discover their vulnerabilities.
Many modern commercial and open-source products (especially infrastructure products such as operating systems and middleware) have incorporated advanced security features that have gone through some degree of verification processes. The U.S. government is conducting several comprehensive activities to achieve verification, validation, and integration of commercial and open-source products used in its systems. The National Security Agency manages the National Information Assurance Partnership (NIAP), which is tasked with meeting the security testing needs of consumers and producers of information technology. Other DOD organizations have initiated efforts to address commercial and open-source security issues, including DISA’s Net-Centric Enterprise Services and the Air Force’s “Consolidated Enterprise Information Technology Baseline.”
Nevertheless, the widespread integration of commercial and open-source software in the process of creating net-centric systems leaves many uncertainties about its impact on the information security and resilience of those systems.
Mobile and Wireless Technologies
The emergence of affordable, smart mobile devices coupled with advances in wireless communications (e.g., 4G, WiFi, and Bluetooth®) has made ubiquitous access to the Internet a reality, with consumer and business enterprises widely adopting mobile devices. Even mission-critical enterprises (including tactical military units) are incorporating commercial wireless technology into their operations, although they are reluctant to integrate mobile technologies within their core mission systems. While this adoption significantly increases net-centric enterprises’ scalability, flexibility, and accessibility, it raises significant cybersecurity concerns. The increasing volume of attacks on commercial mobile devices validates these concerns: Juniper Networks’ global threat center reported that Android malware attacks increased approximately 470 percent between July and November 2011.
Mobile devices are vulnerable to a variety of security attacks because they generally have weak security mechanisms and suffer from severe resource constraints. Meanwhile, malware, the major means of attack, is becoming more sophisticated and difficult to detect. As mobile devices become more capable, they also become prey to more complex attacks (e.g., those based on the widely used “BlackHole toolkit,” which can force a mobile device to act maliciously during its interactions with other devices).
Widespread use of mobile devices to form wireless sensor networks or ad hoc mobile networks may create vulnerabilities because their wireless communication protocols are not as safe against network attacks as those used with wired media. Various wireless protocols designed for low-power operation or ad hoc (dynamic) network formation and reconfiguration may introduce additional vulnerabilities. Common attacks on wireless media include “Hello Flood” attacks, in which attackers may masquerade as trusted neighbor nodes, and “wormhole” attacks, in which network routing algorithms are spoofed to achieve person-in-the-middle packet manipulation and redistribution. Additionally, dependence on minimally protected short-range protocols (such as Bluetooth®) can be exploited to penetrate a device and alter the device’s behavior.
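The “Hello Flood” masquerade mentioned above is normally countered by refusing to treat a node as a neighbor on the strength of a HELLO alone: the receiver challenges the sender, and the sender must answer over the reverse link with a message authenticated under a key the two legitimately share. The simulation below is an added example, not code from the article; radio reach is modeled as a one-dimensional position plus transmit range, and pairwise keys are derived from a constructed deployment master key as a stand-in for whatever key establishment a real network uses.

```python
"""Added example (not from the article): authenticated, bidirectionally verified
neighbor discovery, the usual mitigation for "Hello Flood" attacks in which a
node masquerades as a trusted neighbor. Constructed simulation: radio reach is
modeled by 1-D positions and a per-node transmit range; pairwise keys are
derived from a deployment master key (a stand-in for real key establishment)."""
import hashlib
import hmac
import os

MASTER_KEY = b"constructed-deployment-master-key"  # assumption: provisioned before deployment


def pairwise_key(a: str, b: str) -> bytes:
    """Derive the symmetric key shared by nodes a and b (order-independent)."""
    label = "|".join(sorted((a, b))).encode()
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


def mac(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class Node:
    def __init__(self, node_id, position, tx_range, legitimate=True):
        self.id, self.pos, self.tx_range = node_id, position, tx_range
        self.legitimate = legitimate  # a rogue node holds no provisioned keys
        self.neighbors = set()
        self.pending = {}  # outstanding challenge nonce per claimed neighbor

    def can_reach(self, other) -> bool:
        return abs(self.pos - other.pos) <= self.tx_range

    def hello(self) -> dict:
        return {"type": "HELLO", "from": self.id}

    def on_hello(self, msg) -> dict:
        """Never trust a HELLO by itself: challenge the sender over the reverse link."""
        nonce = os.urandom(8).hex()
        self.pending[msg["from"]] = nonce
        return {"type": "CHALLENGE", "from": self.id, "to": msg["from"], "nonce": nonce}

    def on_challenge(self, msg):
        if not self.legitimate:  # no pairwise key, so no valid answer is possible
            return None
        key = pairwise_key(self.id, msg["from"])
        tag = mac(key, "RESPONSE", self.id, msg["from"], msg["nonce"])
        return {"type": "RESPONSE", "from": self.id, "to": msg["from"],
                "nonce": msg["nonce"], "tag": tag}

    def on_response(self, msg) -> bool:
        nonce = self.pending.pop(msg["from"], None)
        if nonce is None or nonce != msg["nonce"]:
            return False  # unsolicited or replayed response
        key = pairwise_key(self.id, msg["from"])
        expected = mac(key, "RESPONSE", msg["from"], self.id, nonce)
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        self.neighbors.add(msg["from"])
        return True


def discover(sender: Node, receiver: Node) -> bool:
    """Run HELLO -> CHALLENGE -> RESPONSE; each message is delivered only if the
    radio link in that direction actually reaches."""
    if not sender.can_reach(receiver):
        return False
    challenge = receiver.on_hello(sender.hello())
    if not receiver.can_reach(sender):
        return False  # reverse link absent: a distant high-power transmitter
    response = sender.on_challenge(challenge)
    if response is None or not sender.can_reach(receiver):
        return False
    return receiver.on_response(response)


def demo() -> dict:
    """Constructed scenario: one legitimate neighbor, one distant high-power
    rogue, and one nearby rogue without keys, all sending HELLO to node B."""
    b = Node("B", 5, 10)
    results = {
        "legitimate A": discover(Node("A", 0, 10), b),
        "distant high-power rogue": discover(Node("R1", 100, 200, legitimate=False), b),
        "nearby rogue without keys": discover(Node("R2", 8, 10, legitimate=False), b),
    }
    results["B's neighbors"] = sorted(b.neighbors)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two rogue cases fail for different reasons: the distant transmitter can make its HELLO heard but cannot hear the challenge, so bidirectionality is never established; the nearby node hears the challenge but cannot produce a valid tag. Neither ends up in B's neighbor table, which is the property routing decisions should depend on.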
Mobile device manufacturers and mobile software platform providers are constantly increasing their devices’ resilience during known attacks, but at the same time, attacks are becoming more sophisticated and adaptive.
To enable the large population of mobile devices based on the Android operating system to be used securely in military and emergency response operations, George Mason University and the National Security Agency have developed a hardened secure kernel for the Android operating system. This kernel, called Security Enhanced (SE) Android, has gone through testing and certification for use in military (and perhaps civilian) secure networks. The emergence of SE Android makes it more feasible to integrate such devices into existing military and civilian network infrastructures. In addition to hardening mobile devices, DOD has established policies and standards to reduce the likelihood of successful mobile attacks.
Perhaps the most intractable cybersecurity threat for net-centric and other military and intelligence systems is the nearly universal lack of control and insight into the supply chain through which the components of the systems are created and distributed. It has long been known that adversaries may try to implant in the supply chain hidden vulnerabilities into elements of any of the national defense systems. Nevertheless, all military and intelligence systems are still composed of hardware and software components manufactured throughout the world whose trustworthiness is extremely difficult to certify.
The widespread transition to net-centric paradigms is challenging system and software architects and information-assurance practitioners to change the way they think about system security, information protection, and mission resilience. New strategies for handling the technical advances and cultural changes are needed. This highly interconnected environment demands that components be designed for resilience from cyberattacks and threats. The world has changed, and space system practitioners must change too.
R. Choo, “Cloud Computing: Challenges and Future Directions,” Trends and Issues in Crime and Criminal Justice, No. 400 (Oct. 2010).
“Department of Defense Net-Centric Data Strategy” (May 9, 2003), http://dodcio.defense.gov/docs/net-centric-Data-strategy-2003-05-092.pdf (as of Jan. 23, 2012).
“Department of Defense Net-Centric Services Strategy” (May 4, 2007), http://dodcio.defense.gov/docs/Services_Strategy.pdf (as of Jan. 23, 2012).
“DOD’s Move to the Cloud Keeps Security Experts Up at Night,” Defense Systems, http://defensesystems.com/articles/2011/08/22/feat-dod-disa-cloud-security.aspx (as of Aug. 2011).
“Engineering Secure Complex Software Systems and Services,” Report of the European Commission Information Society and Media (Brussels, Apr. 23, 2008), ftp://ftp.cordis.europa.eu/pub/fp7/ict/docs/security/20080423-engineering-secure-sw-systems-report_en.pdf (as of Dec. 27, 2011).
Homeland Security Department, “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies” (Oct. 2009), http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf (as of Dec. 28, 2011).
J. Jensen et al., “SOA Security: An Experience Report,” The Norwegian Information Security Conference (2009).
H. F. Lipson, “Survivability: A New Security Paradigm for Protecting Highly Distributed Mission-Critical Systems,” IFIP WG 10.4 (June 2000).
C. Miller, “Security Considerations in Managing COTS Software,” Cigital, Inc. (2006), https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/legacy/623-BSI.html (as of Dec. 28, 2011).
“NIAP and COTS Product Evaluations,” http://www.nsa.gov/ia/business_research/partnerships_with_industry/niap_and_cots_product_evaluations.shtml (as of Dec. 28, 2011).
T. Ristenpart, “Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds,” ACM Conference on Computer and Communications Security (2007).
R. Tsang, “Cyber Threats, Vulnerabilities and Attacks on SCADA Networks,” University of California, Berkeley, Working Paper, http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf (as of Dec. 28, 2011).
The authors thank Dan Balderston, Frank Belz, and Mary Nichols for their contributions to this article.