Cybersecurity paper - Temple Fox MIS

Securing the Virtual Battleground:
Cybersecurity Issues of the United States
Department of Defense
Adam Alalouf
Paul Pagliaro
PHILADELPHIA – June 20, 2011
Temple University, Fox School of Business & Management
Department of Management Information Systems
Cyber Security and Risk Management
Introduction
The United States, with the most formidable military organization in the world, accounts for 43
percent of global military spending, roughly as much as the next fourteen nations combined (1).
Total military spending in the United States reached $708 billion in 2011 (1). The United States and
the rest of the world have recently been awakened to a battlefront that evades traditional military
lines and borders. In the last month alone there have been attacks on information systems that had a
critical impact, both financially and militarily, on entities in the United States and around the
world.
In May of this year, unknown hackers broke into military systems at Lockheed Martin
Corporation, which store extremely sensitive information on military technologies and weapon systems
(2). Lockheed Martin is the largest supplier to the Department of Defense by contract dollars (3).
Similarly, systems at the International Monetary Fund that contain highly classified information
pertaining to several nations were subjected to sophisticated, large-scale attacks (4). The threats
that arise from increasingly complex cyber tactics are demanding the attention of military and
government leaders, both domestically and abroad, and cyber security is expanding both in funding and
in its application to military risk management, asset protection, and national defense.
“Without question, developments in cyberspace have redefined the front lines of national
security… Within a few short years, information technology has transitioned from a support
function to a strategic element of power in its own right. As a result, future conflicts will
unquestionably have a cyber dimension. The doctrine, organizational structure, and resource
allocation of our defense ministries must change to reflect this new reality.”
—Deputy Defense Secretary William J. Lynn III (5)
The Department of Defense and Information Risk Management
The Federal Information Security Management Act of 2002 (FISMA) assigned the National
Institute of Standards and Technology (NIST) the task of establishing standards and guidelines for
federal agencies in managing their information risks (6). FISMA names three security objectives in
its publication: confidentiality, integrity, and availability. It defines three levels of potential
impact in the event that one of these elements of information security is breached: low, moderate,
and high, measured by the potential adverse effect on the organization’s assets, its ability to
operate, and individuals. In addition to the physical and information assets of the Department of
Defense, which are valued in the billions of dollars, the impact of attacks on any of the
Department’s information systems, networks, or infrastructure potentially includes the loss of human
lives and the compromise of freedom and sovereignty. Therefore, the implications of security threats
for the Department’s risk management plan can always be assumed, or argued, to be of high impact.
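As an added illustration (not part of the original paper), the following Go program applies the FIPS 199 categorization the paragraph describes: per-objective impact levels for several constructed information types are aggregated with the high-water mark, and a floor models the paper’s argument that a Department of Defense system’s impact can always be argued high. The information-type names and their levels are constructed assumptions, not an official inventory.

```go
package main

import "fmt"

// Impact is a FIPS 199 potential-impact level for one security objective.
type Impact int

const (
	Low Impact = iota
	Moderate
	High
)

func (i Impact) String() string {
	return [...]string{"LOW", "MODERATE", "HIGH"}[i]
}

// Categorization records the impact level assigned to each of the three
// FIPS 199 security objectives for one information type or one system.
type Categorization struct {
	Confidentiality, Integrity, Availability Impact
}

// Notation renders the categorization in the form FIPS 199 uses:
// SC = {(confidentiality, X), (integrity, Y), (availability, Z)}.
func (c Categorization) Notation() string {
	return fmt.Sprintf("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}",
		c.Confidentiality, c.Integrity, c.Availability)
}

// Overall collapses the three objectives to one system impact level using the
// high-water mark: the highest of the three, never an average.
func (c Categorization) Overall() Impact {
	return maxImpact(c.Confidentiality, maxImpact(c.Integrity, c.Availability))
}

// CategorizeSystem aggregates every information type a system handles by
// taking, per objective, the highest impact found among the types.
func CategorizeSystem(types map[string]Categorization) Categorization {
	var sys Categorization // zero value is LOW for every objective
	for _, t := range types {
		sys.Confidentiality = maxImpact(sys.Confidentiality, t.Confidentiality)
		sys.Integrity = maxImpact(sys.Integrity, t.Integrity)
		sys.Availability = maxImpact(sys.Availability, t.Availability)
	}
	return sys
}

// WithFloor raises every objective to at least floor. It models the paper's
// argument that a DoD system's impact can always be argued HIGH because a
// breach may cost lives, whatever the per-type analysis produced.
func (c Categorization) WithFloor(floor Impact) Categorization {
	return Categorization{
		Confidentiality: maxImpact(c.Confidentiality, floor),
		Integrity:       maxImpact(c.Integrity, floor),
		Availability:    maxImpact(c.Availability, floor),
	}
}

func maxImpact(a, b Impact) Impact {
	if a > b {
		return a
	}
	return b
}

func main() {
	// Constructed, illustrative information types; not an official DoD inventory.
	types := map[string]Categorization{
		"public recruiting web pages": {Low, Low, Low},
		"supply and logistics orders": {Moderate, Moderate, High},
		"remote-access credentials":   {High, High, Moderate},
	}
	sys := CategorizeSystem(types)
	fmt.Println("per-type aggregate:", sys.Notation(), "overall:", sys.Overall())
	fmt.Println("with DoD floor:    ", sys.WithFloor(High).Notation())
}
```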
The Department of Defense is the largest government agency and the single largest employer in
the United States, with 1.4 million men and women on active duty and 718,000 civilian employees (7).
The national defense budget totaled $549 billion in 2011 and total actual military spending reached
$708 billion (1). The assets of the Department of Defense can be divided into people assets, knowledge
assets, and physical assets. The physical assets include the complex systems of computers, networks,
weapons, plants, buildings, equipment and vehicles in the Army, Navy, Air Force, Marine Corps, National
Guard and U.S. Coast Guard. All of these systems in some form or another rely on information systems
that run over the Global Information Grid for operation, maintenance and command. Finally, the
Department of Defense states that its mission is “to provide the military forces needed to deter war and
to protect the security” of the nation (7). In addition to the responsibility for its active members and
employees, the Department is charged with securing the welfare of the American people.
Information Assurance: Availability, Confidentiality, Authenticity, Integrity, and Non-repudiation
The ability to access information in a timely and meaningful way is one of the fundamental
requirements of any information system, and it is the chief requirement that must be balanced against
security. Achieving this balance of security and operability is as crucial in the military as it is in
any industry. The five areas of information assurance are availability, integrity, authentication,
confidentiality, and non-repudiation. These elements are expressed in the mission of the U.S. Army
Reserve Element (USARE) of the Defense Information Systems Agency (DISA), as well as in the
Department of Defense Strategy for Cyber, Identity, and Information Assurance (CIIA) (8) (9).
Availability describes the level of ease with which an authorized user of a system can gain access
to information. The military is the best-known user of data classification schemes, and is responsible for
many of the developments in information security (INFOSEC), operations security (OPSEC), and
communications security (COMSEC) (10). The task of making information available in the context of
data classification schemes is a complex and crucial one. Availability is disrupted whenever user access
to information is disrupted or blocked, as is discussed in the upcoming Lockheed Martin example.
Disruption to availability can cause highly adverse situations if the need to access is time-sensitive, as is
the case with many war-related scenarios. Availability is a chief concern even in unclassified information
platforms.
Authenticity is the quality of information that is genuine, unaltered by storage or
transmittal, and of a valid and legitimate origin. In phishing scams, online attackers often attempt to
cheat people by creating a sense of authenticity to lure their victims into divulging sensitive
information, such as bank account numbers, social security numbers, and login credentials. In 2007, the
Department of Defense was targeted in a “spear phishing” scam, to which it responded with an awareness
training manual to notify everyone of the nature of the attack. The phishing e-mail contained a fake
message from the military division of Bank of America, which offered $20 to people who completed a
survey; the survey contained fields for the bank card account number, PIN, expiration date, and
three-digit security code (11). Every rank and level in the military was targeted with this attack. The
best safeguards against compromises of authenticity such as this are fraud prevention education,
training, policies, and properly configured firewalls.
Confidentiality is the condition of information disclosure strictly to authorized parties or
individuals. This is extremely important in the context of classified information schemes. In order to
protect the confidentiality of information, an organization must implement a top-down security policy,
focus on proper training and education of employees, and apply technological mechanisms to store
information on secure servers armed with firewalls, intrusion detection systems, and strong
authentication policies. It is important to remember that all elements of information assurance are
interrelated, and act as building blocks in the implementation of a company-wide policy (10).
In the May 2011 attacks on computer systems at Lockheed Martin, the organization
experienced a compromise of availability, authenticity, and confidentiality. In the attack, hackers
broke into systems at Lockheed Martin after successfully stealing SecurID tokens. SecurID tokens are
electronic authentication tools that give users access to government networks from remote locations
(12). There is reasonable cause to believe that the attack is linked to a previous set of attacks on RSA
Security, a subsidiary of EMC Corporation, the company that provides the security tokens to Lockheed
employees and to millions of other users, including those of the Department of Defense. The breach
compromised the confidentiality of user login credentials and the information they access, interrupted
the authentication mechanisms at play, and also disrupted the availability of information throughout
the organization (12). The company had to re-issue authentication keys to many of the system’s users
and to upgrade its security measures. In a statement issued two days after the attack, Lockheed CIO
Sondra Barbour announced a plan to increase security on company networks. The SecurID tokens have been
updated, all user passwords have been reset, and the company is moving from four-digit to eight-digit
access codes (13). Since RSA provides authentication services to the Department, this attack has direct
implications for its security policy as well.
Integrity is a characteristic of information that means it is complete, uncorrupted, and
trustworthy. Various types of malware are engineered to damage information integrity during
transmission or in storage. Intrusion Detection and Prevention Systems are designed to alert systems
administrators to a security breach on the network. When an unauthorized user gains access to a
network, he or she has the ability to compromise the integrity of the information, rendering it useless,
harmful, or lost (10).
In 2008, a piece of malware known as “agent.btz” infected computer systems of the U.S. Central
Command, a network that coordinates war operations in Iraq and Afghanistan. Three years later, it is
still circulating, evolving into newer forms and still wreaking havoc on military systems (14). The
agent.btz worm was introduced to the network through a flash drive inserted into a military computer
by an overseas adversary in 2008, in what officials call the most significant breach of U.S. military
networks. It has since spread from military networks and computers to non-military ones, compromising
the integrity and confidentiality of information along the way (14). This incident is a clear example
of how military information assurance issues quickly segue into national defense and war issues.
Non-repudiation ensures that parties can be held accountable for online transactions and
agreements. It accomplishes this with cryptographic tools known as digital signatures, which can
mathematically prove the identity of the party that produced them. The standards and techniques used
to create and verify digital signatures are approved by the National Institute of Standards and
Technology (NIST) (10). The agent.btz worm is still posing a threat to U.S. military systems because it
constantly downloads new code, updates itself, and changes its own signatures, and thus continues to
evade anti-virus software. Officials say that it is likely to remain a threat because it stays ahead of
the curve, beyond the latest anti-virus capabilities and statistics used on host networks.
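Added example, not from the original paper: a Go program that signs a constructed transaction with ECDSA (one of the NIST-approved digital signature algorithms), shows that verification fails for a tampered message or under any other party’s key, and contrasts this with a shared-key HMAC, which either side of the channel could have produced and so gives integrity but not non-repudiation. The sample order text and the shared key are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateSigner creates a P-256 key pair. The private half stays with the
// signing party; only the public half is distributed (in practice inside a
// certificate issued by the PKI).
func GenerateSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message with SHA-256 and produces an ASN.1-encoded ECDSA
// signature over the digest.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify needs only the public key. It fails if the message was altered
// (integrity) or if it was signed with any other private key (authenticity),
// so a valid signature ties the message to the holder of that private key.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SharedSecretTag is the contrasting case: an HMAC computed with a key both
// parties hold. It protects integrity in transit, but either party could have
// produced it, so it cannot prove to a third party who sent the message.
func SharedSecretTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

func main() {
	// Constructed sample transaction; not real DoD data.
	order := []byte("PO-0001: 40 units, approved by contracting officer")

	signer, err := GenerateSigner()
	if err != nil {
		panic(err)
	}
	sig, err := Sign(signer, order)
	if err != nil {
		panic(err)
	}
	pub := &signer.PublicKey

	fmt.Println("genuine order verifies:      ", Verify(pub, order, sig))
	tampered := bytes.Replace(order, []byte("40 units"), []byte("400 units"), 1)
	fmt.Println("tampered order verifies:     ", Verify(pub, tampered, sig))
	other, _ := GenerateSigner()
	fmt.Println("another party's key verifies:", Verify(&other.PublicKey, order, sig))

	// Both sides of a shared-key channel compute the identical tag, so the
	// recipient could have forged it: integrity yes, non-repudiation no.
	shared := []byte("constructed-shared-key")
	fmt.Println("recipient can recompute HMAC:",
		bytes.Equal(SharedSecretTag(shared, order), SharedSecretTag(shared, order)))
}
```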
Developing a Long Term Security Strategy
The Department of Defense has a unit dedicated to establishing, disseminating, and
perpetuating a strategy for Cyber, Identity, and Information Assurance (CIIA). The strategy was first
issued in 2004 and has experienced substantial growth since its inception. The Department of Defense
has leveraged the power of the United States President in developing a unified, top-down mission for
securing enterprise operations over the Global Information Grid. It has also formed partnerships with
various Federal agencies to support the strategy, a “comprehensive national cybersecurity initiative,”
which has as its main objectives the protection of Federal networks and the deterrence, mitigation, and
anticipation of cyber threats (8).
As part of the strategy for CIIA, the Department of Defense has launched a National Military
Strategy for Cyberspace Operations (NMS-CO) for use by all of the Department’s command units and
components as a blueprint for planning, executing, and resourcing cyberspace activities (15). The
Department relies heavily on the GIG for its missions and operations; without it, it has no
long-lasting viability. The GIG is the Department’s primary network highway; the Department uses it to
conduct business transactions, contract services, access medical records, deploy intelligence plans,
control and disseminate commands, and develop weapons and tools critical to its success (8). The
strategy for CIIA and the NMS-CO are put in place to handle the complex tasks of providing the
necessary levels of availability and access, all the while creating safeguards against an endless
stream of attacks.
“The Department of Defense (DoD) relies on cyberspace to achieve national military objectives in
the areas of military, intelligence, and business operations. This reliance provides adversaries a
ready avenue of approach to exploit cyberspace to gain strategic, operational, and tactical
advantages over the United States. The cyberspace domain is complex and evolves at astonishing
rates, increasing the challenge of ensuring strategic advantage… The NMS-CO is an important first
step toward ensuring our own freedom of action in this contested domain while denying the same to
our adversaries.” (15)
The Technologies of Risk Control
There are several layers of technologies used to control and mitigate risk. The first level
of information security is a firewall. Firewalls act as a barrier between non-trusted networks
and the networks that need to be protected (10). Firewalls use a variety of tools to prevent
malicious or suspicious content from coming through, and they must be configured carefully to
ensure that they allow and block content correctly. One of the weaknesses of firewalls is that
they can only block content according to the configurations set by the systems administrators
(16). One of the tools used by the Department of Defense is a network firewall that allows secure
access to knowledge sharing. In an effort called milSuite, the Department has created a way for
the entire organization to share and collaborate in ways that were not possible before; it bases
its model on social media and knowledge sharing platforms (17). In addition to milSuite, the
Department utilizes an application-level firewall to meet minimum security requirements. The
Department’s overall firewall strategy utilizes hybrid technologies and consists of dedicated
machines and routers that perform several functions, including dynamic packet filtering,
application proxy functions, virtual private networks, and RSA authentication techniques (18).
The next component of securing information in a system is an Intrusion Detection
System (IDS). The Department of Defense directive requires an IDS and Intrusion Prevention
System (IPS) on Local Area Networks (LAN) and Wireless Local Area Networks (WLAN). The directive
states that these tools are to be put in place to assess vulnerabilities and to alert on attempts
to exploit the Department’s networks (19). The Navy employs two types of IDS: NetRanger and
RealSecure. NetRanger detects unauthorized activity at the boundary layer and reports it to the
Fleet Information Warfare Center in Norfolk, VA. RealSecure provides a detection mechanism for
large naval ships and reports incidents to the ship’s systems administrators (16). This
dual-system policy enables attacks to be detected both by the central agency at home and by naval
commanders at sea.
Another key tool in securing information is cryptography, and the military is a noted
user of this tool. The Department of Defense relies on cryptography to carry both classified
and unclassified information across the Grid. Cryptography requirements are set forth by the
National Security Agency, a division of the Department of Defense, and standards are published
as Federal Information Processing Standards (FIPS). The Department employs RSA Security solutions
for its cryptography requirements.
The Department of Defense directive states that the Department shall implement a
unified Public Key Infrastructure (PKI) to maintain digital certificate issuance, authorization, and
disposal. The Department can only use digital certificates that it issues in its PKI and must use it
for authentication, verification of digital signatures, and data encryption (20). This policy
ensures that the Department’s information and networks retain their authenticity, integrity, and
confidentiality.
Cyber Warfare and the Information Battlefront
In response to escalating attacks on information assets of the military and its business
partners, the Pentagon announced that it will consider all means necessary to thwart and
respond to attacks in cyberspace, just as it would to attacks on U.S. soil. This stance is echoed
by military leaders, spokespeople, and the Commander in Chief, President Barack Obama. Under a
strategy issued by the White House this month, any force available—including military,
economic, and diplomatic—will be used to defend the United States, its allies, and the interests
of safety and freedom (21).
One of the most formidable adversaries to the U.S. and its information security objectives is
found in the People’s Republic of China; however, it is unclear whether attacks in recent years
are state-sponsored or initiated by independent Chinese groups. Secretary of Defense Robert
Gates admitted in 2007 that Pentagon computer networks were taken down by cyber attacks, and
placed blame on the Chinese People’s Liberation Army (22). The ring of hackers codenamed ‘Titan
Rain’ in the United States has performed several orchestrated attacks on systems belonging to
the Department of Defense, and Pentagon sources report more than three million scans per day of
the Global Information Grid. They report that China has downloaded 10 to 20 terabytes of data
from the Non-Classified IP Router Network, seeking ways to enter the network through a
vulnerable entry point or stolen credentials (23). The prevailing sentiment is that the Chinese
agenda is spurred by rhetoric hostile and contrary to U.S. objectives, and as such, China will be
a key adversary to monitor in coming years (22).
A possible implication of modern warfare in cyberspace is that, in addition to defensive
tactics, offensive tactics may be deployed. The U.S. and its allies are under constant threat, but
some instances may indicate a proactive approach using cyberspace to deter rogue regimes from
developing weapons of mass destruction. One example is the Stuxnet virus that thwarted
uranium-enrichment activities in Iran. The virus attack is generally attributed to military
collaboration between Israel and the United States. The attack caused uranium-enrichment
centrifuges to spin out of control, causing a loss of about 1,000 such centrifuges, or roughly
20%. The virus infiltrated the Iranian intrusion detection systems and caused them to allow the
attack to go unnoticed.
Trends
In order to defend its supply chain and its security mechanisms, the Department of
Defense is looking for new ways to speed up the deployment of new technologies for controlling
cyber risks. The Department’s largest contractors have been making large bids to acquire
cybersecurity firms. In the past year, BAE Systems has spent billions on such acquisitions,
buying up Norkom Group, Detica, ETI A/S, and Stratsec.net. Also in 2011, Raytheon bought Applied
Signal Technology for half a billion dollars. Raytheon also bought BBN Technologies. Boeing
purchased Argon ST for $775 million. Lockheed Martin and Northrop Grumman have stated plans to
acquire cybersecurity experts. The Department announced that it will devote $3.2 billion of its
2012 budget to cybersecurity. Actual spending may be even higher (24). These figures include plans
to sustain the conventional information assurance qualities (availability, confidentiality,
authenticity, integrity, and non-repudiation) and also plans to avert any yet-to-be-defined
threats posed to national security as a result of cyber activities (24).
Conclusion
The Department of Defense, its subsidiaries, and its business partners have awakened to
the urgent need to secure their information networks. The frequency and complexity of threats
are on the rise, and it is an integral part of the Department’s mission to stay abreast of,
monitor, and control the risks posed to its information systems. The conventional elements of
information assurance (availability, confidentiality, authenticity, integrity, and
non-repudiation) are as important now as ever. Without guaranteeing them, the Department cannot
continue to operate with information carried over the Global Information Grid. By far the most
important factor in achieving and maintaining them is a top-down policy that emphasizes and
provides all the education and training necessary to succeed. Security in the military is like
all other military functions: it follows the chain of command; it starts with the Commander in
Chief, the President of the United States of America, and trickles down to every officer and
member of the world’s greatest military organization.
Bibliography
1. Shah, Anup. World Military Spending. Global Issues. [Online] May 2, 2011. [Cited: June 20, 2011.]
http://www.globalissues.org/article/75/world-military-spending#USMilitarySpending.
2. Jansen, Mark. U.S. Military Invaded by Hackers, Future Weapons Systems at Possible Risk. Financial Feed.
[Online] May 28, 2011. [Cited: June 20, 2011.] http://www.financialfeed.net/u-s-military-invaded-by-hackersfuture-weapons-systems-at-possible-risk/853274/.
3. Arthur, Charles. Cyberwar Heats Up with Pentagon's Virtual Firing Range. guardian.co.uk. [Online] June 17,
2011. [Cited: June 20, 2011.] http://www.guardian.co.uk/technology/2011/jun/17/pentagon-virtual-firing-range.
4. Fischer, Sebastian and Reissmann, Ole. Germany Arms Itself for Cyber War. Spiegel Online. [Online] June 16,
2011. [Cited: June 20, 2011.] http://www.spiegel.de/international/germany/0,1518,768764,00.html.
5. Banusiewicz, John D. Deputy Secretary Lynn Details Anti-Cyber Threat Strategy. Military Avenue. [Online]
American Forces Press Services, June 16, 2011. [Cited: June 20, 2011.]
http://wiki.militaryavenue.com/Articles/Deputy+Secretary+Lynn+Details+Anti-Cyber+Threat+Strategy-37369.aspx.
6. Department of Commerce. Standards for Security Categorization of Federal Information and Information
Systems. National Institute of Standards and Technology. [Online] February 2004. [Cited: June 20, 2011.]
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.
7. Secretary of Defense and Deputy Secretary of Defense. About the Department of Defense. U.S. Department of
Defense. [Online] [Cited: June 20, 2011.] http://www.defense.gov/about/#mission.
8. Lentz, Robert F. Deputy Assistant Secretary of Defense for Cyber, Identity, and Information Assurance Strategy.
Information Assurance Support Environment. [Online] August 2009. [Cited: June 20, 2011.]
http://iase.disa.mil/policy-guidance/dasd_ciia__strategy_aug2009.pdf.
9. Department of Defense. U.S. Army Reserve Element. Defense Information Systems Agency. [Online] [Cited: June
20, 2011.] http://www.disa.mil/mps/usare.html.
10. Whitman, Michael E and Mattord, Herbert J. Principles of Information Security. Third. Boston : Course
Technology, 2009. 978-1-4239-0177-8.
11. Army.com. E-mail Phishing Targeting DoD Bank. Army.com. [Online] October 17, 2007. [Cited: June 20, 2011.]
http://www.armyreal.com/articles/item/3318.
12. Drew, Christopher and Markoff, John. Data Breach at Security Firm Linked to Attack on Lockheed. The New
York Times. [Online] May 27, 2011. [Cited: June 20, 2011.]
http://www.nytimes.com/2011/05/28/business/28hack.html?_r=1.
13. —. Lockheed Strengthens Network Security After Hacker Attack. The New York Times. [Online] May 29, 2011.
[Cited: June 20, 2011.] http://www.nytimes.com/2011/05/30/business/30hack.html.
14. Stewart, Phil and Wolf, Jim. Worm that attacked US military refuses to die. Dawn.com. [Online] The Dawn
Media Group, 2011. [Cited: June 20, 2011.] http://www.dawn.com/2011/06/17/worm-that-attacked-us-militaryrefuses-to-die.html.
15. Chairman of the Joint Chiefs of Staff. The National Military Strategy for Cyberspace Operations. US Army War
College. [Online] December 2006. [Cited: June 20, 2011.]
http://www.carlisle.army.mil/DIME/documents/National%20Military%20Strategy%20for%20Cyberspace%20Operations.pdf.
16. Smith, Lt. Cmdr. Irene M. Military Report on the Computer Security Threat. Dark Government. [Online] 2011.
[Cited: May 30, 2011.] http://www.darkgovernment.com/news/military-report-on-the-computer-security-threat/.
17. Heininger, Claire. Platform Provides Collaboration Behind Firewall. U.S. Department of Defense. [Online] [Cited:
June 20, 2011.] http://www.defense.gov/news/newsarticle.aspx?id=63083.
18. National Security Agency. Validated Product - CyberGuard Firewall/VPN Version 6.1.2. The Common Criteria.
[Online] June 24, 2005. [Cited: June 20, 2011.] http://www.niap-ccevs.org/st/vid3035/.
19. Department of Defense. Commercial Wireless Local-Area Network (WLAN) Devices, Systems, and
Technologies. Defense Technical Information Center. [Online] November 3, 2009. [Cited: June 20, 2011.]
http://www.dtic.mil/whs/directives/corres/pdf/842001p.pdf.
20. —. Public Key Infrastructure (PKI) and Public Key (PK) Enabling. Defense Technical Information Center. [Online]
May 4, 2011. [Cited: June 20, 2011.] http://www.dtic.mil/whs/directives/corres/pdf/852002p.pdf.
21. Aashish. The Pentagon ready to fight for Cyber Attacks on US Army. Tech Extant. [Online] June 1, 2011. [Cited:
June 20, 2011.] http://www.techextant.com/the-pentagon-ready-to-fight-for-cyber-attacks-on-us-army/.
22. Keller, John. The importance of military information security. Military and Aerospace. [Online] October 1, 2007.
[Cited: June 20, 2011.] http://www.militaryaerospace.com/index/display/article-display/309174/articles/militaryaerospace-electronics/volume-18/issue-10/departments/trends/the-importance-of-military-informationsecurity.html.
23. Onley, Dawn S and Wait, Patience. Red storm rising. Government Computer News. [Online] 1105 Government
Information Group, August 17, 2006. [Cited: June 20, 2011.] http://gcn.com/articles/2006/08/17/red-stormrising.aspx.
24. Defense Industry Daily, LLC. DoD Cybersecurity Spending: Where’s the Beef? Defense Industry Daily: Military
Purchasing News for Defense Procurement Managers and Contractors. [Online] June 14, 2011. [Cited: June 20,
2011.] http://www.defenseindustrydaily.com/dod-cybersecurity-spending-wheres-the-beef-06882/.