1
Background—Naval Network-Centric Operations, Information Assurance, and Current Cyberthreats

NETWORK-CENTRIC OPERATION AND ITS DEPENDENCIES

Multiple definitions exist for the term “network-centric,” all being largely equivalent. To be specific, in this study the National Research Council’s (NRC’s) Committee on Information Assurance for Network-Centric Naval Forces adopts the following definition from prior NRC reports conducted under the auspices of the Naval Studies Board (NSB):

Network-centric operations are military operations that exploit state-of-the-art information and networking technology to integrate widely dispersed human decision makers, situational and targeting sensors, and forces and weapons into a highly adaptive, comprehensive system to achieve unprecedented mission effectiveness.1,2

The NSB’s report Network-Centric Naval Forces further characterizes network-centric operations in the following manner:

Forward deployment of naval forces that may be widely dispersed geographically, the use of fire and forces massed rapidly from great distances at decisive

1 Naval Studies Board, National Research Council, 2000, Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C., p. 1.
2 For additional reading on this topic, see National Research Council, 2006, C4ISR for Future Naval Strike Groups, The National Academies Press, Washington, D.C., pp. 36-37; and National Research Council, 2005, FORCEnet Implementation Strategy, The National Academies Press, Washington, D.C., p. ix.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.


locations and times, and the dispersed, highly mobile operations of Marine Corps units are examples of future tasks that will place significant demands on networked forces and information superiority. Future naval forces must be supported by a shared, consolidated picture of the situation, distributed collaborative planning, and battle-space control capabilities. In addition, the forces must be capable of coordinating and massing for land attacks and of employing multi-sensor networking and targeting for undersea warfare and missile defense.3

The idea of network-centric operations4 has become centrally embedded in naval concepts and plans for operations. This is manifested, for example, in the stand-up of the Naval Network Warfare Command and the evolution of the Marine Corps Network Operations and Security Command. It is also apparent in the development and use of the FORCEnet concept; the program priorities of the Office of the Chief of Naval Operations (N6) and Marine Corps; program development by the Assistant Secretary of the Navy for Research, Development and Acquisition (ASN[RDA]); and experiments conducted in the Trident Warrior experimentation program.

Since network-centric operations involve, for example, the synchronized execution of distributed operations and the widespread sharing of situational awareness and decision-making data, they require a dependable underlying information and communications infrastructure. This requirement is made explicit in the three goals for network-centric operations that the Assistant Secretary of Defense for Networks and Information Integration has established for the entire Department of Defense (DOD):

Goal #1—Make information available on a network that people depend on and trust.
Goal #2—Populate the network with new, dynamic sources of information to defeat the enemy.
Goal #3—Deny the enemy comparable advantages and exploit weaknesses.5

FORCEnet can be regarded as the naval means for achieving the goals listed above. It is envisioned by the Navy and Marine Corps as the naval element of

3 Naval Studies Board, National Research Council, 2000, Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C., p. 12.
4 The Department of Defense uses the term “net-centric” rather than “network-centric” in its more current documents. For the sake of editorial consistency, this report will use the term “network-centric” as it first appeared publicly in a 1998 U.S. Naval Institute Proceedings article entitled “Network-Centric Warfare: Its Origin and Future,” January, by VADM Arthur K. Cebrowski, USN, and John Garstka.
5 Written statement by Lt Gen Charles E. Croom, Jr., USAF, Director, Defense Information Systems Agency, before the U.S. House Armed Services Committee, April 6, 2006. Available at . Accessed November 11, 2008.

the Global Information Grid (GIG) jointly existing on the GIG with other non-FORCEnet elements. This concept envisions that naval forces will be an integral part of a much larger joint, coalition-based, interagency and commercial network that will enjoy magnified support opportunities from the network because of its expanded scope. Within the GIG, naval nodes will be tightly integrated with non-naval nodes. Naval nodes will rely on information and services provided by non-naval elements, just as they will contribute uniquely naval capabilities to the wider GIG.

The following examples of network-centric operations make explicit their dependency on a dependable underlying information and communications infrastructure:

• Synchronized execution of operations—depends on connectivity among distributed force elements. Examples of such operations are those executed according to the Marine Corps concept for distributed operation of small units.6
• Situational awareness drawing from distributed sensors—depends on connectivity for data access and on the integrity of those data. An example of such situational awareness is the air and undersea “picture” maintained by naval strike groups.
• Combat system operation responsive to the command-and-control system—depends on fault-free operation of hardware and software and on the integrity of data. An example of such a combat system would be that controlling the defensive missiles aboard an Aegis cruiser.
• Distributed, collaborative planning—depends on connectivity for collaboration among command elements and for access to data and services to develop courses of action, and on the integrity of those data and services. An example of such planning would be that conducted for naval forces as part of joint operations in regional warfare (e.g., scenarios that might occur in Iraq or Afghanistan).
• Supporting data drawn from a large variety of distant sources—depend on reach-back connectivity to the continental United States and other distant locations, and on the integrity of data received. An example of such data would be intelligence, surveillance, and reconnaissance data collected by national means.

The disruption or denial of computation or communications connectivity and the corruption or destruction of data would highly degrade or even render ineffective the network-centric approach to operations. The greater the dependence on information-sharing and communications capabilities, the more attractive become attacks against them—by both highly sophisticated and less sophisticated adversaries—to undermine U.S. operations. As a result, information assurance (IA), provided by protecting information and communications systems against the threats of adversaries, is seen as a vital

6 Commandant, U.S. Marine Corps (Gen Michael W. Hagee, USMC). 2005. A Concept for Distributed Operations, Headquarters, U.S. Marine Corps, Washington, D.C., April 25.

part of network-centric warfighting capabilities.7 The FORCEnet Functional Concept states this need as follows:

FORCEnet must therefore include the capability to protect command and control activities against efforts to deceive, exploit or otherwise attack them. This capability should include the abilities to detect, locate, and identify hostile information operations, defeat or counter those efforts, and mitigate the effects of successful hostile efforts. Information assurance also applies to accidental corruption of information. It should include the ability to recover to an earlier information state from any kind of information corruption.8

Both the current and future potential threats that must be confronted to realize these objectives and thereby ensure the successful execution of network-centric modes of operation are substantial, as the next section describes. Box 1.1 describes the unique naval mission element requirements of Sea Strike, Sea Shield, Sea Basing, Expeditionary Maneuver Warfare, and Sea Warrior, Sea Enterprise, and Sea Trial as they relate to naval forces’ IA.

NATURE OF THE CYBERTHREAT

The cybersecurity threat environment, in terms of possible attack techniques, is effectively limitless. Many malicious exploits have been identified that have taken advantage of military information systems environments. Comprehensive implementation of information assurance practices must protect against a significant portfolio of potential threats. This section describes in a manner appropriate for public release the understanding of the threat developed by the committee.

Broad Categorization of Threat Types

At the top-most level, the cyberthreat can be broken into four types: as described below, they involve remote access, close access, life-cycle or supply chain insertion, and insiders. The intended purpose of these threats is to disrupt system functions (e.g., degrading or denying communications connectivity), to modify data (e.g., corrupting or falsifying data), and/or to steal data.

1. Remote access. Remote access refers to penetrations of or other disruptive actions to an information system gained through that system’s connectivity

7 In the committee’s work, cybersecurity vulnerability and information assurance vulnerability are viewed as inseparable and are therefore treated in this report as equivalent.
8 ADM Vern Clark, USN, Chief of Naval Operations; and Gen Michael W. Hagee, USMC, Commandant of the Marine Corps. 2002. FORCEnet: A Functional Concept for the 21st Century, Department of the Navy, Washington, D.C., February 2. Available at <http://www.navy.mil/navydata/policy/forcenet/forcenet21.pdf>. Accessed November 10, 2008.

BOX 1.1
Naval Missions and Information Assurance: A FORCEnet Viewpoint

Operationally, FORCEnet refers to the systems and processes for providing effective networked naval command and control in the 2015-2020 time frame. Command and control constitute the means and methods by which a commander recognizes what needs to be done in any given situation and sees that appropriate actions are taken. Every area of naval warfare, as described in the Naval Operating Concept for Joint Operations, Naval Power 21, Sea Power 21, and Marine Corps Strategy 21, will require FORCEnet to provide command-and-control functionality as follows:

• Sea Strike: FORCEnet will provide synchronization of distributed strike and assessment assets for Sea Strike’s projection of offensive power from the sea. The collection, integration, and dissemination of surveillance, targeting, planning, and assessment information will facilitate the decision-making process through real-time collaborative planning and intelligent decision aids. FORCEnet will support the Joint Task Force Commander’s task of coordinating and controlling the tempo and effects of complex and simultaneous joint assets and events. FORCEnet will enable the Commander to select and apply the most appropriate tactic and system to achieve the desired effect, whether kinetic, nonkinetic, strategic, operational, or tactical.
• Sea Shield: FORCEnet will enhance naval contributions to homeland defense and support assured access for joint, allied, and coalition forces overseas. Through capabilities provided by FORCEnet, Sea Shield will defend the sea battlespace and project defensive power from the sea over friendly forces ashore. FORCEnet will provide a common, integrated, user-tailored, and real-time operational picture coupled with rapid combat identification and near-real-time speed of command. Real-time collaboration and intelligent decision aids will complement all aspects of Sea Shield. FORCEnet will allow for threat engagements beyond a single platform’s organic capability, and will allow carrier and expeditionary strike groups to act as single integrated and distributed combat systems.
• Sea Basing: Sea Basing increases the operational maneuver space and independence of naval and joint forces, improves speed of maneuver and reconstitution, and facilitates personnel and logistics sustainment functions without vulnerable shore footprints. FORCEnet’s robust collaboration and planning capabilities and the seamless flow of large volumes of secure information supporting readiness, total asset

visibility, and sustainment will be key benefits to Sea Basing. FORCEnet capabilities will significantly enhance the ability of Marine forces to conduct Expeditionary Maneuver Warfare, Operational Maneuver from the Sea, and Ship to Objective Maneuver from a sea base. FORCEnet will allow joint commanders to exercise command and control in secure and mobile facilities, while allowing forces to arrive and be sustained on scene at maximum possible readiness. FORCEnet will yield access to information and total visibility and speed of delivery to Sea Basing activities for all classes of readiness and sustainment support.
• Expeditionary Maneuver Warfare: FORCEnet allows for collaborative planning while en route to and closing on objectives. FORCEnet will allow deployed forces to exchange critical information with other U.S., allied, and coalition forces during joint and combined operations. During ship-to-shore movements, forces that are virtually connected to the platforms from which they were launched, other forward-deployed forces, and distant sites will collect and share intelligence data for current and future operations. Forces will gain tremendous advantage through more rapid collection and dissemination of information, enabling more rapid and decisive decision making during sustained operations ashore. FORCEnet will incorporate appropriate capabilities from the Expeditionary Maneuver Warfare Capabilities List. FORCEnet will allow Marine forces to serve as the nucleus of, and provide an operating force for, a Joint Task Force Headquarters.
• Sea Warrior, Sea Enterprise, and Sea Trial: FORCEnet’s robust, collaborative, information sharing, distributed services, and decision superiority benefits will also extend to the non-warfighting enterprise domain. FORCEnet provides Sea Warrior with near-real-time information services for personnel and personnel management, training, medical support, professional growth, and other personnel considerations. FORCEnet provides Sea Enterprise with the ability to transform business and financial processes and to produce essential infrastructure efficiencies. FORCEnet extends to Sea Trial a shared and time-sensitive environment in which to collaborate and validate new concepts and technologies.

SOURCE: Department of the Navy Enterprise Architecture Management View. Available at . Accessed February 27, 2009.

to a publicly accessible network (e.g., the Internet). An example of these remote access operations would be ones conducted against systems on the Non-Classified Internet Protocol Router Network (NIPRnet). Depending on the techniques used, these operations could gain access to a limited set of the system resources (e.g., files owned by one user) or to all the resources on a local area network (e.g., those controlled by a system administrator). Short of actual penetration, the operations could cause a degradation of network connectivity (i.e., denial of service) either by flooding the interfaces to the external networks with large amounts of network traffic or by disabling the operation of some intermediate network components (e.g., routers). Perpetrators of these remote access operations run all the way from “script kiddies”9 through criminals and terrorists to world-class nation-state adversaries.

The number of attempted remote penetrations of U.S. government and naval systems has escalated over the past few years. The committee has had access to data and briefings indicating that these attempted intrusions into government and private networks have also become more sophisticated and more malicious. Such tactics as targeted “spear-phishing”10 are now a common occurrence.

Remote access operations are the most commonly discussed means of penetration or other degradation, probably because they are the most visible. That does not mean, however, that the other means of penetration may not have consequences that are just as serious, if not more so.

2. Close access. Close access refers to penetrations effected against “closed” (typically classified) systems—that is, those not directly accessible through public networks. The Secret Internet Protocol Router Network (SIPRnet) would be an example of such a network. Close access could be achieved through direct physical tapping established through human or mechanical means, or through electromagnetic interaction with the closed system. Access to these “closed” systems might also be possible through remote means that exploit software vulnerabilities, as such systems may only be logically, not physically, separated from the public networks.

Historically, the DOD has paid more attention to the detection of remote access penetrations than it has to close access detections, since the “closed” systems were felt to be safe by virtue of their physical and cryptographic isolation. Recently, for reasons discussed later, the DOD has begun to pay more attention to the possibility of close access penetrations.

9 “Script kiddie” is a term applied to an amateur hacker, typically one seeking opportunist exploits.
10 “Spear-phishing” is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear-phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear-phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient’s own organization and generally someone in a position of authority.
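The remote access discussion above singles out targeted spear-phishing, which footnote 10 characterizes as mail that appears to come from a trusted source, typically someone in authority inside the recipient’s own organization. The Python below is an added example, not code from the NRC report, showing how a mail gateway or a security operations analyst can screen message headers for the indicators that characterization implies: a display name matching a known internal sender but carrying a different address, a Reply-To that steers replies outside the organization, a sender domain that is a near-copy of the internal one, and an envelope sender (Return-Path) whose domain disagrees with the visible From. The organization domain example.mil, the staff directory, the indicator labels, and the four sample messages are all constructed for this example.

```python
"""Screen e-mail headers for spear-phishing indicators.

Added example, not code from the NRC report. The organization domain, the
internal sender directory and the sample messages are all constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.mil"  # constructed organization domain
# Constructed directory of display names an attacker might impersonate
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example.mil"}
# Digits commonly swapped for letters in lookalike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_internal(domain: str) -> bool:
    """True if a non-internal domain imitates the internal one."""
    if domain == INTERNAL_DOMAIN:
        return False
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return normalized == INTERNAL_DOMAIN or _levenshtein(domain, INTERNAL_DOMAIN) <= 1


def spear_phish_indicators(raw_message: str) -> list[str]:
    """Return the indicator labels found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    found: list[str] = []

    # Display name of a known insider, but not that person's address
    expected = INTERNAL_DIRECTORY.get(" ".join(from_name.lower().split()))
    if expected and from_addr.lower() != expected:
        found.append("display-name-mismatch")

    # From: claims the internal domain while replies are steered outside it
    reply_domains = {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    if from_domain == INTERNAL_DOMAIN and any(d != INTERNAL_DOMAIN for d in reply_domains):
        found.append("external-reply-to")

    # Sender domain is a near-copy of the internal domain
    if looks_like_internal(from_domain):
        found.append("lookalike-domain")

    # Envelope sender (Return-Path) domain disagrees with the visible From: domain
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and _domain(return_path) != from_domain:
        found.append("return-path-mismatch")
    return found


# Constructed sample messages; only the headers matter to the screen
SAMPLE_MESSAGES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.mil>\n"
        "Return-Path: <jane.doe@example.mil>\n"
        "Subject: Meeting agenda\n\nAgenda attached.\n"
    ),
    "impersonated_name": (
        "From: Jane Doe <jane.doe@mail-relay.test>\n"
        "Return-Path: <bounce@mail-relay.test>\n"
        "Subject: Urgent request\n\nPlease review the attachment.\n"
    ),
    "steered_reply": (
        "From: Jane Doe <jane.doe@example.mil>\n"
        "Reply-To: <jane.doe.office@webmail.test>\n"
        "Return-Path: <bulk@webmail.test>\n"
        "Subject: Re: Travel orders\n\nReply to my other address.\n"
    ),
    "lookalike_domain": (
        "From: IT Support <support@examp1e.mil>\n"
        "Return-Path: <support@examp1e.mil>\n"
        "Subject: Password reset\n\nFollow the link.\n"
    ),
}


def screen_samples() -> dict[str, list[str]]:
    """Run the screen over every constructed sample message."""
    return {name: spear_phish_indicators(raw) for name, raw in SAMPLE_MESSAGES.items()}
```

Each indicator on its own is weak; a staff member really can set a personal Reply-To, and mailing-list relays legitimately rewrite Return-Path. The value is in combining them with the footnote’s observation about authority: a message that impersonates a senior name, arrives from outside the organization, and asks for action is the case worth routing to an analyst, and the directory lookup is what lets the screen prioritize those names over the general population.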

3. Life-cycle (or supply chain) insertion. Life-cycle insertion is the surreptitious insertion of modified hardware or software components into network components and information systems during their manufacture or maintenance.11 The purpose of the inserted components would be to provide “back doors” for clandestinely exfiltrating information or, on receiving some sort of cue, disrupting the operation of the networks or information systems. These risks stem from the fact that potential adversaries play a key role in the offshore development and life-cycle support of commercial off-the-shelf (COTS) technology components12 that are a critical part of the DOD’s information architecture. Such activities have provided the basis for actual cases of embedding disabling technologies as part of seemingly normal technology products. This risk is exacerbated by certain adversaries who have the necessary design skills to embed disabling technologies in ways that are extremely difficult to discover and who are able to incorporate disabling technology updates at the normal and rapid rates of product enhancement. Life-cycle insertion activities thus pose a serious threat because they are beyond the hypothetical and, if applied in certain operational circumstances, can significantly reduce U.S. military warfighting capability.

4. Insiders. Insiders are individuals within an organization who have access to its information systems and networks and who act in some way to the detriment of the system. They range from legitimate users who carry out harmful acts inadvertently to individuals who act with highly malicious intent. An inadvertent user could be one who, unknown to that individual, inserts a memory stick containing “malware” that would allow a compromise of the information system and associated network, potentially including “closed” networks. Instances of such activities have been regularly reported.13 A malicious user could be one recruited by a foreign intelligence agency or other adversarial party who would provide that agency or party with access to the network. In the worst case, this recruited insider would be one who has special knowledge of the technical details of the network or the information held on it and who passes that information on to a foreign intelligence agency. Recently,

11 Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou. 2008. “Designing and Implementing Malicious Hardware,” Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, Calif., April. Also available at . Accessed February 18, 2008. See also, Defense Science Board, 2007, Mission Impact of Foreign Influence on DOD Software, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., September.
12 The committee defines commercial off-the-shelf (COTS) technology to include commercial open-source developments.
13 For example, see Bill Whitney and Tara Flynn Condon, 2008, “Five Ways Insiders Exploit your Network,” NetworkWorld, May, at . Accessed November 10, 2008.

the DOD has emphasized the need for increased counterintelligence activities to protect against this class of threat.

Examples of Cyberthreats

Commercially available cybersecurity tools are predominantly reactive in the sense that they are used to address known vulnerabilities and threats that have been identified and characterized. Security patches are a major part of the current reactive response process. Patches are developed and deployed to address vulnerabilities that have been exploited and identified, but do not address zero-day attacks.14

Exploits that are “noisy” are relatively easy to identify. Increasingly, exploits are being discovered that are “quiet” by design, as the motivation for malicious code has moved to hacking for money and to running covert operations for gaining intelligence. As a result, well-resourced teams of engineers are designing, implementing, and vigorously testing malicious codes prior to releasing them, not unlike well-funded commercial software development firms.15 These threats are very difficult to discover because they are engineered to live in harmony with the host while evading host-level sensors.

Figure 1.1 provides some examples of cyberthreats. As seen in the figure, these threats and their variants are growing rapidly. No limiting factor has been identified that can be expected to “cap” the threat environment. As discussed above, commercial technology responses to these threats are primarily reactive and hence, at best, can barely keep up with the advancing threats. The situation for the Department of the Navy (DON) is worse because its technology deployment processes are generally slower than those of commercial industry.16 The preceding observations are summarized in the following finding.

FINDING: Cyberthreats change on a timescale much shorter than the typical Department of Defense acquisition life cycle for developing and deploying

14 A “zero-day” attack takes advantage of targeted computer application vulnerabilities before a patch has been created or applied. It is named zero-day because it occurs before the first day the vulnerability is disclosed.
15 Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou. 2008. “Designing and Implementing Malicious Hardware,” Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, Calif., April. Also available at . Accessed February 18, 2008.
16 For example, a 2007 report from the Navy’s Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I) states that the average age for Navy C4I networks is 6.7 years, and the average time to market for new capabilities is 2 to 3 years. See <http://www.afcea-sd.org/C4ISR2007SymposiumArchive/C4ISRDownloads/2007C4ISRPresentations/Day%202/Day%20PM%20Keynote/070523_AFCEA_Symposium_FINAL.ppt>. Accessed February 26, 2009.

[Figure 1.1 graphic, not reproduced. Recoverable labels: a 2001-2013 timeline running from signature-based toward behavior-based detection capability, charting linear growth of malware followed by explosive growth of malware variants (about 100 malware detections per week in 2002, about 2,600 per week in 2007, a 300 percent malware increase in 2008, one new driver written every 4 minutes); increased sophistication (rootkits, polymorphic malware, runtime packers, encrypted malware that lives and executes in running memory, anti-malware-detection obfuscation, automated tools, foreign-language malware, black-market PII, supply-chain chip interdiction, instant malware capability via chat, password stealers, the STORM worm, IO live-fire exercise, hacking of OSD, Naval War College intrusions); new technology risk (VOIP, Blackberry, P2P, wireless, Web 2.0, virtualization, IPv6, a projected 2016 IPv6 threat); user-introduced risk (unauthorized software such as IM and P2P, personal computers and flash drives on the network, spillages, the insider threat); and incidents noted on the timeline (2007 as “year of the browser,” the May 2007 attacks on Estonia with common hacker tools, the JMSDF Aegis data spill via P2P “Winny” malware, Lenovo and communications cable “hotels,” and the acquisition of cyber businesses).]

FIGURE 1.1 Trends in the growing quantity and sophistication of adversaries’ cyberthreats and cyberattacks. NOTE: Acronyms are defined in Appendix A. SOURCE: RADM(S) David G. Simpson, USN, Director, Navy Networks, Deputy Chief of Naval Operations, Communication Networks (N6), “Next Generation Enterprise Network (NGEN) and Consolidated Afloat Networks and Enterprise Services (CANES),” presentation to the committee, May 29, 2008, Washington, D.C.

cybersecurity technologies. Several trends presented to the committee point to continuously increasing risks from these threats. Because the Navy is increasingly conducting warfighting using commercial information technology systems, these cyberthreats represent a serious threat to the Navy’s warfighting capability.

Employment of Cyberattacks by Potential Adversaries

Reports of computer network intrusions by various adversaries continue to increase. Likewise, estimates of the number of adversary nation-states and other bodies (e.g., terrorists) skilled in the necessary computer technology to conduct intrusions are also increasing.17 Significant among the reports of intrusions are numerous penetrations of networks owned by the U.S. government. Although these intrusions may not explicitly be attacks (i.e., they may not lead to damage or destruction of information or network resources), they require the same expertise and techniques required for computer network attack, including denial-of-service and data-corruption attacks.

Attribution of computer network intrusions is difficult, and it is very hard to be sure if any particular intrusion was conducted by a particular foreign government or other adversarial party. Nonetheless, special attention is currently being paid to the People’s Republic of China (PRC). The Annual Report to Congress: Military Power of the People’s Republic of China, 2008, prepared by the Office of the Secretary of Defense, states the following:

In the past year, numerous computer networks around the world, including those owned by the U.S. Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack. Although it is unclear if these intrusions were conducted by, or with the endorsement of, the PLA [People’s Liberation Army] or other elements of the PRC government, developing capabilities for cyberwarfare is consistent with authoritative PLA writings on this subject.
• In 2007, the Department of Defense, other U.S. Government agencies and departments, and defense-related think tanks and contractors experienced multiple computer network intrusions, many of which appeared to originate in the PRC.
• Hans Elmar Remberg, Vice President of the German Office for the Protection of the Constitution (Germany’s domestic intelligence agency), publicly accused China of sponsoring computer network intrusions “almost daily.” Remberg stated, “Across the world the PRC is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their [sic] technological gaps as quickly as possible.” Referring to reports of PRC

17 John Rollins and Clay Wilson. 2007. Terrorist Capabilities for Cyber Attack: Overview and Policy Issues, Congressional Research Service, Washington, D.C., January 22. Available at <http://www.fas.org/sgp/crs/terror/RL33123.pdf>. Accessed February 11, 2009.

OCR for page 12
23 BACKGROUND

infiltration of computer networks of the German government, German Chancellor Angela Merkel said, “we must together respect a set of game rules.” Similarly, in September 2007, French Secretary-General of National Defense Francis Delon confirmed that government information systems had been the target of attacks from the PRC.

• In addition to governments, apparent PRC origin network intrusions targeted businesses. In November 2007, Jonathan Evans, Director-General of the British intelligence service, MI 5, alerted 300 financial institution officials that they were the target of state-sponsored computer network exploitation from the PRC.18

Cybersecurity vulnerabilities are necessitating the introduction of entirely new warfighting doctrine. This fact is illustrated by the following extract on Chinese thinking from Air Force and the Cyberspace Mission: Defending the Air Force’s Computer Network in the Future:

China’s ability to wage cyberwar against the United States is no longer speculation; it occurs daily and is growing exponentially. Two Chinese colonels wrote a paper in 2002 titled Unrestricted Warfare, wherein they candidly proposed using cyber attack as a new form of warfare against the United States. In their paper, they analyze United States military power and assess operations over the past decades and conclude “today, the independent use of individual technologies is now becoming more and more imaginable. The emergence of information technology has presented endless possibilities for match-ups involving old and new technologies and among new and advanced technologies.”19

An important set of recent events involving Russia, Estonia, and Georgia also provides visibility with respect to the possibilities of more aggressive uses of cyberattacks as a complement to other elements of nation-state conflicts. Three cyberattack methodologies used during these events were reported in the press: first, the use of denial-of-service attacks to complicate the ability of adversaries to respond to a situation; second, through the use of the Internet, the rapid voluntary recruitment of participants to contribute to cyberattacks; and third, taking advantage of the confusion surrounding these activities, which makes it both complicated and time-consuming to accurately assess what is really happening, including attribution.

While the degree of accuracy of the above events in the specific press reports

18 Office of the Secretary of Defense. 2008. Annual Report to Congress: Military Power of the People’s Republic of China, 2008, Washington, D.C., pp. 3-4.

19 Shane P. Courville, Lt Col, USAF. 2007. Air Force and the Cyberspace Mission: Defending the Air Force’s Computer Network in the Future, Occasional Paper No. 63, Air War College, Center for Strategy and Technology, Maxwell Air Force Base, Ala., December. Available at . Accessed November 10, 2008.
can be argued,20,21 each of the three uses is available to potential combatants, and the degree of use can certainly be escalated without incurring major costs or requiring long buildup times. Consequently, the committee recognizes that while the full-throttle use of these techniques has not yet been experienced, preparation for significant situations involving such methodologies is nonetheless necessary.

Need for Enhanced Analysis of Future Threats

It is well understood that the development of naval platforms must be supported by projections of future physical threats to those platforms (e.g., antiship missiles, undersea detection). Such threat projections are routinely provided by naval intelligence and the larger intelligence community. Similarly, projections of future cyberthreats are required for the development of platforms and information systems. All presentations to the committee on the subject of cyberthreat, however, focused almost exclusively on the current threat, apart from a few general examples of projected future threats (see, e.g., Figure 1.1).

The committee discussed this absence of future threat projections with representatives from program and acquisition management offices who briefed it. These representatives indicated that cyberthreat projections were absent at a level of detail that could support requirements specification and system design. Not all representatives were mindful of the need for specific cyberthreat projections, but some considered their absence to be a significant shortcoming in system development.

In the absence of threat estimates, platform designers need to postulate threats and then design to these postulated threats. The result can be that implementations of information assurance vary widely, possibly resulting in systems that are vulnerable to adversarial attack. This approach also can lead to an incoherent set of system designs when looking across the entire set of naval programs. The committee believes that cybersecurity future threat estimates are important and are needed in order to provide a complete and coordinated picture of cyberactivities that can then be factored into naval system designs. The preceding observations lead to the following finding.

FINDING: Intelligence community projections of future cyberthreats to naval systems do not appear to exist at the level of detail needed to support development programs focusing on cyberdefense technology insertion. Such future threat projections might be difficult to develop, given the rapidly changing nature of cybertechnology, but their development and an assessment of how they might

20 See Peter Finn, 2007, “Cyber Assaults on Estonia Typify a New Battle Tactic,” New York Times, May 19, p. A01; and John Markoff, 2008, “Before the Gunfire, Cyberattacks,” New York Times, August 13, p. A1.

21 Jason Sherman. 2008. “DOD Draws Lessons from Cyber Attacks Against Georgia,” Inside Defense, Washington Defense Publishers, November 10.
apply in a naval context are needed. Naval program officials who briefed the committee noted this absence and indicated the lack of future threat information to be a significant shortcoming for their program efforts. Development of the naval threat projections would require coordinated efforts across both the naval and the national intelligence communities.

Conceptual bases for characterizing physical threats to platforms are well developed and well understood. For example, an antiship missile is characterized by speed, maneuverability, radar cross section, operational tactics of employment, and so forth. In its investigations, the committee did not find an attempt to characterize cyberthreats in an analogous, conceptual way. Rather, threats are usually discussed in terms of specific examples. There appears to be no systematic taxonomy for characterizing and thinking about cyberthreats (beyond the very high level categorization of remote access, close access, and so on). This absence is one of the factors that makes future threat projections difficult to develop, as noted in the above finding.

One approach to such a taxonomy might be a “first principles” approach based on a systematic description of the points of vulnerability of generic systems. For example, to start, one recognizes that a network could be penetrated at its end hosts, intermediate nodes (e.g., routers, Domain Name Service servers), and connecting links (International Organization for Standardization layers 1 through 4). Each of those components is then decomposed further—for example, end hosts into operating systems, applications, and hardware—with each of those being decomposed further, and so on. Finally, given this vulnerabilities decomposition, one then postulates the nature of threats that could exploit the vulnerabilities. In this way one could come upon vulnerabilities that are not exploited now but could well be in the future. While the committee discussed the need for a taxonomy, based on the scope of this study it did not take steps to derive one.

Organizations involved in safety assessments and trade-offs regarding operations at risk, both within the Navy and outside the Navy (for example, the National Aeronautics and Space Administration, the Federal Aviation Administration, and the Nuclear Regulatory Commission), face issues similar to those faced by the IA community. The committee suggests that new methods can be developed by starting with well-seasoned methods and modifying them to deal with the unique aspects of IA risks.22

Any future systems development certainly should be mindful of assessing and addressing as necessary any potential future vulnerabilities identified in this manner. In addition, an understanding of these future vulnerabilities is necessary for guiding research and development (R&D) efforts to counter cyberthreats. R&D cannot just be directed against today’s threats. The preceding observations are summarized in the following finding.

FINDING: No systematic and widely accepted taxonomy for characterizing cyberthreats appears to exist. Such a taxonomy could be based on a first-principles characterization of the potential points of vulnerability of distributed systems. A systematic taxonomy is necessary for guiding research and development efforts and for assessing systems under development for their resilience against the whole threat spectrum.

ASSESSMENT OF CURRENT CYBER VULNERABILITIES

The vulnerability of naval and DOD systems is discussed in the context of the threat described above. This discussion is phrased in terms of trends.

Growing Use of Commercial Technology for Military Applications

The committee recognizes that the adoption of COTS technologies in the military for both mission-critical and noncritical systems is and will continue to be necessitated by economic advantages (related to economy of scale) and the advantage of speed to deployment when compared to custom-developed systems.23 However, with the widespread adoption of COTS technologies in mission-critical networks comes the shared risk of information technology (IT)-based attacks common to COTS technologies in these networks.24 For the military to gain both the economic and timely technological advantages of applying COTS communications and computing technologies (both hardware and software) to mission-critical systems, a corresponding set of IA risks must be taken and a corresponding set of IA strategies must be developed for managing those risks. With the adoption of COTS products, the DON also faces the added challenge of and concern with assurances regarding how their vendors treat the security of COTS products; in

22 For example, one potential approach to addressing vulnerabilities is the countermeasure characterization (CMC) process, as described by Lubbes, which provides both the system designers and the countermeasure developer a framework process for addressing system security requirements. See Herman O. Lubbes, Network Associates, Inc., 2001, “Countermeasures Characterizations Building Blocks for Designing Secure Information Systems,” IEEE 0-7695-1212-7/01, p. 103. Available at . Accessed February 24, 2009.

23 Additional advantages of using COTS in DOD systems include the fact that recruits are familiar with the products, which translates to potential savings and efficiencies in training.

24 For additional background, see Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou, 2008, “Designing and Implementing Malicious Hardware,” Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, Calif., April; “The State of Offensive Affairs in the COTS World,” at ; Brian Grow, Chi-Chu Tschang, Cliff Edwards, and Brian Burnsed, 2008, “Dangerous Fakes,” BusinessWeek, October 2, at ; and SecuriTeam™, Beyond Security, 2008, Kaminsky DNS Cache Poisoning Flaw (Exploit), McLean, Va., July 24. Available at . All accessed February 11, 2009.
particular, shared or open knowledge about both hardware and software products can provide adversaries with insights into how to break into systems or disable them at the critical times when they are most needed. Furthermore, foreign manufacturing of products provides opportunities for the insertion of mechanisms to enable break-ins or disruptions on command.25 In addition, the incentives of private industry to build COTS equipment are based on priorities that are different from those dictated by DOD and DON information assurance concerns.

Newer Directions in Commercial Information Technology and Naval Adoption

As computing hardware and software capabilities expand, commercial products are emerging that integrate more and more functionality into single products. Embedding user-developed application computing support into communication switches (such as the Cisco Application-Oriented Networking product line), providing for remote monitoring and control of systems (such as in Motorola’s Supervisory Control and Data Acquisition systems), and adding more and more functionality into operating systems (such as Microsoft’s Vista) are all examples of the trend toward greater integration. In addition, driven by immediate cost and system management advantages, COTS-based systems architectures continue to emerge that organize system administration, system management, and system service capabilities into more centrally manageable configurations. For example:

• Service-oriented architectures are permitting distributed hardware and software systems with centralized system management and administration,

• High-performance communications switches permit a single fiber-based local area network with logically controlled and isolated communications channels to replace multiple copper-based local area networks that are physically separated and have thus been administered and controlled separately, and

• The employment of automated software patching systems supporting commonly configured user machines enables automated support for rapid security patching.

A natural by-product of these trends is the adoption of more integrated commercial components into naval systems in order to gain the same advantages that commercial companies are interested in. Integration may in some cases reduce the likelihood of a successful attack; however, the potential consequences of a successful attack are greatly increased as a result of the expanded scope that the

25 Defense Science Board. 2007. Mission Impact of Foreign Influence on DOD Software, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., September.
attack might have as a result of the more extensive integration at the component and system levels.26 This study observes that this extrapolation is not hypothetical and that in fact it is in progress through a variety of naval system development activities (see Chapter 4). The discussion of this and the previous subsections is summarized in the following finding.

FINDING: The ever-growing use of commercial technology for military applications increases information assurance risks. Furthermore, the newer directions in commercial information technology (e.g., greater integration in single products) and naval adoption further exacerbate these risks.

Reactive Posture Against Cyberthreats

New cybersecurity threats and vulnerabilities are identified almost daily.27 As new vulnerabilities emerge, new initiatives have been introduced to counter

26 Recent articles published by the Carnegie Mellon Software Engineering Institute argue that as complexity grows, components of networked systems may sometimes process information from other systems whose intentions and trustworthiness are not always known. As a result, a hierarchical structure in a complex system has the undesirable property that every node and link of the hierarchy potentially constitutes a single point of failure for the system as a whole. That is, if the success of a function or system depends on the success of each of its components and subsystems, then an error, compromise, or failure in any one component propagates to the system as a whole and undermines system-wide success. See Carol Woody and Robert Ellison, 2007, “Survivability Challenges for Systems of Systems,” Carnegie Mellon Software Engineering Institute, No. 6, Pittsburgh, Pa.; and David Fischer and Dennis Smith, 2004, “Emergent Issues in Interoperability,” Carnegie Mellon Software Engineering Institute, Pittsburgh, Pa., No. 3. Both are available at <www.sei.cmu.edu/news-at-sei/columns>. Accessed February 25, 2009.

27 For example, see CyberInsecure.com (a posting of daily cyberthreats and Internet security news alerts), May 21, 2008: “An attack, demonstrated by Rich Smith from HP Systems Security Lab at the EUSecWest security conference in London, showed that embedded systems hardware can be damaged beyond repair. The attack could be carried out remotely over the internet”; May 12, 2008: “Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems. Instead of hiding a rootkit in the virtualization layer, the rootkit can be smuggled into System Management Mode (SMM), an isolated memory and execution environment supported in Intel chips that’s designed to handle problems such as memory errors”; November 20, 2008: “Recent increase in malicious code propagating via USB flash drives forced the US Army to suspend the use of USB and removable media devices after a worm began spreading across its network. Use of USB drives, floppy discs, CDs, external drives, flash media cards and all other removable media devices has been placed on hold in order to contain the spread of Agent-BTz, a variant of the SillyFDC worm”; and January 19, 2009: “According to warnings issued by Research in Motion (RIM), hackers can use booby-trapped PDF attachments sent to BlackBerry devices to launch malicious code execution attacks. The company shipped patches this week to address a pair of critical vulnerabilities affecting their product.” All accessed February 17, 2009. Weekly cybersecurity reports providing summaries and ratings of new vulnerabilities are also provided by the United States Computer Emergency Readiness Team; available at . Accessed February 17, 2009.
them. A common element of these initiatives is that they are reactive to the current threats; that is, there is no element focusing on possible future threats. Many of the presentations received by the committee recognized this reactive approach and expressed a desire to “get ahead” of the threat. Alternative approaches are needed to break out of this reactive mode. Despite a nearly universal desire to do so, the committee saw little evidence of efforts or a plan to develop such alternative approaches. The one significant exception is the beginning of approaches to support cyberdefense with cyber offense (see the discussion below).

The reactive posture is tied to the fact that naval IA strategy is currently based on “best commercial practices,” which are largely reactive, in the sense described above. The conservative nature of the commercial marketplace has defined best practices that fall short of the security needs of the military. For example, the broad commercial marketplace for routine nonsecure applications and use will not tolerate false alarms by antivirus scanners. This has led the industry to focus primarily on signature-based detection strategies that are highly accurate at detecting already-known threats but that are blind to new threats never seen before. Basing naval forces IA strategy solely on such commercial practices will result in a reactive IA strategy for naval forces that is incapable of achieving realization of the strategic desire to get ahead of the threat.28 Compounding this negative impact is the possibility that naval forces may face a significantly different threat from that confronting commercial industry, especially in a situation that could involve a nation-state conflict. The above discussion is summarized in the following observation.

FINDING: Naval approaches to countering cyber vulnerabilities are primarily reactive to threats, being based largely on commercial best practices. While DON representatives who met with the committee expressed the need to “get ahead” of the threat, the committee saw little evidence that approaches to do so were being actively pursued by naval personnel.

Layered Defense Strategy for Cybersecurity

The committee observed many references to the use of the “layered defense” (or “defense-in-depth”) approach to cybersecurity. In its ideal form, a layered defense has mutually supporting layers of security solutions within and among its IT assets—typically with overlapping domains so that a failure of one solution will not jeopardize the entire system—and would also include measures for both protection and detection. In actual fact, real-world controlled connection or

28 The committee was briefed on cyberdefense concepts being explored at both the National Security Agency and the Defense Advanced Research Projects Agency. These emerging concepts should help the DON address the need for a more proactive strategy.
air-gap implementations29 for cybersystems can sometimes be highly porous and subject to “end runs” by widely available technologies such as Universal Serial Bus (USB) drives and Wi-Fi connectivity.30 Defense in depth is critical because the effectiveness of individual layers cannot be assured, but one cannot assume that each layer will “get a shot” as would happen in the defense of physical assets (e.g., strike group defense against incoming antiship missiles).

Because it is connected to the Internet, the NIPRnet introduces particular vulnerabilities to the layered-defense approach. The relatively unrestricted NIPRnet to Internet connection, exacerbated by “non-official” uses of the NIPRnet, provides an opportunity for adversaries to seek out and exploit vulnerabilities that enable elevated privileges, allowing access to inner cyberdefense layers. Even without elevated privileges, adversaries can potentially disrupt many essential functions that are carried out on the NIPRnet. Although the full set of dependencies on the NIPRnet for mission-critical military operations was not established by the committee, logistics support on the NIPRnet was identified as an important aspect of naval operations that is subject to potential compromise by an adversary. The DOD is considering tighter restrictions on the NIPRnet; however, it seems that there are mixed views across both the DOD and DON about the risks of continuing with an integrated NIPRnet, many devaluing the IA concerns relative to other, morale-related benefits of its open use.

Summary Assessment of Vulnerabilities

There is a general recognition by the Department of the Navy of the seriousness of cybersecurity vulnerabilities, as evidenced by the commission of this study. This recognition has resulted in increased attention in this area, leading to many initiatives to improve the situation. Some of these initiatives are complete and have improved the cybersecurity posture of the DON. But naval forces are increasingly dependent on information technology systems that cannot be trusted. Mitigating the IA risks that result from this dependence will require additional approaches to supplement the reactive approach of following commercial best practices that prevails today. In the presentations that it received, the committee found little evidence of plans to develop such an alternative approach. Thus, the existing cyber vulnerabilities are expected to continue in the foreseeable future.31

Recognizing the plethora of possible attacks and the corresponding effort that it would take to defend against all of them, one would see that the future is defined by an attack/defense conflict that is mismatched, with the advantage heavily on the side of the attacker. In this environment, naval forces can expect that under circumstances defined by adversaries, new attacks will appear that result in the denial or disruption of network connectivity and the corruption and compromise of mission-critical data. Procedures to “fight through” such obstacles are being explored in the fleets, and the committee wishes to acknowledge these efforts and advocate their widespread development and deployment. This assessment is summarized in the following finding.

FINDING: While valuable information assurance initiatives have been implemented, DON and DOD sources have indicated, in general, a significant deficiency in the ability to defend against the wide array of possible cyber penetration threats.

IMPORTANT FINDINGS FROM RELATED STUDIES

Several IA-related studies conducted in recent years by Federally Funded Research and Development Centers and other organizations were discussed with the committee.32 A summary of these studies is included in Appendix D of the present report. In addition, the committee was briefed in depth on two important IA-related advisory board studies (see the subsections below). The committee found that the major themes derived by each of the studies, when taken together, should form an important part of the basis for the Department of the Navy’s development of a strategy for addressing its future IA needs.

Air Force Scientific Advisory Board Study

The key findings of a 2007 study by the Air Force Scientific Advisory Board (AFSAB)33 on the implications of cyberwarfare are the following:

29 An air-gap defense inserts a deliberate break, to be connected by manual action, in a link of the network (see Naval Studies Board, National Research Council, 2000, Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities, National Academy Press, Washington, D.C., p. 36).

30 For example, see U.S. Cyber Emergency Readiness Team, National Cyber Alert System, Cyber Security Tip ST08-001, “Using Caution with USB Devices,” updated November 4, 2008. Available at . Accessed February 23, 2009.

31 The nature of the changing status of information operations and the potential impact on public and private sectors, as well as on U.S. military forces, are described in numerous reports, including unclassified reports to Congress. For example, see U.S. Government Accountability Office, 2007, Cyber Crime: Public and Private Entities Face Challenges in Addressing Cyber Threats, Report to Congressional Requesters, Washington, D.C., June; John Rollins and Clay Wilson, 2007, Terrorist Capabilities for Cyber Attack: Overview and Policy Issues, Congressional Research Service, Washington, D.C., January 22; and U.S. Government Accountability Office, 2008, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588, Report to Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives (Table 2, p. 7, Sources of CyberThreats), Washington, D.C., July.

32 Michael McBeth, Office of Naval Research Advisor, and Lawrence Lynn, Center for Naval Analyses Representative, “Current Naval Research Information Assurance Studies,” presentation to the committee, April 28, 2008, Naval Network Warfare Command, Norfolk, Va.

33 Thomas F. Saunders, Chair, USAF Scientific Advisory Board Summer Study, “Implications of Cyber Warfare,” presentation to the committee, March 6, 2008, Washington, D.C.
• Forces are not prepared to fight through a sophisticated, covert cyberattack; and

• Commercial technology is not going to provide a solution for such attacks.

The AFSAB emphasized that vulnerabilities exploited by sophisticated cyberattacks are inevitable. Thus, the Air Force needs to be prepared with technologies and with operating concepts and procedures to “work through” such attacks. The findings of this committee are consistent with those of the AFSAB.

Defense Science Board Study

According to the Defense Science Board (DSB) study chairs, the findings and recommendations of the DSB study on information management for network-centric operations published in 2007 can be distilled to three points:34

• The combat information capability must be treated as a critical defense weapon system.

• Information assurance must be resourced and its risk managed accordingly.

• An innovative acquisition strategy is required to leverage commercial off-the-shelf information technology while managing the IA risks.

Like the AFSAB, the DSB believes that the “system and its capabilities will always be under attack and, as a result, will always be operated in either a degraded or compromised mode.”35 Given this belief and the DSB’s first finding, IA becomes a critical warfighting need, not just a support function. The DSB notes that information assurance enables mission assurance, and states that a formal risk management process is needed to assess the benefits of the added applications against the impact of the introduced information assurance threats.

The implementation status of recommendations from these reports is at various stages. However, many aspects of information assurance and related cyberwarfare operations are currently undergoing comprehensive reviews and policy updates by the DOD and each of the military services.

34 Defense Science Board. 2007. Defense Science Board 2006 Summer Study on Information Management for Net-Centric Operations, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., April, p. 7.

35 Defense Science Board. 2007. Defense Science Board 2006 Summer Study on Information Management for Net-Centric Operations, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., April, p. 88.
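The “first principles” vulnerability decomposition sketched under Need for Enhanced Analysis of Future Threats above (network into end hosts, intermediate nodes, and links; each decomposed further; threats then postulated per point of vulnerability) can be made concrete as a small tree walk with a coverage check. The following Python is an added example and is not code from the report or from any naval program; the component names, postulated threat classes, and recorded countermeasures are constructed for illustration. It goes one step beyond the text by sorting the resulting points of vulnerability into those that are mitigated, those with a postulated threat but no recorded countermeasure, and those nobody has examined yet, which is where the committee’s concern about unexploited future vulnerabilities lands.

```python
"""First-principles vulnerability decomposition with a coverage check.

Added example, not from the report. It follows the approach the text
sketches: a network is penetrable at its end hosts, intermediate nodes and
connecting links; each is decomposed further; for each resulting point of
vulnerability one postulates the threats that could exploit it. A coverage
report then lists the points that have a postulated threat but no recorded
countermeasure, and the points nobody has examined yet. All component
names, threat classes and countermeasures below are constructed for
illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Path = Tuple[str, ...]


@dataclass
class Component:
    """One node of the decomposition tree; leaves are points of vulnerability."""
    name: str
    children: List["Component"] = field(default_factory=list)

    def add(self, *names: str) -> "Component":
        """Attach leaf children by name and return self for chaining."""
        self.children.extend(Component(n) for n in names)
        return self


def build_decomposition() -> Component:
    """Generic network decomposition, starting from the three top-level
    penetration points named in the text (end hosts, intermediate nodes, links)."""
    hosts = Component("end hosts", [
        Component("operating system").add("kernel", "privilege model", "patch state"),
        Component("applications").add("browser", "email client", "mission software"),
        Component("hardware").add("firmware", "removable media ports"),
    ])
    nodes = Component("intermediate nodes", [
        Component("routers").add("routing protocol", "management interface"),
        Component("DNS servers").add("resolver cache", "zone data"),
    ])
    links = Component("links").add(
        "layer 1 physical", "layer 2 data link", "layer 3 network", "layer 4 transport")
    return Component("network", [hosts, nodes, links])


def leaf_paths(node: Component, prefix: Path = ()) -> List[Path]:
    """Every root-to-leaf path; each leaf is a candidate point of vulnerability."""
    path = prefix + (node.name,)
    if not node.children:
        return [path]
    return [p for child in node.children for p in leaf_paths(child, path)]


def _covered_by(leaf: Path, table: Dict[Path, List[str]]) -> List[str]:
    """Entries recorded on the leaf or on any of its ancestors apply to the leaf."""
    return [x for p, xs in table.items() if leaf[: len(p)] == p for x in xs]


# Constructed analyst input: the threat classes postulated for each point
# (the final step in the text) and the countermeasures currently recorded.
POSTULATED_THREATS: Dict[Path, List[str]] = {
    ("network", "end hosts", "operating system"): ["privilege escalation"],
    ("network", "end hosts", "applications"): ["malicious content"],
    ("network", "end hosts", "hardware", "removable media ports"): ["removable-media worm"],
    ("network", "end hosts", "hardware", "firmware"): ["supply-chain implant"],
    ("network", "intermediate nodes", "DNS servers", "resolver cache"): ["cache poisoning"],
    ("network", "intermediate nodes", "routers", "management interface"): ["credential misuse"],
    ("network", "links", "layer 3 network"): ["traffic interception"],
}
RECORDED_COUNTERMEASURES: Dict[Path, List[str]] = {
    ("network", "end hosts", "operating system"): ["patch management", "host IDS"],
    ("network", "end hosts", "applications", "browser"): ["sandboxing"],
    ("network", "end hosts", "applications", "email client"): ["attachment filtering"],
    ("network", "intermediate nodes", "routers", "management interface"): ["out-of-band management"],
    ("network", "intermediate nodes", "DNS servers", "resolver cache"): ["resolver hardening"],
    ("network", "links", "layer 3 network"): ["IPsec"],
    ("network", "links", "layer 4 transport"): ["TLS"],
}


def coverage_report(root: Component,
                    threats: Dict[Path, List[str]] = POSTULATED_THREATS,
                    controls: Dict[Path, List[str]] = RECORDED_COUNTERMEASURES,
                    ) -> Dict[str, List[Path]]:
    """Sort the points of vulnerability into three buckets:
    'unexamined'  - no threat has been postulated for the point at all;
    'unmitigated' - a threat is postulated but no countermeasure is recorded;
    'mitigated'   - a threat is postulated and at least one countermeasure exists."""
    report: Dict[str, List[Path]] = {"unexamined": [], "unmitigated": [], "mitigated": []}
    for leaf in leaf_paths(root):
        if not _covered_by(leaf, threats):
            report["unexamined"].append(leaf)
        elif not _covered_by(leaf, controls):
            report["unmitigated"].append(leaf)
        else:
            report["mitigated"].append(leaf)
    return report


if __name__ == "__main__":
    for bucket, leaves in coverage_report(build_decomposition()).items():
        print(f"{bucket} ({len(leaves)}):")
        for leaf in leaves:
            print("  " + " / ".join(leaf[1:]))
```

With the constructed tables above, the walk yields 16 points of vulnerability: 8 mitigated, 3 with a postulated threat but no countermeasure (mission software, firmware, removable media ports), and 5 never examined (routing protocol, zone data, layers 1 and 2, and layer 4, which has a recorded countermeasure but no postulated threat). The “unexamined” bucket is the output the text is after: it is produced by the structure of the decomposition rather than by a catalogue of known attacks, so it surfaces points that no current example happens to mention.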