WASHINGTON: Imagine a fighter squadron feverishly preparing to deploy to an overseas crisis — when all the lights on the airbase go out. Imagine a tank battalion stuck on flatcars because someone hacked the railroad switches between their base and the nearest port, or a destroyer stuck at the pier because a supplier with a scrambled inventory database sent the wrong parts for a critical repair.
Unlike Matthew Broderick in Wargames, it turns out hostile hackers don’t need to log in directly to some Pentagon supercomputer to wreak havoc on military operations. In a series of wargames with operational Combatant Commands, the Defense Department has discovered unexpected ways that otherwise well-protected weapons systems and military networks ultimately depend on much more vulnerable private contractors and civilian infrastructure.
“We’re finding you can be really secure in your network space and [still] lose a mission because an adversary can attack in one of those other layers,” said John Garstka, cyber director for undersecretary Ellen Lord, who oversees acquisition and sustainment of all Defense Department systems. “We now realize that, if our focus is on reducing the risk to mission at the combatant command level, we have to protect more than the traditional IT space.”
The new way of thinking is to look at the mission as the tip of a pyramid of supporting functions, what computer scientists call a “stack.” “We have a mission at the top,” Gorstka said, supported in turn by “weapons systems, traditional DoD networks, defense critical infrastructure, commercial critical infrastructure, and then the DIB [Defense Industrial Base].”
“An adversary can maneuver through any one of those spaces to degrade a mission” Garstka told a Federal Computer Week conference this morning.
“We’ve done three wargames with the Combatant Commands to help understand at the mission level what’s really important, because not all data is as important as other data,” Garstka continued. “I can’t talk with a great deal of specificity, but what I can say…. we’ve really focused on an element of cyberspace situational awareness that we think in many cases is lacking, [of] the relationship between your mission and different elements of a stack.”
The one scenario Garstka did mention was, “external power going out.” While fighter jets, tanks, and warships obviously store and generate their own power — at least as long as they have fuel — they depend on a base infrastructure that gets, by one estimate, 99 percent of its electricity from the commercial utilities via the civilian power grid. High-priority facilities get on-base backup generators, but these are inefficient, unreliable, and eventually run out of gas. Besides, generators are generally civilian equipment and therefore likely to have the same kinds of internet-accessible SCADA or other industrial control systems that often provide easy access to hackers.
Indeed, standard SCADA controls are found on all sorts of supporting systems. “One of the things that we’re doing as part of the cyber vulnerability assessments for defense critical infrastructure is getting an understanding of what our installed base is [in terms of] ICS/SCADA, understanding what your suppliers are and where those assets are deployed,” Garstka said. Because the Pentagon doesn’t reinvent the wheel and develop its own infrastructure from scratch — which would be ruinously expensive — such systems tend to be made of “Lego blocks” that are commonly found in the commercial world and possess common vulnerabilities, he said, in contrast to military-unique weapons systems.
What Garstka didn’t mention is that, as private sector information technology races ahead of the defense sector, the military is increasingly hiring commercial service providers, routing its communications over commercial networks and even piggybacking small military payloads on commercial satellites. It’s even possible that some military bases may have such off-the-shelf weak points as security cameras with key components made in China — some of which have actually been sold via the government’s own GSA catalog by vendors falsely claiming they were made elsewhere.
Garstka and his collaborators are analyzing the potential dependencies and vulnerabilities using modeling software called Dagger, which the government owns and can make available to contractors. “It helps you establish the relationships between, for example, external power, different elements of your network stack, your dependencies on your critical infrastructure, and [what happens] if you lose something because of a cyber attack or you have external power going out,” he said. “That is an area where we see a lot of opportunity for improvement.”