WASHINGTON: Cybersecurity — it’s not just for networks anymore. The trend towards what’s called “the Internet of Things” means targets can be anywhere.
“If there is a computer in something, it can be cyber-attacked, and we need to be able to harden it and defend it,” the Pentagon’s Deputy Chief Information Officer for Cybersecurity, Richard Hale, told me on Monday. “Whether the computer is on a desk or in a medical device or in the engine of a jet airplane, that computer has to be designed to be as resistant to attack as possible, it has to be configured securely every second, [and] it’s got to be able to be updated as quickly as possible.”
There’s a lot of cybersecurity angst over the impending Internet of Things, in which everything from refrigerators to self-driving Google Cars is connected to the web. If everything’s connected, the theory goes, everything is vulnerable. But, as Hale made clear, bad guys needn’t wait on the Internet of Things. We should start worrying now, because a device doesn’t have to be intentionally connected to the Internet to be inadvertently left open to cyber attack
The Iranian nuclear facility at Natanz wasn’t connected to the outside world, for example, but the Stuxnet virus appears to have gotten to it via a thumb drive. Treason or simple carelessness could reach a US military system the same way. The malware could also hitch a ride aboard the computerized diagnostic tools that maintainers periodically plug into every tank, missile launcher, and jet fighter. A sophisticated adversary might even insert a virus without physical contact by transmitting it into a radio receiver or radar antenna.
“Every acquisition that DoD does needs to worry about cybersecurity,” Hale told me. “We’ve got to design and manage each of these computers… whether it’s in airplane or on my desk.”
“The Joint Staff has recently put out a formal requirement document that includes cybersecurity as a key part of the survivability key performance parameter [KPP]” for every new system, Hale said. The CIO staff and the Pentagon’s top procurement officer, Undersecretary Frank Kendall, “have jointly written a guidebook for acquisition programs on how to better secure things with embedded computing systems” — that is, chips built into weapons systems rather than what a layperson would recognize as a computer.
Improving security on embedded systems is just part of a larger rethinking of cybersecurity across the entire department. With embedded systems, engineers once imagined that chips built into weapons systems were protected by their isolation: They weren’t on a network, so they weren’t vulnerable to attack. With networked systems, engineers focused on firewalls, anti-virus software, and other perimeter defenses to keep the enemy out of the network. In both cases, the strategy was keeping the enemy out — but that’s no longer enough.
“We’re trying to have a more dynamic concept [of defense], Hale told me, “a more dynamic management of the whole infrastructure, in order to give us better sharing with partners and at the same time give us stronger dependability” in the face of attack.
“We still use firewalls [and] perimeter defense,” said Hale, but those only address one stage of an attack: the enemy’s attempt to infiltrate malware into the network. Before even attempting infiltration, for example, a sophisticated hacker will scout out the target system, looking for vulnerabilities: see where it connects to the Internet, what software it uses, and so on. “We want an infrastructure for the department that can change its look to the outside world,” Hale said, concealing key features so as to make reconnaissance harder.
Conversely, even if the reconnaissance and infiltration succeed, malware still has to take multiple steps before its attack succeeds. The malware needs to install itself on the target computer, then run, and usually, to get online and find its masters — a “command and control server” somewhere — so it can send them information and receive instructions. “We have options for disrupting that attack at each of those stages,” Hale said.
Even if the malware gets firmly established, finds sensitive files, and transmits copies back to its masters, that information is useless to the bad guys if it’s strongly encrypted. (It’s kind of like a safecracker finally figuring out the right combination — only to discover the only thing inside the safe is another, smaller safe). The Defense Department has long encrypted sensitive transmissions between systems, Hale said — codes and codebreaking were a major aspect of World War II — but now the military’s increasingly encrypting data stored inside systems as well.
Finally, if an infection does take root, the network needs to keep it from spreading. “We also want an infrastructure that’s designed to contain an attack,” Hale said. That requires creating “zones” within the network. Each zone can be tailored to support a particular kind of mission with particular security requirements: Working with relief groups in a disaster zone requires much more open communication with outsiders than a counterterrorist strike, for example. Each zone is also at least partly cordoned off from the others. And operators can quickly change how a particular zone works — adding more computing power, for example, or tightening security, or cutting it off from the rest of the network — in response to changing mission demands or cyber threats.
In the past, this kind of customization, compartmentalization, and reconfiguration would have required physically plugging and unplugging different devices. Modern “software-defined” networks make it much easier. “Some of the technologies we are deploying right this moment,” said Hale, such as Joint Regional Security Stacks (JRSS), “help give us some of these zoning and maneuver options in much richer ways than we had 10 years ago.”
Instead of speaking of networks in terms of static arrangements of interconnected hardware, Hale and other defense officials increasingly speak of dynamic systems that can maneuver. They speak of cyber operations and of cyberspace as a domain alongside the older domains of land, air, sea, and space. But do such traditional military terms really translate to the cyber world, I asked?
“I think they translate usefully,” Hale told me, “but just like other areas of warfare, other domains, the devil is in the details of the domain.”
You need specialized technology and training to operate in cyberspace, just as in the air, at sea, or in space. Just as air strikes, naval bombardment, or satellite reconnaissance can support troops on the ground, activities in cyberspace can support — or disrupt — operations in every other domain.
The difference, said Hale, is the intimacy of the interconnection. Yes, the sea touches the land, the air covers them both, and space looks over all, but cyberspace is everywhere: every ship at sea, every plane, every satellite, every tank, every radio in a soldier’s hand has some kind of chip in it.
“It is richly interconnected,” Hale told me. “We have to stay cognizant of the deep connection between the cyber domain and all the other warfighting domains. [Cybersecurity is] about defending our ability to execute the mission in every domain.”
Then in long run, cyber warfare may move from a supporting role to a lethal one. As more and more systems are connected — intentionally or not — to the Internet, as in the forthcoming Internet of Things, it becomes easier and easier for a cyber attack to do physical damage, said Hale: “That looks just like warfare to me.”
An earlier version of this story dropped the word “deputy” from Mr. Hale’s title and misidentified him as the Defense Department CIO; he is actually Deputy CIO for Cybersecurity. I apologize for the error.