Twitter Facebook Google RSS

As Military Becomes More Reliant On Networks, Vulnerabilities Grow 

10  2,005 

By Joe Pappalardo 

As the Defense Department pursues programs dependant on global computer networks, government officials warn that the current methods of ensuring information security are not commensurate with the threats against them.

If these problems are not addressed, the Pentagon could spend $200 billion during the next 10 years on a network with serious vulnerabilities, according to security experts.

Part of the catchphrase “net-centricity” refers to the ability to link small units with current information, and in return quickly derive data from every soldier, vehicle and sensor in the field. This type of system would change how military operations are planned and executed, since more information would be available to users at the moment they need it. Everything from immediate targeting intelligence to the reordering of supplies would be sped up and automated.

The ambitious Global Information Grid, meant to connect all of Defense Department’s information systems to each other and to civilian entities, depends on secure connections.

“The GIG enterprise offers significant advantages and efficiencies to war fighters … But all of this requires the users to have trust in the information,” said J. Michael Johnson, chief of the information assurance office of the National Security Agency, which has the lead in securing the network. “Our adversaries will attack it.”

Threats to the network range from nation-state sponsored hackers, organized crime groups, terrorist operations, traitors pulling inside jobs and unintended mistakes by users. Nightmare scenarios include the enemy’s ability to change coordinates of missiles while in flight, tamper with automated logistics by routing useless items to the front or expose the military’s plans for an impending operation. “Even weather information could be a tip off,” Johnson warned.

That makes security a key issue. The term “information assurance” is used to encompass both the availability and safety of the data flowing between users. Current strategic planning, including the Quadrennial Defense Review, is taking a more serious look at building stronger safeguards into military systems and equipment.

“I don’t think you can find information assurance in a previous QDR,” Johnson said. “This time it’s a significant topic.”

But officials at a defense technology conference hosted by Infonex Defense described a military that, from Pentagon brass to contractors, is having a hard time grasping ways to counter threats to information security.

In the future, every piece of equipment and every person will need the equivalent of an identifying IP (internet protocol) address. But in many cases, the idea of tagging all data, users and hardware to a common standard is met with service isolationism. “The technology is there, the policy is there, but the people aren’t there yet,” said Navy Capt. Jeffrey Burtch, director of the information assurance program at the office of the secretary of defense. “People are still in a rice bowl. ‘That’s my network. You can’t touch it.’ ”

Burtch described his effort to bring greater information security to the Pentagon as an uphill struggle, but one in which he painfully is gaining ground.

The future may witness significant funding, he revealed, citing a figure hovering at about $500 million for a dedicated, department-wide effort. “That number changes every time I get back to my email,” Burtch said. “I spend much of my time fighting budget wars.”

The 2006 budget slated $30.1 billion for Pentagon IT programs. Many of these are GIG-related, such as the Global Information Grid-Bandwidth Expansion program ($877 million), Transformational Satellite Communication ($836 million) and Net-Centric Enterprise Services ($79 million.)

Estimates of the GIG’s total cost over the coming decade tip the scales at $200 billion.

Education and awareness are important, he said, but money is critical to improving information assurance. Even though the commercial financial services markets have a lower, but still robust, number of threats against their information technology, they spend an average of 14 to 25 percent of their IT budgets on security.

By comparison, the Department of Defense spends only 7 percent of its IT budget on security, even though it must contend with intrusions from foreign powers, terrorist networks and spies, as well as the same slew of crooks and hackers who target banks.

Asked if the military is leveraging commercial technologies used to protect civilian nets, Johnson responded, “We are dependant on it.”

He added that Pentagon teams evaluate where government funds could best be spent to tackle problems unique to defense and intelligence information security.

The level of awareness in the military to the risk of cyber attacks is growing courtesy of tough education during war games, when “red teams” simulating adversaries wreak havoc by compromising networks. It isn’t necessary to take down an entire system to damage military operations, the experts at the conference agreed. Once the system is shown to be hacked, no information on it can reliably be trusted. In a net-centric operation, that could mean total calamity.

Burtch said that prior to his assignment protecting systems, he worked with the Navy to attack enemy networks. As an example of this tactic’s usefulness, he cited the targeting of communications of the Iraqis during Operation Desert Storm. By disrupting the Iraqis’ secure networks, the United States was able to push communications into less secure channels and clogged their limited bandwidth, providing keen advantages to U.S. troops, he said.

But the possibility that such techniques could be used against the United States is one not eagerly faced by program managers, contractors and mid-level military officials. For example, the Army must overcome cultural dilemmas in securing its systems, and officials often treat information assurance requirements as mere paperwork that has to be filled out to achieve certification, said Ted Hendy, director of information assurance and security engineering at U.S. Information Systems Engineering Command.

“We need to put security back in information assurance,” he said. “It’s not there.”

Many Army program officials do not think to build information assurance into an Army system from the start, he said. This is the unintended consequence of the structure adopted by the Pentagon to certify military information technology, Hendy said.

By aligning the Defense Department’s Information Technology Security Certification and Accreditation Process with another authorization agreement, “information security got pushed way to the back,” he said.

This occurred because security became lumped into the same paperwork as overall accreditation—just another bureaucratic hoop for contractors and program managers to jump through on the way to developing and fielding a piece of equipment.

Lost in the process was the role of security specialists who could help engineers design software, hardware, equipment and training procedures that would tighten security from a product’s inception, he said. Also forgotten, he added, was planning for updating and sustaining security on the product through its lifespan.

This is increasingly important in a networked environment, in which “a risk taken by one is shared by all,” Hendy said. “We need to know not just what risks are to your system, but what risks your system imposes on the rest of the GIG.”

Other consequences of lax security include a lack of forensic tools to assist the 1st Information Operations Command in tracing back the source of an attack, he said.

Hendy highlighted more problem areas, including a lack of centralized Pentagon tracking of the risks to networked systems, an overall dearth of recovery plans, little enforcement of information assurance provisions in private sector contracts and a dependence on commercial technology that does not meet military standards.

To those worries, Burtch added a reliance on foreign workers. “Ninety percent of the code running on our machines is written off-shore, mostly in friendly countries, for now,” he said. “Who knows in five years?”

The U.S. military is faced with state-of-the-art equipment rendered useless on the battlefield by a hacker halfway around the world, making the financial investments necessary, Burtch said. This is a message he said he delivered to officials at the Pentagon: “I’d like you to have one less tank to have this done the right way.”

  Bookmark and Share