NASHUA, N.H. – Encryption and securing data have been a concern for a long time. This year an increasing number of cyber attacks, more refined attackers, and changes in the way the U.S. military connects devices from across services all added wrinkles to the data battleground.
The threat categories are many. Vehicle loss or capture, data loss or transport, nation state hackers or internal threats all can threaten or intercept data at rest, data in motion and physical technology. On top of basic measures to separate data, like virtual private networks, supply chain resilience and new frontiers like artificial intelligence and quantum computing are a big part of the conversation today.
You’ve likely seen the Pentagon’s $10 billion JEDI cloud services contract in the news, due in part to big-name big-budget rival partners Microsoft and Amazon. In July, the Pentagon canceled the cloud contract, saying “due to evolving requirements, increased cloud conversancy, and industry advances, the JEDI Cloud contract no longer meets its needs.” However, the U.S. Department of Defense (DOD) still plans to solicit both tech giants for the program’s replacement, the Joint Warfighter Cloud Capability (JWCC).
This new project will be the central pillar of Joint All-Domain Command and Control (JADC2), the Pentagon’s plan to connect all cloud-enabled intelligence, surveillance, and weapons systems across all services. JADC2 will include some artificial intelligence (AI), to the tune of an expected $874 million allocation in 2022. The Pentagon expects to make the direct rewards for it around April 2022, and open it up to wider competition around 2025.
Also in the news is a plug-in security solution for the U.S. Army, the Air and Missile Defense Workstation (AMDWS), produced by Northrop Grumman Corp. and announced as a $21.7 million contract in September. This software suite is designed to improve decision-making for Army commanders.
What do adversaries want?
Protecting digital assets goes hand-in-hand with protecting physical ones.
“In the context of military systems, the U.S. wants to preserve its tech advantage,” says Steve Edwards, director of secure embedded systems at the Curtiss-Wright Corp. Defense Solutions division in Ashburn, Va. “In a lot of cases the attacker is after the algorithms or software that’s running on a system that would provide that kind of advantage … whether it’s some unique radar-tracking algorithm or image-processing algorithm. In some cases it’s the data the system collects.”
The number of attacks, furthermore, is rising. Last march the FBI’s 2020 internet crime report showed the number of internet crime complaints reported rose 69.4 percent year over year.
It’s generally recommended to use multiple security layers for encryption and authentication. Those could include usernames, passwords, two-factor authorization, or as many as three- and four-factor authentication. As in the commercial world, this tactic is gathering under the name zero trust.
The products with the most defense interest in this area are those with cyber security by the U.S. National Security Agency (NSA) in the agency’s Commercial Solutions for Classified (CSfC) encryption.
“There is a huge volume of attacks now,” says Dominic Perez, chief technology of the Curtiss-Wright PacStar business unit in Portland, Ore. “Attacks add a lot of noise to actual threats. Someone might be knocking on the door, which might obscure the really sophisticated actors. You have the risk of your encrypted tech being captured and used decades from now. That’s where the CSfC duel layer concept comes in.”
The NSA’s CSfC program replaces the previous requirement for organizations with classified data requirements either to build or purchase an NSA Type-1 certified solution. It aims in part to reduce bottlenecks during development created by the time-consuming and expensive Type-1 process. It’s a way for the latest commercial technologies to be on a short list of approved products, replacing Type-1’s practice of submitting each solution individually.
Curtiss-Wright experts have first-hand perspective on the changes in commercial-military partnerships because a 1990s-era directive for the industry to use commercial-off-the-shelf (COTS) project was the impetus for the Defense Solutions division to exist.
“The CSfC program itself came about and has been in an upward direction in terms of number of entrants both from a vendor and customer perspective. CSfC is a whole ecosystem [which has come along with the] increase in number of vendors, increase in number of people approved,” says Steven Petric, senior product manager for data storage at Curtiss-Wright.
That in turn shows “validation to the need that’s out there and the growth that’s required. Threats are prevalent and new programs are being required to have a NSA-approved encryption solution,” Petric says.
Other U.S. approval processes in this area include the National Information Assurance Partnership (NIAP) and the Protection Profiles required as part of the Common Criteria for Information Technology Security Evaluation.
The problem of time
Another factor is time; if an adversary captures a piece of defense hardware, it has all the time in the world to try to crack it.
“Time is definitely a factor,” Edwards says. “It’s a question of how long it takes [the adversary] and how much effort they have to put into it. So we’re upgrading military systems every three or five years [when there is] a new capability or feature or hardware. If we can prevent the attacker long enough to the point where we don’t care anymore, that’s a win for us. Or we make it so expensive that they lose interest because they don’t have the financial resources or the manpower to go attack it.”
Robin Wessel, CEO of CRU Data Security Group (CDSG) in Vancouver, Wash., notes that there is something of an arms race happening related to keeping the data on drones secure.
“There is a lot of focus on ensuring, for example, if a drone were to get knocked out by a countermeasure behind enemy lines that that data is secure and protected.” Although that data is likely encrypted behind multiple barriers, the enemy has all the time in the world to crack it.
“It’s potentially a ticking time bomb for customers or users. With our technologies incorporating multiple layers of tech, to ensure that they might infiltrate one of the safe guards but to get both becomes exponentially more difficult. I like to think of it as a moat behind a castle. We draw the drawbridge up,” CDSG’s Wessel says.
Commercial or specialized?
As in other areas of defense electronics this year, the industry has seen some gradual changes in the relationship between commercial and defense products and business partners. However, with only certain providers meeting the NSA’s CSfC standards, the options are limited.
“Traditionally, users had two options: on one extreme highly commercial COTS in the truest sense,” CDSG’s Wessel says. “Parts that have very, very short shelf lives so to support very, very long programs was difficult They didn’t meet a number of the critical certification requirements that cyber security officers and defense agencies require. Or they were not available in the form factors necessary for implementation. On the commercial end it was priced very nicely, but very incompatible through implementation and lacks certification.”
The other option, he says, comes from traditional defense-centric organizations that manufacture drives, which are more specialized but often much more expensive.
“As a result usually their form factors and the technologies they implement are one to two generations behind because this market is very fast-paced,” Wessel says.
Therefore, he notes, those more expensive products may not be as good a fit for a world in which the COVID-19 pandemic has pushed more organizations to go digital. That, in terms, increases the number of nodes and clients attackers could target.
Other standard commercial technologies in common use in defense applications include secure boot, which validates and authenticates an operating system and all the points it has to trust. Aaron Frank, senior product manager in the C5ISR business unit of Curtiss-Wright, named Intel Boot Guard and Intel Trusted Execution Technology (TXT) as commercial products that apply in this space, as do security Field Programmable Gate Arrays (FPGA) devices.
Data at rest
Along with having the right accreditation and making sure vehicles don’t fall into adversaries’ hands, another element of protecting data at rest is watching for where physical hardware might be simply carried away.
The threat landscape has expanded to every laptop or mobile phone carried by a warfighter or representative. During the Jan. 6 insurrection at the U.S. capitol, a laptop belonging to the House Speaker Nancy Pelosi was stolen. The laptop was used only to make presentations, making it a good example of how physical assets can put data at risk at rest and how sequestering critical data provides an initial barrier to entry.
“One of the most common ways defense departments and government protected data was through physical means,” Wessel says. “Taking the drive and removing it from the computer works great because when you air gap something, move it to a physical area, it’s pretty hard to hack that data offline. But [outside the office, this] is impractical. Imagine work from home. What are they going to do, stick the drive under their mattress? They may have mobile devices or thin and light laptops that it may be difficult to remove those drives.
“Sensors, drones, vehicles, portable C&C systems — all have copious amounts of data because they’re connected to sensors or networked across domains where they’re trying to share data with other systems. So, they’re storing lots of data locally.”
To prevent an attacker from physically removing chips, Wessel’s company CDSG includes special coding on drives that mark evidence of tamper. This extends to “even making boards non-probeable,” Frank says. “You can’t actually get access to signals on the board.”
However, important precautions like these can also create tension between keeping data safe and allowing for access by the people who are supposed to be looking at it.
“For example, a data officer is looking at Facebook or Instagram for threats,” Wessel says. “You want to keep that network separate from, let’s say, a classified network. But they want to see both kinds of that information in one place. In the past to do that you’d literally have a computer for unclassified, another computer with classified intelligence; literally separate computers. You can imagine how complex that set up is, a wall of monitors, tangled cables, a pile of boxes. So there’s been a real focus on what’s called cross-domain or multi-domain solutions. What it’s doing is using virtualization to display multiple types of operations on one computer instead of five computers.”
And that requires a lot of protection, which goes back to the necessity of encryption, multiple layers of security, and Common Criteria.
Data in motion
When it comes to data in motion or transit, including on the private and secured cloud used for military applications, many tried-and-true protection measures haven’t changed. Encryption algorithms and public keys remain important. However, what has changed in the last year is that there is a renewed focus on security and on not only how powerful we can make tools, but on how to use them correctly.
As Curtiss-Wright’s Perez says, “There’s no point in having the beefiest lock on your bicycle if it’s too much of a hassle and you never lock it up when you go into the store.”
In addition, decision makers are more familiar with CSfC now, although it still is a specialized area within the industry. “Not a lot of commercial vendors are really aware of it or outside of a small group within these vendors … their field application engineers may not be as conversant,” Perez says. “So, when you try to integrate technology from multiple vendors, such as from CSfC, you have to find a subject matter expert who understands the technology and the complexities of pulling all these things together.”
Another aspect of this is ensuring your data in motion protections are practical for warfighters in the field. There has been a lot of development on even the basic work of clarifying terminology in this area lately, Curtiss-Wright’s Perez says. The people actively using the technology need to be able to understand and use it without knowing every piece of the underlying infrastructure.
“VPNs are still the primarily technology for protecting information in transit,” Perez says. “Everyone these days probably uses a VPN to connect to the office. But those are a client-to-server technology, and there’s a whole industry around these. Device to device VPN when you’re protecting industry is harder. You need to identify the algorithms that are going to be used and how that stuff’s going to be authenticated.”
One way in which Curtiss-Wright experts see the convenience of today’s security tools is in automatically highlighting government-required renewals. PacStar’s IQ-Core Software, a management software application which Curtiss-Wright demonstrated in October can manage its Data Transport System (DTS1) rugged secure NAS device, includes automatic warning for expiration periods among it user-facing capabilities.
Quantum computing soon may be part of this conversation as well. As of now, quantum computers are too rare and too specific to their own industry to have to worry about attacks that effect large-scale situations. However, professionals are starting to have conversations about what quantum attacks and defenses look like. Perez says tremendous amounts of power and effort are being put into exploring this. However, that leads to some impracticalities. As he says, no one right now is looking to put a $1,000 lock on a $100 bicycle.
A lot of cyber security companies in the commercial space are currently pushing the concept of zero trust, a strategy in which data is assumed untrustworthy until proven otherwise.
“They call it zero trust but it all boils down to trusting something,” Perez says. That might involve something such as trusting a platform module device on hardware.
He also predicts that Microsoft’s focus on secure booting is going to switch from consumer to industry to military. Microsoft also recently made another big shift in terms of cyber security for its consumer products, pushing more options to log in without a password.
“What we’re finding is that commercial zero trust applications and solutions work really, really well in the commercial environment but may not always work very well in military downrange austere environments, denied environments,” Wessel says. It’s often about authentication, and common to authentication as a schema in commercial zero trust is pre-boot authentication for devices. That doesn’t work if you need to authorize a laptop downrange.
CDSG addresses this with their DIGISTOR Citadel solid-state drive family of data storage products, which have a pre-boot authentication layer to access the drive. Unlike commercial solutions that would require a network to authorize, this one is local and can be administrated in other ways.
Wessel notes that some of the customers he speaks to believe zero trust and other elements of the latest requirements are too expensive. Instead, they rely on DOD waivers.
“The other thing is, I hate to say it, but zero trust in the military environment … is slow moving,” Wessel says. “They still depend highly on their traditional schemas of security. Very often what I have experienced from talking to program managers or program executive offices is it’s kind of a ‘don’t ask don’t tell’ a bit in terms of they’re often not up on the latest requirements.”
‘Shifting left’ and what’s next
One message the experts we spoke to wanted to give to customers in particular is that security should be included toward the beginning of the design process for new infrastructure. Include a subject matter expert at the beginning in what is known as ‘shifting left,’ or a bringing a task usually performed toward the end of a process closer to the beginning.
“Security needs to be architected in up front,” says Edwards. “Whether that’s hardware based, [or] cyber security, however you want to define it. It’s going to be much more seamless and lower cost if it’s thought though up front.”
Listening to security experts at the beginning instead of the end of the process can also save money, he says.
Another important element to remember is that a layered approach is always better. Think about security at every stage, including boot security, application security and everything in between.
Customers don’t understand how to implement security all the time, says Frank. “Everybody need some level of security in programs today. It really requires the systems designers and the integrators to understand where they need the security. Where are their vulnerability points? And do a security assessment. Maybe it’s data at rest, maybe data in motion, maybe for the ability for some malicious content to be added coming off the web, something like that. The most imprint part is for our customers to understand where they are vulnerable.”