The Complex

How will DoD protect the commercial mobile devices on its networks?

Just like tons of us in the private sector have been doing for years, the Army, along with other Pentagon agencies, is moving toward allowing its staff to bring their own smart phones, tablets, and possibly laptops to work for use on unclassified systems.

"At the end of the day, we're really are going to become hardware agnostic," said the Army's Chief Information Officer, Lt. Gen. Susan Lawrence during a speech at the Association of the U.S. Army' annual conference in Washington last week. "Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you'll have and that's the one that we'll work with."

"We're in the RIM [Blackberry] environment, we're in the Apple environment, and we're in the [Google Android] already as we go through this," said the three-star general.

She added that the service is already working with the Defense Information Systems Agency to establish a way to pass sensitive information via commercial tablets and smart phones running Google's Android operating system.

Wait a second, you say, doesn't this sound like an opportunity for hackers to break into Defense Department networks by attacking someone's smart phone or iPad while their kids use it at home? What about the growing threat of malware aimed at attacking firmware that is embedded in the devices at manufacture?

"I believe the next wave of hacking will focus on modifying firmware," IT security consultant Robert Bigman told Killer Apps in an email. "As we eventually get better finding root kits" hackers will shift toward "hacks that modify computer and smart phone firmware, even breaking into vendor firmware diagnostics, to control devices via the firmware layer."

This means that "if you can control the firmware, you can control what software gets loaded and runs," wrote Bigman. "The firmware controls the physical device. You can control the firmware from factory and through the life cycle of the device either publicly, via updates, or covertly by spoofing the firmware or even software update process."

Killer Apps asked Lt. Gen. Lawrence about this immediately after her speech. Here's what she had to say.

"What you will agree to do is, if that's the device you want to use, you're going to sign an agreement with me that I get to scan you before you log on," said Lawrence. "I get to scan your device and then, you're also going to let me monitor you so that I can look for an inside threat as well. So if you're on the government network, you're gonna let me scan you first and you're gonna let me monitor you second."

With mobility being the "number one" computing feature that both the Army and the Defense Department are looking for, Army officials are scrambling to make sure that all data is stored on a secure cloud, where it is more easily monitored, protected (say DoD officials), and accessible from anywhere, instead of on vulnerable laptops, tablets, and smart phones.

However, one of the most important issues in the shift toward mobility and cloud computing "is in fact, ensuring that it's you on the network and that we've got your certifications and accreditations so that when you log on, I say yes, that's that person."

Two ways of doing this are authenticating users via passwords and data tags when they log onto the cloud, or via the DoD's move to allow people to log onto networks only with a secure, personalized ID card under its Secure PKI initiative.


The Army is building cyber into its combat exercises

The Army has started incorporating cyber operations into exercises meant to prepare its heavy forces to fight major wars again after more than a decade of counterinsurgency, a three-star general revealed this week.

Until recently, "we had not thought through the process of how we could use cyber, or the network, from a weapons standpoint," said III Corps Commander, Lt. Gen. Donald Campbell during a speech at the Association of the U.S. Army's annual conference in Washington this week.

To address this, Campbell had representatives from U.S. Army Cyber Command embed with his commanders for the exercise, hosted by III Corps this summer, so that the traditional combat troops could learn how to use cyber in a conflict. (III Corps is a heavy combat formation of the U.S. Army consisting of numerous armor, cavalry and infantry divisions.)

"This was a Caspian Sea scenario against what I would classify as a near-peer adversary," said Campbell. This means that the friendly troops were fighting a nation with an advanced military, like Russia's.

In addition to throwing armor, artillery, and infantry at the enemy to defeat its forces, commanders got accustomed to thinking about how they would use cyber power in the campaign.

"I had to tell the staff, ‘Here's what I want to achieve as an example,' as we got ready to isolate Baku, in really the culminating operation for the exercise. I specifically said I want to target this [enemy] division to do this to it -- not ‘take it down', that's not a doctrinal term -- but to really impact its ability to command and control," said Campbell. "So we put together a [concept of operations] using [U.S. Army Cyber Command's] capabilities, [the Army cyber] team working to us to do that specific mission [taking out the enemy's command and control] and it was very successful."

What does very successful mean? The fake enemy's ability to command his forces and gather intelligence was degraded by about 40 percent because of Army cyber's efforts, according to Campbell.

"When [Army cyber commander Lt. Gen. Rhett Hernandez] talks about the network as a weapons system, in my opinion that was a great example," said Campbell.

He added that his operational planners had to learn how to collaborate with the cyber commanders to use cyber weapons.

"We met daily, in a targeting brief for an hour and there were specific focused targets on what we would do to the network and what we would do to our network," said Campbell. 

Friendly forces even used social media in an attempt to win the local population's support.

"I asked the team to leverage what we could from a social media standpoint . . . to try to get after the populace," said Campbell, who added that this use of social media to influence the outcome of a conflict was "bigger than public affairs."

While the exercise was a start, the Army must make relationships between more traditional units like III Corps and its divisions and cyber forces "habitual," according to Campbell, who noted that several upcoming Army exercises will incorporate cyber.

All of this comes as the Army seeks to develop a new generation of cyber weapons and is working to incorporate offensive cyber fire support into its operations.

In addition to building strong and resilient networks capable of operating while under attack, "we must also be ready when directed to conduct offensive operations to help achieve commanders' intents and the objectives that they desire," said Lt. Gen. Hernandez during the same event at which Campbell spoke.