The Complex

Data triage and the cyber age

While the media has been getting itself worked up about the fact that American UAVs have broadcast video streams over unencrypted communications channels for years now, some in the military are taking a more nuanced approach to what battlefield data must be super secure.

Three years ago, news broke that insurgents in Iraq were able to watch UAV video feeds by using cheap software. This came more than a decade after video feeds from the MQ-1 Predator UAVs' first combat missions over the Balkans were inadvertently broadcast on local TV sets. And let's not forget the small frenzy that occurred when it was reported that a virus was recording keystrokes at U.S. Air Force drone command centers in 2011.

Some have dismissed the utility of hacking a drone feed without knowing exactly which aircraft's video is being looked at -- and therefore having the ability to warn potential targets. Others have a different take on this.

However, in light of ever-evolving cyber threats aimed at stealing as much data from -- well, everyone -- as possible, the Army is seeking to triage threats to its networks. What does this mean? It means figuring out what information warrants the significant investment in technology, time, and money required to protect it from hackers and what information will be useless if hacked. The latter is called perishable data, and in some cases it includes things like voice communications during a firefight. While this data would be encrypted against hacking by the enemy actually fighting U.S. forces, it wouldn't need to be hardened against hackers with advanced code-breaking abilities because by the time they tapped into the data and analyzed it, the fight would be over and the data useless.  

"We recently made a big decision that's reducing a lot of our costs [and that] is going to [National Security Agency] Type 2 encryption for our push to talk radios at the tactical edge," said the U.S. Army's chief information officer, Lt. Gen. Susan Lawrence, during a speech at the Association of the U.S. Army's annual conference in Washington last week. "We realized, did we really need full Type 1 encryption all the way to the dismounted soldier? No."

(Type 2 encryption is commonly used by the military to transmit sensitive but unclassified information.)

Lawrence's comments reflect the growing view among U.S. military commanders that it will be impossible to protect all of its networks and all the data on the networks. Therefore, the most important information must be heavily guarded against theft or corruption, and it must be kept on a network that is resilient enough to operate even while under attack.

"We can't protect all our networks . . . so it's more about the defense of our data. It's about the data, where do you put the information and the data, where should it reside so we can protect it," said Lawrence.


How will DoD protect the commercial mobile devices on its networks?

Just like tons of us in the private sector have been doing for years, the Army, along with other Pentagon agencies, is moving toward allowing its staff to bring their own smart phones, tablets, and possibly laptops to work for use on unclassified systems.

"At the end of the day, we really are going to become hardware agnostic," said the Army's Chief Information Officer, Lt. Gen. Susan Lawrence, during a speech at the Association of the U.S. Army's annual conference in Washington last week. "Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you'll have and that's the one that we'll work with."

"We're in the RIM [Blackberry] environment, we're in the Apple environment, and we're in the [Google Android] already as we go through this," said the three-star general.

She added that the service is already working with the Defense Information Systems Agency to establish a way to pass sensitive information via commercial devices -- tablets and smart phones running Google's Android operating system.

Wait a second, you say, doesn't this sound like an opportunity for hackers to break into Defense Department networks by attacking someone's smart phone or iPad while their kids use it at home? What about the growing threat of malware aimed at attacking firmware that is embedded in the devices at manufacture?

"I believe the next wave of hacking will focus on modifying firmware," IT security consultant Robert Bigman told Killer Apps in an email. "As we eventually get better finding root kits" hackers will shift toward "hacks that modify computer and smart phone firmware, even breaking into vendor firmware diagnostics, to control devices via the firmware layer."

This means that "if you can control the firmware, you can control what software gets loaded and runs," wrote Bigman. "The firmware controls the physical device. You can control the firmware from factory and through the life cycle of the device either publicly, via updates, or covertly by spoofing the firmware or even software update process."

Killer Apps asked Lt. Gen. Lawrence about this immediately after her speech. Here's what she had to say.

"What you will agree to do is, if that's the device you want to use, you're going to sign an agreement with me that I get to scan you before you log on," said Lawrence. "I get to scan your device and then, you're also going to let me monitor you so that I can look for an inside threat as well. So if you're on the government network, you're gonna let me scan you first and you're gonna let me monitor you second."

With mobility being the "number one" computing feature that both the Army and the Defense Department are looking for, Army officials are scrambling to make sure that all data is stored on a secure cloud, where it is more easily monitored, protected (say DoD officials), and accessible from anywhere, instead of on vulnerable laptops, tablets, and smart phones.

However, one of the most important issues in the shift toward mobility and cloud computing "is in fact, ensuring that it's you on the network and that we've got your certifications and accreditations so that when you log on, I say yes, that's that person."

Two ways of doing this are authenticating users via passwords and data tags when they log onto the cloud, or relying on the DoD's move to only allow people to log onto networks using a secure, personalized ID card under its Secure PKI initiative.

