Military Gives External Media Devices Marching Orders

In the wake of Pentagon-based U.S. Army Pfc. Bradley Manning’s leaks of thousands of files from SIPRNET — the Defense Department’s internal version of the Internet — to Wikileaks, all branches of the U.S. Armed Forces are ordering troops to stop using portable or removable media.

Military personnel caught using CDs, DVDs, thumb drives or other removable media risk court martial, reads a Dec. 3 order from Major General Richard Webber, commander of Air Force Network Operations.

The move comes after Pentagon officials reviewed various ways to foil Wikileaks, mostly by removing removable media. Problem is, by waylaying Wikileaks, the Armed Services may be hampering their own missions.

“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the order notes.

What’s more, criticism is growing that the government isn’t doing nearly enough to staunch the potential flow of classified information.

Access Review Essential

“Reports indicate that the Pentagon has immediately taken steps to disable drives that would allow users to record and remove data,” said Kurt Johnson, vice president of strategy and corporate development at Courion. “But a Pentagon spokesman has said that officials are not yet reviewing who has access to data. It is absolutely crucial that access policies are defined, verified and enforced in order to safeguard critical data.”

Such safeguards will likely only represent the start of a daunting task.

“The WikiLeaks debacle will force the Department of Defense to rethink computer security procedures and change their policies, but in a revolutionary way,” said Darren Hayes, a computer forensics and security professor at Pace University’s Seidenberg School of Computer Science and Information Systems.

Revolutionary or not, those policy changes should include “identity and access management systems synched up with security information and events management software and data loss prevention tools to monitor who has access to key applications and what is being done with that access,” Courion’s Johnson told TechNewsWorld.

“The Pentagon likely knows which of its data stores are most sensitive, but there is a need to create access intelligence — an understanding of who has access to that data and whether what’s being done with it is inconsistent with normal activity,” he explained.

Media and Morale

Defense Department officials have long debated whether access to everything from USB drives to social media should be allowed or restricted, Seidenberg’s Hayes told TechNewsWorld.

“There have been numerous problems with secrets being linked through social media and compromises with USB devices well before WikiLeaks,” he said.

Yet with morale at stake, little action has ever materialized.

“Many have argued that it is important for military personnel stationed abroad to have access to technology that facilitates communication with family,” Hayes explained.

The morale argument, however, falls short for George Calhoun, executive-in-residence at the Stevens Institute of Technology Howe School of Technology Management, whose son is an infantry officer stationed in Afghanistan.

Armed forces personnel “follow a number of instructions” that greatly reduce their contact with the outside world, he told TechNewsWorld.

“I don’t know exactly the routes he travels, or details of his missions,” added Calhoun, an information architecture and wireless communications expert who cofounded InterDigital Communications Corporation. “But my son and his fellow soldiers are conditioned to function under these circumstances, so I don’t think loss of certain media devices will impact their morale.”

Enforcing the order shouldn’t be difficult either, Calhoun explained.

“Unless you’re listening privately to a Lady Gaga CD or something, you cannot use these devices without detection, especially on the military’s current networks,” he said. Calhoun was also chairman of Geotek Communications’ joint venture with the Israeli government’s Rafael Armament Development Authority to develop secure fleet radio communications.

Military Internet

By shutting down so much troop-accessible media, the U.S. Armed Forces will doubtless be criticized for overreacting. After all, the Pentagon’s computers weren’t hacked, and the information Wikileaks received was turned over, voluntarily, by a renegade armed serviceman.

Or so it appears — but appearances can be deceiving, reminds author and executive consultant John Mariotti, a former president of both Rubbermaid Office Products and Huffy Bicycle, who started his career as a codesigner of the AUTOVON, a super-secure U.S. military phone system built to survive nuclear attacks.

Although Wikileaks did not directly attack the DoD’s computer network, Manning’s leaked documents about conflicts in Iraq and Afghanistan do represent what Mariotti calls “a modified form of cyberattack: ‘cybersnooping.’”

Wikileaks also took advantage of a flaw in the government’s network security, albeit a human-driven flaw.

“The U.S. government uses two different computer networks: NIPRNET, which is analogous to the Internet we all know and use; and SIPRNET, a secure network separated from NIPRNET by an ‘air gap,’ which means that no physical connection between the two exists,” said Mariotti.

Ironically, “SIPRNET was designed for such high-security personnel access, it was not protected with a high security system,” he explained. “Allegedly, a private first class ‘bridged the air gap’ with an external memory device — maybe a USB thumb drive — in such a way that material could be copied and then retransmitted.”

The military is right to be worried particularly about thumb drives, “the easiest, smallest way to either download or upload something,” Mariotti said. “For malware and stealing data, they are small, easy to conceal, and cheap.”

All this talk of cybertheft and malicious Internet intent reminds Mariotti of the plot of his recently published thriller, The Chinese Conspiracy, which contains numerous elements of the unfolding Wikileaks scenario and warns against the very real dangers of cyberskullduggery.

“How is Wikileaks any different from the attack that stole the plans for the U.S. Air Force F-35 Joint Strike Fighter?” he asked. “If hackers and cybercriminals can hack into the U.S. Army’s systems and access battlefield plans — which they did in 2008 — then what is secure any more?”

2 Comments

  • Your comments are pretty superficial as to the problem and the potential solution(s).

    The problem (Wikileaks) stems from a systemic problem with all large organizations, both private and government, when dealing with technology.

    In any large organization money is prioritized by perceived need. And the people prioritizing the money today are not technically competent to any significant degree.

    In virtually every organization, money spent on security is generally ‘soft money’ meaning funds not being spent directly on mission critical actions. Soft money is hard to come by and an easy target for any reorganization or austerity program.

    Determining the value of software which will increase sales or improve the flow of timely intelligence to the front line forces is a mature art. (Mature art being process and procedures generally agreed to be defensible as industry ‘standard’.) Determining the value of ‘security’ is much more difficult.

    You can value the protection against proven threats (anti-virus software and frequent applications of ‘patches’) relatively easily. Since ‘everyone’ has seen or at least read about the damage that can occur by not spending the money, funding is relatively easy to get approved.

    But many threats (including perhaps the most dangerous ones) are not ‘real’ in the eyes of senior management. The threat hasn’t been widely reported on in the Wall Street Journal and other major news outlets and therefore does not exist in their perception.

    Even for threats in the public eye, their analysis is very often that the threats are more costly to prevent than to ‘fix’ if they occur. This view will prevail until someone delivers thousands of ‘secret’ documents to Wikileaks or breaks in and steals the plans for your latest weapons systems. At that point it becomes a problem which may deserve funding. In any event, the incident provides the opportunity for ‘armchair quarterbacks’ to endlessly debate ‘what we did wrong’.

    It is worth it to consider in this light the huge hole in our nation’s security created by the fact that ALL of our major internet components are supplied by factories located in countries that are very likely to become opponents in warfare either economic or physical combat.

    The problem is compounded by the fact that virtually all of our weapons and combat systems contain chips produced in the same countries.

    None of these products have been tested for dormant functionality that could be activated by a foe destroying our economy by disabling the internet, disabling our weapons systems (smart bombs, satellites, command and control, weapons aiming and guidance systems…. the list is incredibly long) or both.

    The cost of rectifying this potential is enormous, almost beyond our ability to deal with. Take your own best guess what it would cost to replace every suspect component in the internet and all future components with Made in the USA products (all produced by American owned companies within our borders and designed by security vetted designers).

    Currently every major company in this market has foreign connections, even direct ownership by foreign nationals. None have the facilities to produce the products in the US, because like our cellphones most of the components and all of the assembly has been outsourced to countries potentially our ‘enemies’. We don’t even have a comprehensive program for testing devices we buy and verifying that the actual devices delivered conform to the tested unit(s).

    The arguments against ‘fixing’ the problem include the national debt, distrust of our military and military suppliers, inability of decision makers and voting public to understand the threats, opposition by corporations to either oversight or radical changes to their interrelationships, inability to comply (huge foreign national presence in design and testing plus no US based factories), etc.

    Hardware isn’t the only problem. Windows, which struggles to meet even consumer level security requirements, is an integral part of our military systems. Not a problem, you say? The Captain of the USS Yorktown might disagree after he found himself adrift without power for over 3 hours due to a program glitch in a control system front ended by Windows NT.

    If a major disruption to our economy or failure of a mission critical military system occurs, the outrage and second guessing will be legion.

    If anyone has an effective and practical (both economically and politically) our nation could sure use it.

  • What a joke our Government is. All the Agencies created, DHS, CIA, FBI, and yet we don’t protect documents. Are we really that stupid? Yes we are and here’s why. Because people are lazy and lack the willingness to take the extra steps to do so. Sorry to say our Government is just like any consumer who mostly lacks much security when it comes to their documents. I am sure our Government will create yet another Agency to tackle this problem and yet I see nothing changing except for it taking more tax revenue.

More by Mike Martin