Wireless Tail Wags Infrastructure Dog
Cyberdefense research supports integrated approach, joint service and commercial partnership.
Assuring the integrity of information in radio frequency tactical networks is rapidly becoming a linchpin for the success of the U.S. Defense Department’s Global Information Grid. Without cyberdefense advances, wireless domain devices cannot function properly in the face of information warfare, raising vulnerability issues for the entire U.S. communications infrastructure.
Radio frequency (RF) communications are pivotal to warfighter command, control and combat situational awareness. As a result, top-level leaders are now focusing their attention on the risks of using wireless warfighter networks that are based on commercially available technologies. Their recognition of the inherent RF network dangers has led to the formation of a new cyberdefense policy group within the Defense Department.
This policy group’s creation follows a staggering threat assessment and the development of nascent countermeasures techniques by the U.S. Air Force Research Laboratory, Rome, New York, to identify and thwart RF domain intrusions. Working in collaboration with industry, the laboratory is seeking to assure operational continuity of critical wireless networks. The laboratory’s cyberdefense program is based on a continual cycle of protection, detection and reaction, according to E. Paul Ratazzi, a senior program engineer. The trick is to detect information warfare attacks in real time and react quickly enough to ensure critical information remains available, correct and secure, then resume protection functions, Ratazzi emphasizes.
However, information assurance in wireless local area networks (LANs) poses unique military concerns. RF communications can expose the entire enterprise through links such as mobile satellite services; mobile cellular, paging, software and tactical radios; wireless LANs; handheld devices; wireless exchanges; and wireless local loops, Ratazzi notes. Meanwhile, the Defense Department has not approached RF research and development activities with the same heavy emphasis that it devoted to wireline Internet protocol (IP) networks.
The laboratory’s information connectivity branch is managing the RF cyberdefense program. A vulnerability analysis, briefed to the Air Force secretary and to Lt. Gen. John L. Woodward, Jr., USAF, now deputy chief of staff for communications and information and deputy chief information officer, Headquarters U.S. Air Force, Washington, D.C. (SIGNAL, May 2000, page 17), precipitated the establishment of the Defense Department’s RF cyberdefense policy group, Ratazzi explains. With an initial meeting in mid-July, this group is the beginning of a concerted effort to develop an overarching policy for military use of RF commercial devices and technologies, he reports.
Continuing hacker efforts to infiltrate wired networks are directed toward IP-based domains, and this is still where the preponderance of attention and funding is directed. However, significant dangers to the Global Information Grid (GIG) through wireless network penetration are gaining recognition and some additional funding. The laboratory’s information connectivity branch is operating with approximately $1 million added to this year’s budget to supplement existing advanced development. Part of the additional funds will be used for efforts by industry and academia to develop RF network information assurance, Ratazzi points out.
Also, the laboratory is using approximately $500,000 to build a five-node software radio-based wireless LAN testbed that is joint tactical radio system (JTRS) capable. Researchers are using commercial technologies to build this testbed based on the software radio development system (SoRDS). The idea is to assure continuity of the development program regardless of continuing contractor support, Ratazzi claims.
A field programmable gate array using the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard is part of this in-house effort. Likewise, another element is a graphical rapid prototyping workbench based on signal processing, as is development of assured satellite communications receiver and transmitter designs. Commercial off-the-shelf wireless LAN technology involves possible use of the ORiNOCO product line from Agere Systems (formerly the Microelectronics Group of Lucent Technologies) as well as Harris and Cisco products; specialized directional antennas; and RF digital test equipment.
The Air Force wireless network cyberdefense program addresses information assurance and protection demands in a mobile environment. The laboratory program is structured to conduct research and document vulnerabilities of current and planned wireless equipment, systems and networks, and proposed solutions. An essential element is hardware and software development to demonstrate proposed solutions in a testbed environment. Newly developed concepts will be applied to existing or planned military wireless and wireline interfaces.
Wireless LAN technology operates in unlicensed bands, has range limitations, uses proprietary extensions to standards and proprietary hardware and software designs, and lacks advanced RF nulling and steering techniques, Ratazzi imparts. For industry, security features are optional and may affect interoperability, and the private sector has no integrated approach to information assurance because the focus is on operations in a benign environment.
Electronic warfare (EW) tactics can be used against RF networks because of their vulnerability. Few commercial products provide electronic protection technology, and rapid growth of commercially available wireless systems has led adversaries to develop EW tactics against networks.
Additional funding may be available in the new fiscal year to resolve important RF network vulnerability issues. The laboratory is seeking to exploit joint service and commercial partnerships as it moves toward a long-term goal of developing an autonomous and continuous protect, detect and react loop for RF networks, Ratazzi declares. Using a broad agency announcement (BAA) as a contract mechanism, the laboratory is actively seeking innovative RF information assurance concepts. One contract is with Logicon, a subsidiary of Northrop Grumman (see page 37), another is with Science Applications International Corporation (SAIC) and a third is with Northeastern University in Boston.
Logicon is developing intrusion detection and recovery capabilities for RF networks using proven aerospace engineering expertise. Northeastern University is developing authentication and revocation protocols for more frequent use with wireless networks, and SAIC is developing a vulnerability taxonomy database for the reaction portion of the information assurance loop. “Once an understanding of vulnerabilities exists, you have a database to execute reactions and start toward real-time capability,” Ratazzi emphasizes. SAIC’s work involves look-up tables as opposed to using software intelligent agents.
In addition to the BAA, the laboratory has nonproprietary agreements with a number of other companies to monitor RF technology applications.
A joint wireless working group sanctioned by the Defense Department several years ago reports to the joint commanders group on communications and electronics. This group includes the U.S. Army’s Communications-Electronics Command (CECOM) and battle laboratories; the U.S. Navy’s Space and Naval Warfare Systems Command (SPAWAR), Navy Postgraduate School and battle laboratories; the Air Force Research Laboratory Information Directorate, Air Force Communications Agency, Air Force Information Warfare Center and battle laboratories; and the National Security Agency.
The wireless working group maintains an avenue for commercial partnering with companies such as Harris, Lucent, Qualcomm, Clarion, Cisco and Motorola. A nondisclosure agreement with Harris offers product influence through the company’s SECNET-11, which uses a modified encryption chip. A key element in leveraging commercial technologies is use of the 802.11 standard, Ratazzi discloses. “This standard has a lot of commercial momentum behind it and is becoming very low-cost and widely available.
“The program’s main goal is to determine how to best leverage the massive commercial investment to meet Air Force needs but to do so in a way that does not compromise the integrity and safety of the information,” Ratazzi continues. This is not an easy task because commercial RF technologies were not designed for the levels of security and robustness necessary in tactical military operations, he observes. The laboratory’s initial focus is on wireless LANs, and a large portion of wireless LAN technology falls under the 802.11 standard umbrella. He emphasizes that increased information assurance is necessary, but adds that commercial off-the-shelf products can be leveraged with enhanced RF network protection.
Investigation of the 802.11 standard core implementation is directed at applications for environments such as an air operations center on a bare base. “Instead of having to transport spools of cable and heavy equipment, a wireless network is established without an infrastructure,” Ratazzi relates. The 802.11 products are widely available “at your favorite electronics dealer, with PC cards for laptops at a cost of approximately $150 and access points for between $500 and $1,500. Technology also is available that provides data rates from 1 megabit to 10 megabits and faster. There are some levels of privacy designed in the devices, but they are not hardened for security.”
Most 802.11 systems specify an approach for encryption known as wired equivalent privacy, developed within the IEEE group. However, there are fundamental flaws in the way random numbers are generated for encryption keys. By monitoring RF traffic and collecting statistical data, an adversary can determine the keys. The speed with which this can be accomplished depends upon the level of network traffic. And, an intruder’s monitoring post is simply a laptop computer with a widely available $150 card installed.
The University of California at Berkeley determined this vulnerability last February and posted it on a Web site. “This vulnerability is independent of the key size. You might believe moving from a 40-bit key size to a 128-bit key would provide stronger encryption, but this is not the case,” according to Ratazzi. “The encryption only keeps the casual observer from learning what you are doing. If someone wants to crack it, they can.
“This 802.11 commercial encryption capability applies only to the payload of the packet, and the network information is not encrypted. You clearly do not want an adversary to know your IP addresses, your gateways and which machines are servers. So, the encryption is not remotely like a Type-1 end-to-end encryption used in military communications systems,” Ratazzi discloses.
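The two weaknesses just described, a 24-bit IV space that does not grow with the key and a frame header that travels in the clear, can be read straight off the frame format. The following Python example is added here and is not code from the article or the laboratory: it builds constructed WEP-protected data frames (addresses, IVs and bodies are all made up), reports what a passive monitor sees with no key at all, and flags IV reuse, which a defender can use as a monitoring signal rather than waiting for statistics to accumulate against them.

```python
"""Constructed WEP-protected 802.11 data frames: what stays in the clear,
and IV reuse as a monitoring signal.  Example code, not from the article."""
import math
import struct
from collections import defaultdict

IV_BITS = 24                     # WEP IV length is fixed by the standard,
IV_SPACE = 2 ** IV_BITS          # whatever the key size (40 or 104 bits)


def build_wep_frame(addr1, addr2, addr3, seq, iv, key_id, ciphertext):
    """Build a minimal protected data frame (ToDS/FromDS = 0, no QoS).
    The body is treated as opaque ciphertext; a 4-byte encrypted ICV follows."""
    fc = 0x0008 | 0x4000         # type = data (bits 2-3), Protected Frame (bit 14)
    header = struct.pack("<HH6s6s6sH", fc, 0, addr1, addr2, addr3, seq << 4)
    iv_field = iv + bytes([key_id << 6])   # 3-byte IV, key ID in the top 2 bits
    return header + iv_field + ciphertext + b"\x00" * 4


def parse_wep_frame(frame):
    """Return the fields a passive monitor reads without any key."""
    if len(frame) < 24 + 4 + 4:
        raise ValueError("too short for header, IV and ICV")
    fc, _dur, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    return {
        "protected": bool(fc & 0x4000),
        "addr1": a1.hex(":"), "addr2": a2.hex(":"), "addr3": a3.hex(":"),
        "seq": seq >> 4,
        "iv": frame[24:27].hex(),
        "key_id": frame[27] >> 6,
        "ciphertext_len": len(frame) - 28 - 4,   # only this part is encrypted
    }


def find_iv_reuse(frames):
    """Map (transmitter, key_id, iv) -> indexes of frames seen more than once.
    Two frames with the same IV under the same key share an RC4 keystream."""
    seen = defaultdict(list)
    for idx, frame in enumerate(frames):
        rec = parse_wep_frame(frame)
        if rec["protected"]:
            seen[(rec["addr2"], rec["key_id"], rec["iv"])].append(idx)
    return {k: v for k, v in seen.items() if len(v) > 1}


def expected_frames_to_first_collision():
    """Birthday bound: frames a monitor sees, on average, before two randomly
    chosen 24-bit IVs repeat.  The key length does not appear anywhere."""
    return math.sqrt(math.pi * IV_SPACE / 2)


# Constructed sample traffic: one station talking to one access point.
STA = bytes.fromhex("020000000001")     # constructed locally administered MACs
AP = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_wep_frame(AP, STA, AP, 10, bytes.fromhex("000001"), 0, b"\x9a" * 40),
    build_wep_frame(AP, STA, AP, 11, bytes.fromhex("000002"), 0, b"\x3c" * 40),
    # Same IV again, as a card that restarts its IV counter at zero would send.
    build_wep_frame(AP, STA, AP, 12, bytes.fromhex("000001"), 0, b"\x51" * 40),
]

if __name__ == "__main__":
    for rec in map(parse_wep_frame, SAMPLE_FRAMES):
        print(rec)
    print("IV reuse:", find_iv_reuse(SAMPLE_FRAMES))
    print("expected frames to first IV collision: %.0f"
          % expected_frames_to_first_collision())
```

The collision figure is for random IVs; cards that count sequentially cycle the whole space in well under a day on a busy access point, so either way a monitor that alerts on repeated IVs is watching the right field.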
A natural extension of the laboratory’s approach with 802.11 technology systems encompasses Bluetooth short-range technology applied, for example, on personal digital assistants. Bluetooth is expected to significantly change the RF communications medium (SIGNAL, September 2001, page 34). The laboratory is seeking to develop solutions that overcome commercial RF vulnerabilities, perhaps something along the lines of a virtual private network. “But there is a lot more to information assurance than just encryption. Whether or not an adversary can observe the data in the RF channel, the very fact that communications are transpiring is information you do not want an adversary to have,” Ratazzi notes.
This approach leads the laboratory and its contractors to possible modifications to commercial RF devices that function with lower power levels. The aim is to provide low probability of detection, low probability of intercept and antijamming, as with tactical military communications equipment. This provides protection by avoiding detection, location and denial of service. Other techniques also may enable spread spectrum, frequency hopping and traffic leveling that masks actual transmissions, Ratazzi illustrates.
Commercial technologies of interest to the Air Force include wired-equivalent privacy, secure sockets layer, wireless transport layer security and wireless application protocol. Applications of wireless LANs would be anywhere that their use results in reduced logistics, acquisition, installation and maintenance costs, Ratazzi insists. Other considerations involve rapid setup and takedown, increased flexibility and mobility. “But wireless LANs must be secure, robust, reliable and assured,” Ratazzi declares.
“The way the laboratory is attacking the RF network protection problem is on two axes. One involves the International Standardization Organization/open system interconnect (ISO/OSI) model,” Ratazzi specifies. This seven-layer model encompasses application, which provides network access; presentation, which manages data representation; session, which involves log-in, priority, token and action management; and transport, which ensures reliable delivery and integrity. The other layers are the network, with connections and paths between multiple users; datalink, which provides message formatting, point-to-point synchronization and error control; and physical, the RF transmission media, with connection and data transmission.
“The immediate focus is on physical layer protection and to begin integration with information assurance at other layers. We are delving into all seven layers, especially those things that are unique to the wireless aspects of each,” Ratazzi assures. The second axis of information assurance is the protect, detect and react loop. In the detection element of the information assurance loop, physical-layer intruder detection and localization techniques are being developed, as are continuous authentication, network intrusion and anomaly detection techniques. The reaction phase involves collaborative, multilayer techniques; dynamic node personalities; robust, distributed key management; adaptive multinode-based nulling; and diversified reach-out and reach-back.
In developing a fully protected wireless GIG infrastructure, elements of the laboratory’s program involve a 2004 near-term objective that begins with building vulnerability, threat and countermeasure databases. By 2007, the midterm, the program calls for secure mobile code; data hiding based on watermarking and steganography; robust anomaly (captured code) detection; collaborative, distributed boundary and perimeter defense; and dynamic coalitions adaptable to multiple classification levels. In this phase, metrics and evaluation techniques will be developed, along with exploitation of mobile agents, active networks and graded trust models.
In the long term, the program calls for integrated multilayer defense, an autonomous protect, detect and react loop and seamless wired and wireless information assurance. In this phase, rule-set or intelligent agent technology, based on an expert system, is likely to determine actions for certain contingencies, Ratazzi says. Another division within the laboratory provides expertise in intelligent agent technology, and a lot of work is being accomplished in this area for the Defense Advanced Research Projects Agency, he adds.
Bluetooth Chips’ Allure
Heavy international investments by electronics companies are driving communications markets toward inexpensive wireless devices equipped with what is known as Bluetooth integrated circuit technology. As this technology accelerates, it is expected to have an immense impact through the constant emergence of new devices and applications.
Bluetooth chips in freight containers can be used to identify cargo whenever a truck drives into a storage depot, as an example. Another is a headset that communicates with a mobile telephone in the user’s pocket, or even in a nearby room. Home appliances communicating with a Bluetooth-enabled computer also can be turned on, off, or can inform retailers over the Internet when provisions are required, as still another example.
Conceived initially by Ericsson in Sweden, before being adopted by myriad other companies, Bluetooth is a standard description for a small, inexpensive radio chip that transmits information that is normally carried by wired appliances such as a printer, mouse, monitor or data processor. It transmits at a special frequency to Bluetooth receiver chips. Again at a special frequency, information received by a Bluetooth chip can be relayed to a computer or telephone.
Projected Bluetooth chip cost is about $5.00 each, and its low power consumption means it can be placed almost anywhere. The technology’s name is derived from a 10th century Danish Viking, King Harald Blåtand (Bluetooth), who particularly enjoyed eating blueberries.
Aircraft Calculations Boost Radio Frequency Networks
Algorithms developed for airframe and engine lifetime testing for systems such as the U.S. Air Force B-2 stealth bomber and U.S. Navy swing-wing F-14 fighter are finding unique applications. Coupled to neural networks and various sensors, these algorithms are helping to predict and detect tactical wireless network intrusions.
Extensive aerospace life-cycle testing by Northrop Grumman is finding novel radio frequency (RF) application at Logicon, one of its subsidiaries. This Logicon activity falls under an Air Force Research Laboratory, Rome, New York, broad agency announcement (BAA) and centers on work with waveforms from the U.S. Army/Raytheon enhanced position location reporting system (EPLRS).
EPLRS provides automated, near-real-time radio and data communications to tactical commanders. With a data distribution capability between computers, combat elements report position, location and navigation. San Diego, California-based Paul Zavidniak, Logicon’s information warfare manager, calls EPLRS an especially interesting approach. He originally worked in aircraft development at Northrop before the Grumman merger.
This company’s core aerospace technology involves neural and Bayesian belief networks. Both are being applied to RF network intrusion forecasting in concert with multiple sensor fusion. Bayesian belief networks are a part of larger evidential reasoning networks that use prognostic algorithms to determine the remaining lifetime in machinery and aircraft. Applying years of sophisticated aerospace experience, remaining-life equations for a mechanical system can be used to extrapolate normal wireless network operation and predict anomalous behavior. “It is not just use of an algorithm, but how to implement it and knowing when it is appropriate for network security applications, especially when harnessing neural networks,” Zavidniak contends.
Large numbers of EPLRS radios are in the field, and the system is in full-scale production. The Air Force is looking to develop RF network and information assurance technology for joint service applications. “EPLRS is a strong Army program, but the technology is also in use by the Navy and U.S. Marine Corps for amphibious operations to extend situational awareness ashore,” Zavidniak clarifies. “The Air Force already uses the technology in its situational awareness datalink for close air support. This multiservice use is one reason why the laboratory and the company settled on EPLRS waveforms for research and development.”
EPLRS functions with a time division multiple access communications architecture to avoid transmission contention with its frequency hopping, error detection and correction interleaving. The system also uses spread-spectrum technology to provide jamming resistance. But it is the strong network control station of the EPLRS subsystem that provides what Zavidniak believes is the foundation for an RF network management system. He relates that the company is modeling EPLRS activity to explore where an RF-based information warfare attack on the system would take place.
Former Grumman aircraft program employee John Whitson, now a Logicon cybertechnology specialist from Bethpage, New York, continues. “EPLRS is parallel in its technical approach to other systems that interconnect with it. For example, the Army’s single channel ground and airborne radio system (SINCGARS), with its tactical internet controller, provides the communications link for the digitized force.” He maintains that EPLRS waveforms, which the laboratory assigned to Logicon for the program, “are a rich environment because they report unit positions at brigade and below levels. You can actually watch as radio sets move around the battlefield independently of the global positioning system.”
EPLRS also provides a lot of backbone trunking for the tactical internet. Not only does it move its own message traffic around along with command and control information, but it also handles distribution of X.25 traffic embedded in the Internet protocol, Whitson claims.
“This capability really got us interested in the EPLRS network control station and in SINCGARS,” Zavidniak stresses. “To begin with, it provides an important look at the tactical internet because it is a data network, the trunking network from which SINCGARS radios interconnect with an appliqué. EPLRS provides the means to distribute SINCGARS information.” Whitson joins in, stating that EPLRS can be considered to be a true plug-in wireless Ethernet arrangement, analogous to a traditional wireline network.
As a result of EPLRS information assurance research, Logicon is developing a model to determine whether an adversary has overrun a friendly position and captured a radio, Whitson affirms. This concept involves what a network control station operator might observe over a time line that would lead to the conclusion that a network radio has been compromised, or that it is being specifically jammed. “This research is the first part of the laboratory’s contract task. The second part involves methods to recover from the situation.” He adds, however, that EPLRS is difficult to jam.
The company is involved in two types of network events: jamming and compromise. Jamming involves both noise and traffic disruption. Compromise events are very difficult to detect and center on learning when an adversary has entered the system. The risk is not to the voice traffic; it is access to the data and the ability to undermine confidence or corrupt the data as they move to soldiers equipped with manpack radios.
Jamming is not always from hostile systems and can be from co-site interference. It is necessary to distinguish between the two phenomena to model EPLRS events that are directly observable, “and this is what our work is all about,” Whitson states. Logicon has a background in this approach from its work with wired Internet-based systems and is drawing upon experience in network intrusion forecasting to model RF wireless information warfare attacks. “EPLRS is a very good candidate for this work because of the level of network control, which provides the ability to place monitors on the network control station to obtain unprecedented data capture.”
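An illustration of the evidential reasoning described above and in the earlier paragraph on Bayesian belief networks: the following Python example is added here and is not Logicon’s model, whose structure the article does not describe. It folds network-control-station observations, arriving over a timeline, into a posterior over four hypotheses (normal operation, co-site interference, hostile jamming, compromised radio) using a naive-Bayes belief network; the prior, the likelihood tables and the three observation timelines are all constructed for the example.

```python
"""Sequential Bayesian assessment of RF network events from observables.
Example code, not Logicon's model; all probabilities are constructed."""

STATES = ("normal", "co_site", "jamming", "compromised")

# Constructed prior over the hidden network state.
PRIOR = {"normal": 0.85, "co_site": 0.08, "jamming": 0.05, "compromised": 0.02}

# Constructed P(observable is true | state).  Each observable is something a
# network control station operator could see on the console over time.
LIKELIHOOD = {
    # Receiver noise floor well above its usual level.
    "noise_floor_high":          {"normal": 0.05, "co_site": 0.80, "jamming": 0.90, "compromised": 0.05},
    # Error bursts line up with friendly co-located transmitters keying up.
    "errors_track_friendly_tx":  {"normal": 0.05, "co_site": 0.85, "jamming": 0.10, "compromised": 0.05},
    # Neighbouring radios in the same area report degradation too.
    "neighbors_also_degraded":   {"normal": 0.05, "co_site": 0.60, "jamming": 0.85, "compromised": 0.10},
    # A radio's reported position jumps or sits where no friendly unit is.
    "position_report_anomalous": {"normal": 0.02, "co_site": 0.02, "jamming": 0.05, "compromised": 0.90},
    # Traffic volume or addressing from one radio departs from its history.
    "traffic_pattern_shift":     {"normal": 0.05, "co_site": 0.10, "jamming": 0.20, "compromised": 0.80},
}


def update(posterior, observable, value):
    """One Bayes step: weight each state by P(obs = value | state), renormalise."""
    weighted = {}
    for state in STATES:
        p_true = LIKELIHOOD[observable][state]
        weighted[state] = posterior[state] * (p_true if value else 1.0 - p_true)
    total = sum(weighted.values())
    return {state: w / total for state, w in weighted.items()}


def assess(timeline):
    """Run the timeline of (observable, seen?) pairs from the prior forward.
    Returns the final posterior and the leading hypothesis after each step,
    which is the 'over a time line' view an operator would watch."""
    posterior = dict(PRIOR)
    trail = []
    for observable, value in timeline:
        posterior = update(posterior, observable, value)
        trail.append((observable, value, max(posterior, key=posterior.get)))
    return posterior, trail


def leading_hypothesis(timeline):
    return max(assess(timeline)[0].items(), key=lambda kv: kv[1])[0]


# Constructed timelines: same first symptom, different explanations.
COSITE_TIMELINE = [("noise_floor_high", True), ("errors_track_friendly_tx", True),
                   ("neighbors_also_degraded", True)]
JAMMING_TIMELINE = [("noise_floor_high", True), ("errors_track_friendly_tx", False),
                    ("neighbors_also_degraded", True)]
CAPTURE_TIMELINE = [("noise_floor_high", False), ("position_report_anomalous", True),
                    ("traffic_pattern_shift", True)]

if __name__ == "__main__":
    for name, timeline in (("co-site", COSITE_TIMELINE), ("jamming", JAMMING_TIMELINE),
                           ("capture", CAPTURE_TIMELINE)):
        posterior, trail = assess(timeline)
        print(name, "->", leading_hypothesis(timeline))
        for step in trail:
            print("   ", step)
        print("   ", {s: round(p, 3) for s, p in posterior.items()})
```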
In RF networks, there is no consistency between waveforms and the ways in which they are managed. For this reason, problems have to be solved on a waveform-by-waveform basis. This lack of waveform unity impinges on the joint tactical radio system (JTRS), which will become the fundamental technology to understand, Whitson observes. The company already is examining waveforms for a Navy digital modular radio, an interim system, and the Army near-term digital radio.
“It is difficult enough to get a waveform onto a personal computer with all of the necessary waveform handling. To replicate the waveform on each radio and to embed management systems is asking a lot,” Whitson comments. Legacy waveforms will be used with the JTRS, which involves developing management tools and determining where they will reside. Some next-generation radio architectural changes may be necessary to handle jamming and detection functions. In the presence of jamming, recognizing when to dynamically add another channel may be key, but it might not be good enough, he adds.
The availability of commercial RF products—cellular telephones, laptops and personal digital assistants—is rapidly stimulating widespread military applications, and security is not an immediate industry consideration. Vendors do not publicize security problems. Instead they emphasize privacy, which does not equal security. “This whole area needs much more attention, but it is difficult to get users to admit that problems exist. On the battlefield, information must reach the warfighter at any cost because lives are involved. Shutting down the network is not an acceptable solution, and data integrity is crucial,” Zavidniak remarks.
The networks upon which so much emphasis is being placed for U.S. battlefield success must be there when needed most, but very little is being done at the warfighter platform level. “The commercial RF equipment community does not embrace the seriousness of today’s threat to their devices and systems. However, the Russians and Chinese are prodigious writers, and their literature suggests very serious threats that ought to be scary to corporations and to military users alike,” Zavidniak concludes.