Asymmetric Cyberwarfare Demands a New Information Assurance Approach
The planners of the Defense Department Joint Information Environment, or JIE, must specify the requirements that can cope with the surges in asymmetric cyberwarfare—now. Asymmetric warfare describes conflicts in which the resources of the two belligerents differ in terms of their weapons and organization. The opponents will attempt to exploit each other’s weaknesses.
Defending against asymmetric warfare requires imposing a unified intelligence that applies to all U.S. Army, Navy, Marine Corps and Air Force applications. Comprehensive protective solutions must be in place before facility consolidations are completed. Fixing applications before consolidating computer processing has become one of the primary requirements for safe cyber operations.
Proceeding with only enhancements of legacy operations will not be sufficient. For example, placing emphasis on data center consolidations without a simultaneous re-engineering of applications cannot deflect targeted cyber attacks.
Cyberwarfare has evolved over the past 40 years. Information security methods that used to protect computer systems now are inadequate. Thousands of unknown global cyber attackers examine millions of dispersed targets, but only hundreds of defenders protect tens of thousands of applications located in fixed positions. The disparity between many unknown attackers and a few known defenders has created a situation where asymmetric warfare is the prevalent condition under which system operations now take place.
U.S. organizations experience a malware-related event every three minutes—550 million incidents per year. Attacks typically are waged through less than 200 statements of logical code. Meanwhile, defenders depend on at least 1 million lines of rapidly obsolescent software acquired from dozens of vendors to protect each system. With a limited number of sufficiently skilled personnel, thousands of computers may have incomplete malware countermeasures.
The listing of risky malware codes numbers more than 13 million. According to the International Data Corporation, worldwide spending for security services in 2013 is $46 billion, and for security products it is $33 billion. Even $79 billion of protection is inadequate for meeting the challenge of rapidly growing malware.
Cyberdefenses must face a series of five stages in dealing with a typical malware attack. First, they must counter the setup attack, which often is conducted by spear phishing. It will be difficult to isolate the error-prone behavior of any individual. Insiders can open access for malware—whether in error, neglectfully or deliberately—into a protected computer environment. One of the remedies is to apply elaborate software screening to examine every attempted entry. Defenders must possess a list of suspected URL addresses that must be blocked if recognized as a malware source. Similar screening is needed to verify the locations, positions or authorization levels of authorized entrants before they are passed through.
Defenders also must prevent the opening of a back door. They need to use security software to monitor any modification of approved application codes so they can validate any efforts to open a new communication channel. Attempts to open an unauthorized channel then are routed to an isolated virtual “sand box” where the malware is trapped for examination until it can be released. As a prerequisite, all modified communication channels must be checked against a master list of prior back-door opening attempts.
Adequate defenses must block the seizing of an application. Adding malware code to any installed application requires permission, which in turn requires the availability of enterprisewide endorsement of application coding. This mandates checking software changes against a master list of approved configurations. Any malware attempts then are trapped and routed to an isolated virtual sand box where the modified software can be tested automatically by specialized software. If automated checking does not achieve its purposes, the situation is referred to a human operator responsible for cybercounterintelligence. Such checking usually is performed at network control center hubs, which have the responsibility for releasing transactions for further processing. Any non-automated transaction release requires the employment of highly skilled cyber experts.
The opening of a back channel is another challenge for defenses, but they can address it. Most malware, such as bots, requires the maintenance of continuous connections with the command and control origins from where the malware initially was released. Once malware has broken through sufficient security barriers, it can start performing assigned tasks such as redirecting messages or modifying databases under the control of the originating source. Meanwhile, the back channel must remain hidden from detection and must keep its encrypted characteristics. Using advanced software techniques, such as neural networks, the defenders may be able to stop all back-channel communication attempts at this stage. In most instances, disabling the malware will require intervention by a highly trained human operator capable of making complex security interventions.
Intercepting communications from a back channel can be key. An enterprise must maintain a list of the addresses of known command and control operators, with special attention given to originating botnet operators. Such efforts reach beyond the scope of the Defense Department and may include accessing databases maintained by the national security community to eliminate back-channel communications. This is where information warfare attacks rather than defenses enter the scene. Will control over back-channel communications allow the defenders to wage counterattacks? With this capability, defenders can convert into attackers because they finally have located malware attack operators who otherwise are widely dispersed and hard to reach.
For defenders, the consequences of identifying separate characteristics of a five-stage sequence of malware infections are far-reaching. Stage 1 requires every processing site to verify incoming transactions against databases that list every malware site. Stage 2 requires all incoming codes to be verified against telltale signatures of known back-door codes. Stage 3 confirms the integrity of the software of all applications compared with an approved listing of codes that were not modified. Stage 4 offers a confirmation that known command and control sources were not identified as suspected recipients of unauthorized communications. Stage 5 contains a universal list of command and control malware originators.
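The five-stage screening described above, written out as an added illustration that is not part of the article and not any Defense Department or JIE design. The tables, the application name, the back-door signature and the `.invalid` host names are all constructed sample data standing in for the centrally managed databases each stage consults.

```python
import hashlib
import re
from dataclasses import dataclass

# Centrally managed tables. Every value below is constructed sample data
# standing in for the consolidated databases the article describes;
# nothing here is a real indicator.
BLOCKED_SOURCES = {"phish.example.invalid"}                     # stage 1: known malware sites
BACKDOOR_SIGNATURES = [re.compile(rb"open_hidden_channel\(")]  # stage 2: telltale back-door code
APPROVED_CODE = {                                              # stage 3: approved configurations
    "payroll.app": hashlib.sha256(b"approved payroll build 1").hexdigest(),
}
KNOWN_C2 = {"c2.example.invalid"}                              # stages 4 and 5: C2 originators


@dataclass
class Transaction:
    source: str        # where the transaction entered from
    app_name: str      # application whose code it carries or modifies
    code: bytes        # the application code as installed after the change
    destination: str   # any outbound channel the code tries to open ("" if none)


def screen(tx: Transaction) -> tuple[str, list[str]]:
    """Run all five stages against the shared tables; return (verdict, findings).

    Verdicts: "release" (nothing found), "block" (stage 1 hit),
    "sandbox" (stages 2/3: trap the code for automated examination) or
    "human_review" (stages 4/5: a back channel needs a trained operator).
    """
    findings = []
    if tx.source in BLOCKED_SOURCES:
        findings.append("stage1:blocked-source")
    if any(sig.search(tx.code) for sig in BACKDOOR_SIGNATURES):
        findings.append("stage2:backdoor-signature")
    # Stage 3 is an integrity check: the installed code must hash to the approved build.
    if APPROVED_CODE.get(tx.app_name) != hashlib.sha256(tx.code).hexdigest():
        findings.append("stage3:unapproved-code")
    if tx.destination in KNOWN_C2:
        findings.append("stage4:c2-destination")

    if any(f.startswith("stage1") for f in findings):
        return "block", findings
    if any(f.startswith("stage4") for f in findings):
        return "human_review", findings
    if findings:
        return "sandbox", findings
    return "release", findings
```

Because every stage reads a shared table rather than a per-application setting, the same function screens any application in the enterprise, which is the interdependence the article argues for.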
Consequently, individual applications in any enterprise cannot be viewed as self-contained programs in cyber operations. Five different stages of checking are made against various consolidated databases, and they require the treatment of any application as a component of the entire infrastructure. The procedural parts of application logic, as in the case of legacy applications, still might continue to function without interference from security safeguards.
Security assurance requires treating all five stages of malware infections as an interdependent system, because each stage depends on centrally managed tables of names and addresses. In the future, cybersecurity will impose on all applications a level of interoperability unless a policy decision is made to treat some of the applications as a completely isolated island that has no intra-organizational communications. As long as the Army, Navy, Marine Corps and Air Force require interoperability, each of their systems must be treated as a part of an integrated security environment. Corruption of any one of these applications by malware must be treated as a potential subversion capable of infecting everyone. This security interoperability becomes a necessity whenever back-channel communications are checked against national security databases.
The JIE architecture development cannot proceed amid attempts to simplify what already is in place—such as through consolidation of servers, the merging of networks or sharing of applications. The consolidation of financial or human resource applications does have merits. While increases in asymmetric attacks are taking place, safeguarding security cannot be done through isolated fixes. As the first priority, the JIE must put in place a shared security infrastructure upon which all other components such as data centers, networks and applications can be constructed.
According to the Office of Management and Budget, the Defense Department has 2,429 projects totaling $32.7 billion in the 2013 budget. About 88 percent of operation and maintenance projects have budgets of less than $10 million. Some 87 percent of development programs have budgets of less than $10 million. This demonstrates that the overwhelming number of Defense Department projects operate with funding levels that would make the installation of costly stand-alone security safeguards hard to justify in the future. Vulnerability to malware makes no distinction between large or small projects. It takes just one spear phishing incident for the malware corruption to start propagating indiscriminately.
There is no way of telling what it would take to make most of the Defense Department projects interoperable from a security standpoint so that an installation of a shared environment could repel malware attacks. The department operates too many projects that are organizationally fractured into subcontracts to venture on the enforcement of a consolidated security environment.
So, how can the Defense Department proceed with disentanglement from the current diversity of thousands of incompatible security solutions? What is a path for proceeding with the installation of a new generation of security assured systems if budgets are constrained?
Fewer than 30 projects have development budgets of more than $100 million, which accounts for more than half of total department development spending. These investments offer an opportunity to overhaul the projects’ security architecture. Program executives would accept a shared next-generation firewall for protection while leaving legacy systems in place. A shared security environment would offer several advantages.
First, it would save money for individual firewalls. The estimated cost of security protection in the Defense Department is about 8 percent of total information technology spending. A unified approach to acquiring security products and services should be viewed as a cost reduction opportunity. This would free funds for the training and deployment of an enlarged cybersecurity staff.
It also would save money for operation. The department must have hundreds of firewalls, each requiring updating of the permission and access listings. Maintenance includes keeping up software updates as attackers change their methods.
This shared environment also would improve the utilization of scarce personnel that must be deployed around the clock to monitor warning messages that are generated by firewall devices. And, it would speed up the response time when firewall warnings are triggered.
Consolidating firewalls allows the extraction of an enterprisewide collection of forensics about attacks that originate from diverse attack sources. And, the shared security environment would set up a single source connection with national security organizations that track the attack patterns and sources of attackers.
Paul A. Strassmann, a retired vice president of Xerox, is a former director of defense information, Office of the Secretary of Defense.