Protecting Soldier Networks From Threats, Inside or Outside
NIE efforts in the laboratory and in the field will bring better, more secure cyber capabilities to bear.
Cyber is becoming more critical in battle every day, and the U.S. Army is adjusting its Network Integration Evaluation to reflect that reality. The service branch is introducing new digital features to the training event from the laboratory to the field.
During the most recent evaluation, which occurred in October and November, several cyber features made their debut. For the first time, the Army Research Laboratory Survivability/Lethality Analysis Directorate (ARL/SLAD) became part of the lab-based risk-reduction efforts in the lead up to the hands-on portion of the event. That work is helping to find earlier vulnerabilities that previously would have been discovered during the field portion of the Network Integration Evaluation (NIE) so experts can resolve any issues before giving the technologies to soldiers. “Is it going to find everything? No, no lab test is ever going to find everything, but I think it is allowing us to move the ball down the road from the perspective of being more proactive to find these issues,” says Jennifer Zbozny, chief engineer for the Program Executive Office for Command, Control and Communications-Tactical (PEO C3T).
The lab-based risk reduction that took place before NIE 15.1 is one of the biggest pushes to do more cybersecurity work in the evaluations. By moving assessments into the laboratory, soldiers save time on the ground. It also helps ensure that updates are loaded before the fieldwork and that mitigation measures are in place when necessary.
Matt McVey, lab-based risk reduction configuration management and operations lead, System of Systems Engineering and Integration (SoSE&I) Directorate, explains that not only does his organization provide the capability for units to test individual systems, but in the laboratory the units also have the opportunity to connect into the system of systems environment. This opportunity allows users to identify vulnerabilities and access points they might have missed when developing in a vacuum.
Also new for NIE 15.1 was a draconian approach to ensuring passwords are changed and that units really control them. Many of the systems in the evaluations come with default passwords when delivered. These need to be changed to specific passwords that users memorize. “I think that alone is going to help in terms of some of the threats we’ve seen before,” Zbozny says. “Passwords get out, and somebody gets into the network.” Troops might not have passwords at NIE, but they have connectivity, so once they obtain a password, they are in the network. Officials hope these fixes make the network more robust and secure.
The dangers of near threats have made headlines in recent years, and cybersecurity professionals often cite users as their biggest concerns. If people get their hands on passwords, they are one step closer to looking around on the network. Zbozny says misuse by authorized personnel is not her team’s biggest concern. Systems primarily run on the secret Internet protocol router network, which already has controls in place. However, dangers from inside as well as outside remain, so the Army is improving its user training.
In previous NIEs, leaders have seen passwords written on paper and posted inside vehicles, where anyone can see them. These leaders are trying to instill the discipline to maintain control of passwords at all times. Lt. Col. Carlos Wiley, USA, integration and execution division chief for SoSE&I, explains that soldiers from the 2nd Brigade Combat Team, 1st Armored Division, are made aware of the vulnerabilities in security as part of their NIE training. “Technically, we can find all the faults, but if the unit and the soldier are not tracking it, then the [red team] can get in,” Col. Wiley says.
Two blue teams took part in the NIE Validation exercise, and ARL/SLAD performed an analysis of them on WIN-T Increment 2 while the 1st Information Operations Command did an operational assessment of their work on all facets not connected to that network increment. “We must ensure from a holistic approach that the entire network is hardened,” the colonel explains.
PEO C3T now is working on a cyber road map that will lay out known vulnerabilities, describe how the organization expects to fix them and address bigger picture measures of additional network security. Officials want operations to be easier, not more difficult, for soldiers, so a major thrust of the effort is to refrain from adding complication to the network. With two-factor authentication, for example, experts say they can obtain the same security benefits without using a token-based method. Zbozny further explains that “down the line, we’re looking at things like biometrics. We would like to get to the point where really we just use some type of biometric signal. It’s different in the tactical world.” In the field, considerations must be made for items such as gloves, which make fingerprinting problematic. Authentication requires customization to the battlefield, so PEO C3T is working with the Army’s Communications-Electronics Research, Development and Engineering Center to examine developmental capabilities for tactical biometrics that will replace current capabilities. While those technologies were not ready for NIE 15.1, pilots for two-factor authentication functions could occur next spring in 15.2.
Most of the cyber road map is classified, but officials can discuss the Intelligence Community Information Technology Enterprise (ICITE). Zbozny says it may “very well change how we do business from a data perspective.” This unified data capability was developed by the National Security Agency, spans many agencies and provides support to the Defense Department (SIGNAL Magazine, October 2013, “Information Sharing ...). “The bottom line is it’s going to bring what I call ‘hardening’ of our data on our network to make it impenetrable,” she states. “I hesitate to say anything is ever impenetrable, but that’s the intent. That really does change the landscape.”
ICITE would alter focus from people entering the network to what they could damage. By locking down that data, ICITE reduces the potential harm intruders can inflict. Work on that took place in NIE 15.1, and depending on the assessment of its value, it may become part of the data dissemination strategy for the Command Post Computing Environment.
Fiscal year 2015 is expected to be active for PEO C3T in terms of trying to enhance its security patching capability. Zbozny says personnel need to patch faster and respond quicker to vulnerabilities. They also need to reach a point where all their systems have the ability to pull patches off a secure portal and automatically download them rather than requiring a disk or other medium. “I don’t know that we’re going to get that all done for every system in PEO C3T in [fiscal year] ’15, but certainly the intent is to make a lot of progress down that path,” she explains. Today’s mission command systems can respond quickly and download patches. The focus is to move the rest of the systems to that same status.
A push for more cyber in the NIE is not necessarily new. Zbozny says the effort is how mission command reached its present point. However, the networking of forces is becoming increasingly important in the tactical world as well as for drawing services from enterprise networks. A vulnerability on one system is a risk for everyone, and as the Army continues to build out bigger networks, cybersecurity becomes a bigger issue for everyone. Industry has to deal with many of the same considerations. Before those NIE partners can enter the laboratory, they need to understand the information assurance requirements and their vulnerabilities. If they have vulnerabilities, the Army prohibits them from network access. Col. Wiley says “that’s where risk reduction comes in as well.”
PEO C3T is looking to bring industry in on many parts of the Simplified Tactical Army Reliable Network, or STARNet, the middle phase of its Network Modernization Roadmap. Cyber is an area it definitely wants to enhance. To accomplish the task, the program office collaborates with science and technology (S&T) partners to ensure development against gaps, thus spending Army money wisely. It looks to industry to fill other gaps that come from outside the S&T community. In November, officials held a briefing for industry that laid those out as well as needs outside of cyber. Zbozny says more events will be held in the future.
Another move underway to improve cybersecurity is certified ethical hacker training. A mobile team visited Aberdeen Proving Ground, where PEO C3T is based, and asked for the community to provide the training course last year. It helped students learn about threats and the latest techniques hackers are using as well as how to apply that knowledge to efforts such as the NIE. That way, experts can identify and react to risks better.
Col. Wiley likens that training to wargaming: It helps troops know their enemy. “The course lays out what all the known threats are, and it’s constantly updated,” he says. “That gives us a better understanding on who’s going to try to get in the network and what procedures they will be using to try to get in the network, so we can recognize them.” Soldiers on the ground see degradation in performance but might not know the origin of the problem. Rather than a system issue, the problem might be a result of a hacking attempt. Having troops more involved in the security process helps them understand attacks and how to recognize signs of one.