Assured Cross-Domain Access Through Hardware-Based Security: Sponsored Content
Connectivity is at the heart of today’s modern military operations. To conduct complex, distributed multidomain operations at speed and scale, U.S. and allied forces need seamless connectivity to enable real-time communications and high-fidelity data flows.
But the military services have wrestled for decades with the challenge of communicating and sharing data securely with each other, let alone with non-DoD partners and allies. To take a few examples:
• Personnel working on classified systems often can’t access high-threat networks like the internet;
• Personnel working on one service’s classified system generally can’t access another service’s data;
• Personnel working on their national systems can’t access allies’ networks.
In its first-ever Data Strategy, published last fall, the DoD acknowledged that it still “lacked the enterprise data management to ensure that trusted, critical data is widely available to or accessible by mission commanders, warfighters, decision makers and mission partners in a real-time, useable, secure and linked manner.”
Progress has been made. For example, intelligence and defense agencies from the Five Eyes nations have procured, supported or developed cross-domain solutions (CDSs) to enable connectivity between IT systems at different security or classification levels. However, these CDSs have historically been constrained by the level of security they have been able to deliver. Such conventional cybersecurity tools rely on threat detection and remediation, and are implemented in software. This means that they cannot be trusted to connect sensitive data to high-threat networks, nor can they successfully police/filter all of the desirable data formats that users would like to exchange.
Conventional CDSs come in two kinds. A transfer CDS moves authorized data from one network to another. An access CDS enables a user of one network to securely reach into another and interact with it in real time.
But both kinds of conventional CDS are increasingly inadequate to the challenges posed by ever-more complex coalition military operations and increasingly more capable adversaries. Such approaches might work for inter-service connectivity, but they can’t securely connect the wider spectrum of partners required for modern complex multidomain operations, like nongovernmental organizations or untrusted governments.
“The security of legacy CDS is increasingly questionable in an era of near-peer adversary capabilities,” says Henry Harrison, co-founder and chief scientist at Garrison Technology Ltd. “What’s more, the expanded reach of today’s multidomain operations means that connectivity is needed well beyond one’s own trusted networks or those of one’s trusted allies. Even historically, that broader reach has fallen outside the security envelope for legacy CDS.”
All software is vulnerable
Countering the adversary’s use of gray zone tactics and hybrid warfare requires mobilizing all elements of U.S. national power, including nonkinetic “hearts and minds” operations conducted with foreign and civil society partners.
“We’re not just talking about bullets and bombs,” says Dave “Flash” Flanagan, vice president of secure consulting at Garrison. In the expanded combat space of gray zone conflict, multidomain operations involve social media campaigns, open source intelligence collection and humanitarian projects with untrusted partners. “With such a wide range of partners, you need to be able to work with everything from your most sensitive classified environments, all the way down to Facebook, depending on the op,” explains Flanagan. “You need that access.”
The integration of cyber warfare techniques into multidomain operations, or MDOs, introduces another level of complexity to the connectivity equation. Networks, no matter how secure, might be toxic—for example if they contain repositories of malware. Toxicity is another dimension of connectivity risk that must be managed to ensure the security of protected systems.
And just as the MDO environment is becoming more complex, the threat landscape is also darkening. “You have adversaries out there (in cyberspace) who are every bit as good as we are,” says Colin McKinty, Garrison’s North America general manager.
The problem is that legacy CDS relies on software, and software is vulnerable. All software.
Indeed, some computer scientists are increasingly pessimistic about the possibility of ever being able to produce reliably secure software owing to the almost infinite flexibility of a CPU. Software-based Turing machines, the general purpose computers that power everything from laptops to washing machines, can do pretty much anything they’re programmed to, which is the source of their enormous value. And the root of their enormous vulnerability, because an attacker can program them, too—Turing machines can’t be locked down.
As software complexity grows, it becomes harder and harder to guarantee its security. Attempts to use formal software assurance processes have typically proved to be too expensive and time consuming for practical use even in security-critical use cases like CDS, and in any case would need to be applied all the way down into the hardware vendor’s proprietary microcode.
Software-based security can’t be guaranteed. “The battle for secure software, safe from attackers, has been fought and lost,” says Flanagan.
Non-Turing machines: How hardware can be made secure
But Garrison’s next-generation CDS technology relies on hardware-based security, using components like field programmable gate arrays, or FPGAs, with security logic implemented as non-Turing machines, to limit the possible behavior of its equipment. Non-Turing machines have a much more limited set of possible failure modes, as compared with the infinite possibilities of Turing-complete software. That limitation means these FPGA-based implementations cannot be exploited by an attacker in the way that software can.
“The integrity of our security enforcement function, because it’s hardware based, cannot be changed by software,” says McKinty, meaning it’s not vulnerable to malware or other software-based attacks. FPGAs are integrated circuits (microchips) that allow digital logic circuits to be programmed and reprogrammed post-manufacture. This gives them the reliability of hardware security and the reprogrammability of software. The programming is done through direct access to pins on the FPGA—a channel physically separate from the inputs and outputs of the equipment itself. By physically protecting this channel and ensuring a robust chain of trust from the manufacturer to the appliance it is possible to provide a very high level of security assurance.
The role of FPGAs as hardware guarantors of security was laid out in a 2019 paper by the likely pseudonymous Sandy Macadam. Macadam proposes they be used in conjunction with the “transform and verify” approach to data advocated by the UK’s National Cyber Security Centre, or NCSC—a part of the GCHQ intelligence agency. In “transform and verify,” data is stripped down to its basic components and verified through a non-Turing machine, before being permitted into the network. Used in this fashion, Macadam says, hardsec architecture can “provide a robust and practical platform for threat elimination.”
Garrison also uses a second hardware-based approach, employing pairs of smartphone processor chips. Silicon Assured Video Isolation, or SAVI, performs the “transform and verify” process by rendering the web as an image—raw pixels are an easily verifiable format—and uses fixed-function hardware to deliver the non-Turing-machine implementation to move it safely onto the network.
“Because we’re hardware-based, we can be trusted in environments where other access CDS products just can’t be trusted, because they’re software based, and therefore vulnerable,” says Harrison.
He adds that when it comes to modern CDS, access is critical—transfer just can’t cut it.
“Transfer solutions will always have a role, and an important one, gathering data for training AI, for example. But there’s a flattening of the data when you do that collection and centralization,” Harrison explains. “In complex, distributed multidomain operations, where you have warfighters in action at high tempo, there’s no substitute for rich, real time interactivity.”
JADC2 requires cross-domain access
Those kinds of high-tempo multidomain operations with foreshortened OODA loops are exactly the ones envisaged in DoD’s JADC2 concept of networked multidomain operations conducted at a tempo sufficient to keep the enemy off balance. But achieving the connectivity required is proving challenging.
“It’s been obvious for a while that the ‘gather all the data together’ approach wasn’t going to work,” says David Wallick, security consultant at Garrison and previously leader of the Defense Intelligence Agency’s cross-domain strategy. “And Lt. Gen. [Dennis] Crall [the three-star heading up JADC2 efforts for the Joint Chiefs of Staff] recently called the ‘standardize all the data’ approach a ‘fool’s errand.’”
The data federation approach DoD is adopting for JADC2 could be enabled by Garrison technology, Wallick says. To make the JADC2 vision a reality, warfighters “need to be able to reach across and down into any domain, or classification or toxicity level and touch the data in its native form.
“You can only do that through hardware-based threat elimination.”
Garrison’s technology, says Harrison, “is currently the only commercially available product that offers hardware-based CDS access at scale. This is the new frontier in assured cross-domain access.”
Garrison technology is deployed in networks with “tens of thousands” of users, he adds.
This enterprise-scale form factor, able to serve thousands of users, is deployed in data centers, but smaller form factors are available to support use cases with fewer users, all the way down to “top of rack” boxes supporting network/infrastructure operations and management.
“The need is clear,” says Harrison. “Real-time data that can be accessed by anyone that requires it—and this cannot be accomplished by software-based CDS alone. To do this without putting our national security systems at risk, we need innovative technology that provides provable and quantifiable high-level security assurance.”
“To fight and win on the information battlefield of today,” says Harrison, “DoD needs cross domain solutions that provide assured security and affordability. That’s what we do.”
For more information: https://www.garrison.com/en/cross-domain