IoT Rewards to Outweigh Risks for NSA
The Internet of Things both requires and enhances cybersecurity.
Where some see challenges, others see opportunities. It sounds like a motivational poster, but that is exactly how researchers at the National Security Agency view the Internet of Things, or the IoT.
“We approach IoT a little differently than everybody else. Everybody’s talking about all the security problems. That’s certainly fair, but we look at IoT as an opportunity in terms of the security goals we can accomplish,” says George Coker, chief, Information Assurance Research Group, National Security Agency (NSA).
He describes a paradox of sorts in which the IoT can help the agency achieve its security goals but first may need to be made more secure. “We need to always look at emerging technologies and understand what mission value they provide and also what security requirements we need to meet in order to follow through on that mission value,” Coker suggests.
He cites multifactor authentication as one example. “We think there’s quite a bit of value in using IoT-like capabilities to further enhance and create not only better fidelity for the enterprise in terms of multifactor authentication but greater ease of use. There’s a high potential payoff for IoT because both the enterprise and the user have significant pains in the experience and management of multifactor authentication,” Coker explains.
The NSA’s Information Assurance Research Group touts its Secure Wearable Authentication Gear (SWAG) project as a potential replacement for the ubiquitous password. SWAG offers a frictionless, wristband-based system to ensure and confirm a user’s identity, according to an NSA webpage. “Wearable technology will use cryptography to replace vulnerable passwords with a simple tap, and a proximity monitor will automatically lock the system when the user leaves the vicinity. On the whole, SWAG will position the U.S. Department of Defense to make the most of capabilities inherent in the Internet of Things,” the webpage states.
Coker indicates that SWAG is rooted in a program from about a decade ago known as Sentient Office. In some ways, he shares, the NSA research group was exploring IoT-type capabilities and technologies before the IoT concept really began to take off. “Ten-plus years ago—well before wireless networking at the enterprise level was mainstream—we were trying to understand how we could do IoT-like enabling of the office environment for security. The problem was that the networks weren’t there to support all of the wireless distributed sensors and sense making,” Coker says. “Now we are revisiting parts of it with this effort we call SWAG, which is our IoT multifactor approach to authentication.”
The agency’s prescient forays into IoT-like research included a host of other emerging technologies. “We were definitely experimenting with ad hoc mesh networking and trying to understand if we could attach this wireless sensor to other devices and get a more comprehensive picture of the office environment,” Coker reports. The technologies included facial recognition and gait analysis to identify someone by the way he or she walks. The agency also was researching intrusion detection systems and virtual private networks before they became commonplace.
“Those were things that 30-plus years ago were not mainstream capabilities, and today everybody has networks in their homes as well as in their enterprises at work. We’re often looking at how we can structure solutions out of the same types of components that are commonly used everywhere and then understanding where we need to add value for national security customers,” Coker relates.
Recent advances in wearable technologies mean that the time is finally right for SWAG. The cloud, wireless infrastructure, miniaturization, capability consolidation and advances in back-end computing power helped make SWAG possible. “That was something very hard to achieve 10, 15 years ago,” he states.
The recent revelation that wearable technologies, such as Fitbit, have led to the disclosure of classified military locations around the world raises no concerns for the SWAG project, Coker assures. “We continue to try to understand how we can protect these devices against known as well as unknown threats. That is a challenge,” he acknowledges. “You have to design your architecture and your approach to the system to try to understand how components are vulnerable today and how components might become vulnerable in the future.”
Multifactor authentication is part of the NSA’s solution to the insider threat, which has plagued the intelligence community since former NSA contractor Edward Snowden’s 2013 leak of classified information. But the capability needs to be improved. “If we can create a more fluid experience in multifactor authentication as well as create a more robust experience, we’re going to be able to better meet those kinds of security goals, and that will definitely help with the insider threat problem,” Coker asserts.
Efforts to counter the insider threat include two closely related internal NSA programs initiated in the wake of the Snowden scandal: Secure the Enterprise and Secure the Net. The latter effort was criticized in a 2016 Defense Department inspector general’s report. The report essentially found that the NSA had not fully carried out each of the steps required under the Secure the Net initiative. But Coker indicates that both Secure the Enterprise and Secure the Net help guard against insider misbehavior. “STE and STN, as they’re known internally, are really all about how we can make good on efforts to address the insider threat,” he says. Coker reports that his research team is actively supporting the initiatives and adds that a “whole system of mitigations come together to create a consolidated, secure approach to dealing with the insider threat.”
The NSA’s challenges-vs.-opportunities attitude toward the IoT includes other emerging technologies, such as software-defined networking (SDN). “Software-defined networking has a lot of potential, but I don’t think we’ve been able to really harness it as well at scale,” Coker asserts. “We’re looking at how we can bolster the security of the components that you build SDN architectures out of and also which SDN architectures work best for national security systems.”
Cyber autonomy is another technology of interest for the agency. “Today, responding to threats on the network is a challenge, so we’re trying to understand how we can use autonomous systems to marshal effective responses for cyber defense,” he says.
Coker also emphasizes contributions his research group has made to open source technologies. For example, it has provided two software analysis tools—Cryptol and the Software Analysis Workbench—now widely used outside of the NSA. Software analysis is valuable not just for national security but also for industry. “We’re constantly pleased and amazed when others find new uses and tremendous value in the things we contribute to the community,” he offers. The agency supports software assurance communities and continues to focus on software analysis tools that ultimately result in higher-quality software.
Additionally, the agency has introduced two lightweight cryptographic ciphers known as SIMON and SPECK to the public. “They’re in response to what we see as unique gaps in IoT and other resource-constrained applications, such as radio-frequency identification,” Coker elaborates. “Those are parts of the commercial ecosystem where there is common recognition that the security bar is not quite high enough, so we’ve introduced those to raise the bar for security in those platforms.”
Other NSA open source contributions include Security-Enhanced Linux and Security-Enhanced Linux in Android, which support access-control security policies. “With those systems, you can use security policies to limit the scope of what any one user can do—even privileged users. I think we’re going to see more of those kinds of approaches to system hardening become mainstream and common as people try to better consolidate their approaches to the insider threat,” Coker predicts.
He also emphasizes the research group’s role in cyber resiliency of networks, enterprises and weapon systems. “That is a concept where today enterprises and networks are constantly changing. They’re complex. Adversaries are more determined than ever, so we realize that customers need the ability to persevere and for the systems and networks to adapt and respond in the face of a determined adversary,” Coker states.
The NSA’s Information Assurance Research Group has gone by a number of different names, and its core areas of research have evolved over the years. Those core areas currently include operating systems, network and hardware security, software analysis, software architecture and system design, and, of course, cyber operations and cryptographic systems, including quantum cryptography research.
The primary mission is to support the agency’s deputy national manager for national security systems, Marianne Bailey, by innovating and researching new technologies to reduce risks to U.S. security systems. Ultimately, the group’s mission is all about cybersecurity and science. Coker mentions the agency’s Science of Security Initiative, which promotes foundational cybersecurity.
“We’re very much about a scientific approach to cybersecurity, and we think that is how we’re going to make progress now and in the future. We’re trying to build all of our work on scientific foundations, and that’s going to help us get tremendous scaling and discipline in cybersecurity going forward,” Coker concludes.