Ones and Heroes: A Briefing on Cyber Warfare
I. Kinetic Threat
The sweeping battlefields of cyber warfare are no place for the fearful. Thank Murphy’s Law. Any proverb assuring worst possible outcomes is bound to unnerve. Especially so, it might surprise you, in network security.
To illustrate the point, think of hacking as telekinesis, the power to seize control of an object without physical interaction. A plot device used in Hollywood science fiction, its advantage has toppled galactic empires. But apply it to the real world and the hijacking of connected devices through network security exploits (i.e., hacking), and you’ve got a screenplay on cyber attacks. If it sounds unrealistic, read the latest headlines:
- How to Hack a Military Drone (DefenseOne, 2015)
- Hackers Can Disable a Sniper Rifle — Or Change its Target (WIRED, 2015)
- Hackers Can Send Fatal Dose to Hospital Drug Pumps (WIRED, 2015)
- Hackers Remotely Kill a Jeep on the Highway — With Me In It (WIRED, 2015)
We're living in the dawn of 'kinetic cyber' where such titles, once alarmist and unfeasible, now depict clear and present danger. Kinetic cyber (i.e., a cyber attack resulting in the loss of life or destruction of critical infrastructure) illustrates the preeminence of today's cyber threat. With billions of devices and control systems online1 and the ongoing meteoric rise of the Internet of Things2, it seems to be only a matter of time until bad actors hack their way to physical destruction on a large scale.
The cyber arms race has emerged as the great national security challenge of our time. In April, columnists in The Wall Street Journal predicted events on the scale of a "Cyber 9/11" or "Cyber Pearl Harbor"3. We’ve been warned of such a crisis extensively by the media, in fact, whether in a take-down of critical infrastructure4 or the combining of a cyber attack with traditional terrorism5. Whatever the target, smart people are predicting a game-changing kinetic cyber event in our future. Some see parallels to a new cold war in which we’re fast approaching a state of mutually assured cyber-destruction6.
Regardless if this is our fate, the fact remains that the discussion is no longer confined to privacy. From connected vehicles, drones, and medical devices (e.g., pacemakers, insulin pumps), to the industrial control systems that run our nation’s critical infrastructure (e.g., power grids, nuclear plants, air traffic control systems, hospitals), all of these things share the characteristic that they can, if not secured, harm or kill you. Practically speaking, any device that shares information through a network has some level of vulnerability, a matter which poses very serious and emerging threats to an ever-connected world. The only way to be totally secure is to never connect in the first place. The very term 'cyber security' is modifier and noun made redundant by the pervasiveness of connected technology and the conflation of the virtual and physical worlds. At some point in the digital revolution we crossed a Rubicon where we met the inevitable truth that cyber security is nothing but security.
How did we arrive here? Economics. A manufacturer's logical ambition is to be first-to-market with new products. It’s a huge advantage. But this need for agility is the antithesis to a business model which values methodical designs and processes in security. Gaining a competitive advantage through speed turns the clearing of security hurdles into unpalatable propositions at best. It’s a byproduct of today's fast-paced economy, yielding products on shelves with gaping network vulnerabilities and the potential for destruction. Companies who make and sell devices don’t necessarily have the expertise to predict how someone could hack their products. Even if they did, they may not have the resources to do anything about it. It’s a paragon of cyber security going all the way back to the beginning.
As if merely an afterthought, non-kinetic cyber attacks on wealth and information are more prevalent than ever. The net impact of traditional cyber attacks is enormous to our economic welfare. Stolen identities and financial information, profitable loot to say the least, are in constant high demand on the black market. It only takes minutes within setting up its network for a company's data to be compromised. "Owned" is how Matt Vaughan would describe it. Vaughan is a senior cyber security leader at tech giant and defense contractor Leidos (ly-dose) based just outside the Washington, D.C. beltway. "If you're a small or medium sized business with little or no in-house security resources, you're going to have a hard time understanding what's coming at you and how," he said, "much less have the ability to react."
Businesses in general want information systems with maximum affordability and speed. They want networks that are, by definition, flexible and open. The whole point is to easily share information with employees, clients, and business partners—an entire notion which is, of course, the complete reverse of what someone would do if they wanted to make sure no one could access their data. Likewise, the Internet itself is inherently insecure. Its underlying architecture has continually evolved since the very beginning, and not necessarily with a thought toward security. "It's like the tax code," Vaughan explains. "It grew from a single idea, and over time we've clipped on appendage after appendage. That's how networks operate today. And they're very, very complex things to protect if that's not your core competency."
Even large companies and the federal government, entities that commit enormous resources to the protection of critical information, are far from immune to breaches in cyber security, and there's a world of data waiting to be stolen. Intellectual property, for one, is of major concern. A group that has invested millions or billions of dollars in research and development stands to lose its investment and advantage when a foreign competitor steals its intelligence.
News of a successful attack breaks daily, including the recent attack on the United States Office of Personnel Management (OPM), which compromised the private information of four million federal workers. We now know sophisticated nation state adversaries are actively working against the United States to collect data. The OPM breach illustrates the power of cyber espionage and the potential of one single attack. According to high-level intelligence sources interviewed for this article, the OPM breach only reinforced their assumption that someone already has literally every piece of information valuable to them. Their advice? Just assume you're compromised.
According to Doreen Harwood, Cyber Operations Manager at Leidos, attacks of this scale are attempted in perpetuity. What does this mean? That cyberspace is the virtual battlespace of future geopolitical conflicts. "There's a daily struggle for advantage on the Internet, where virtual proxy wars are fought thousands of times a day," she explains. "Most will never know the volume, sophistication, scope, or uniqueness of these attacks, or who is winning and losing."
Cyberspace involves a high degree of anonymity. It's asymmetric security at its core, in which your adversary could be anybody anywhere. "We see loose coalitions of groups spread worldwide acting toward a common purpose. It may not be country-to-country. These new organizations are almost akin to terrorist organizations, and perhaps more worrisome because they could reside in lots of geographic areas," according to one source.
Who are they? It depends. Nation states aren't the only ones who can find back doors. It's simply impossible to know who (e.g., a nation state, a criminal network, a lone wolf hacker) has the ability to do what, on what scale, and with what degree of motivation and sophistication. The barrier to entry is hyper low. "Any smart person with an individual cause can wreak havoc," Harwood said. "A smart, 17-year-old programmer could impact global security."
The state of affairs so far described is alarming, and important questions demand to be answered. One which is paramount is this: Are the United States and its allies serious about cyber security? Others of concern: Do we have the very best minds working on these challenges? Not just our best minds, but the best minds? Are we recruiting and training future generations of elite cyber professionals? Are we investing the appropriate resources?
II. White Hats
In the parlance of cyberspeak, the idiom 'white hat' refers to an ethical hacker (i.e., cyber security professional), whereas a "black hat" is a malicious or criminal hacker. *Michael Leiter is someone who knows both. Leiter served as director of the National Counterterrorism Center (NCTC) under Presidents Obama and George W. Bush, and is considered one of the world’s foremost experts on matters of national security. He's now head of strategy at Leidos, and he's dubious about the United States government's ability to solve the problem at hand. Instead, he sees the elite cyber firms of the private sector, like his own at Leidos, as the essential players.
The operation Leiter leads is the quintessential white hat firm. Leidos has worked with the federal government in security engineering for the past 30 years and, not surprisingly, is deep in the heart of the defense and intelligence communities supporting critical cyber operations. Leidos is one of the largest providers of integrated security offerings to the United States government and defends some of the most attacked networks in the world. Practically speaking, there’s nothing they haven't seen or are incapable of solving.
If you haven't heard of Leidos, you might know them as Science Applications International Corporation, or SAIC. The company changed its name in 2013. In this article, Leidos refers to the company both before and after the change. Today, Leidos is perhaps best known for recently winning a major contract from the Pentagon to update electronic healthcare systems for the Department of Defense.
Modern Healthcare called the multi-billion dollar program the "mother lode of IT contracts." Or ACTUV, an autonomous sea vessel (i.e., sea drone) for DARPA, which WIRED called a "bleeding-edge method of detecting quiet submarines lost under the ocean depths." Or its role in the vanguard of protecting United States borders and ports of entry with its imaging technology.
"There's no silver bullet to solving this problem," Leiter told Bloomberg Business in February, "We've put all of our data on vulnerable networks, and most of the functions in cities are becoming increasingly digital. It's going to be a long path." But he's encouraged by the emerging capabilities he sees. "The United States is remarkably good at doing forensics—identifying not only where an attack came from, but often the individuals involved, because they leave fingerprints, just like you would in any criminal act." And though forensics is just one piece of the cyber puzzle, it highlights an area of strength and a reason for hope.
Predictive analytics is another piece, and represents a leap forward from forensics. Throughout most of the cyber threat evolution, the best one could determine was if someone was hacking their network or had hacked it before. But Leidos and others have invented solutions in threat prediction and automated behavior analysis to stop attacks before they start. The bastion mentality of perimeter defense (i.e., firewalls, intrusion detection, anti-virus technology) only provides limited value over time since these defenses need to be constantly updated to keep pace with offensive capabilities. Think of it like home security. You install a deadbolt? A burglar might find a different entrance. You install an alarm system? He might find a way to disable it. The only practical way to stop a person determined to break in is to be there to catch him in the act. Using advanced analysis based on human behavior, it is now possible to forecast specific threats before they emerge. Adopting a proactive strategy allows network operators to prioritize and employ mitigation tactics, and increases capabilities without adding personnel. The cyber world doesn't discriminate between commercial and government. We're all connected.
If any firm understands the necessity of injecting security engineering processes into all aspects of the development life cycle, it's Leidos. Taking lessons it has learned being heavily embedded in commercial markets outside the intelligence space, the company feels it is able to apply that expertise across the spectrum. "The cyber world doesn't discriminate between commercial and government," Harwood explains. "We're all connected."
Within the company, cyber analysts are encouraged to learn best practices from colleagues who have invented solutions to similar problems in other markets, and its brainpower as a combined resource is famous for yielding brilliant solutions for its customers. This power of collaboration, Harwood explains, is one of the things that attracted her to the company earlier this year from a long-standing career at the National Security Agency (NSA) supporting the SIGINT and Cyber missions.
Harwood's team enables defensive and active-defense as well as Cyber.Ready. exercise support. In executing for Harwood's Intelligence and Defense customers, she says her team members are not only experts with the technology, but also with the counter-measures. Similar to military preparation of the battlefield, cyber operations consists of preparatory sessions, e.g., exercises to maximize efficiency and effectiveness of the specific operation. Leidos' Cyber.Ready. capability is pivotal in this function. It provides the means to train, test, and certify that cyber professionals are fully qualified.
Often though, Leidos develops tools and procedures on defense, solutions they can then sell to their customers in the commercial industry. It's a model called scaling, and it's a key advantage for Leidos. "We do everything at scale," Vaughan said. "And just as importantly, we're not going to push a specific product on anyone. We're going to make sure they have the best solution they can possibly have for their environment."
Operationally speaking, Leidos is one of the few companies that goes end-to-end with its solutions. With more than 1,500 cyber professionals in its work force, Leidos often manages and maintains its customers’ entire security environment so they don't have to be in the security business themselves. It's an important distinction, Vaughan explains, because "there are very few who can help with the upfront assessment, bring an offering that's an integrated set of solutions to protect business functions, and then ensure that it operates in a way that's useful, efficient, and secure. It's pretty unique."
One of the things Harwood is most proud of in her operation is that it leverages in-depth knowledge of its customer. Instead of quick fixes with only short-term benefits, her team looks for long-lasting solutions. "They're not a bridge," she said. "It's a lasting mitigation. It has depth to it, and it’s part of a larger strategy to improve national security."
Brian Russell is a systems engineer at Leidos and one of the world's top minds in cyber security for unmanned aerial systems (i.e., drones). Russell spends his days thinking about the newest and most innovative subfields in national security. The weight of the challenges he tackles every day is what attracts top minds like his to companies like Leidos.
Security engineering is his primary focus, preventing connected devices from being used to cause harm in ways most haven't even considered. His team is working, for example, on how to detect, disable, and deny airspace to drones being used to do things like smuggle narcotics over prison walls and across borders, or act as aerial Improvised Explosive Devices (IEDs) to kill airborne forces. According to Russell, small drones, extremely difficult to detect, can now carry more than ten pounds, a significant payload metric for destructive cargo. He's concerned, as another example, about one's ability to amass swarms of drones. There has been significant work, he says, in behavior coordination capabilities for these platforms. "What happens if a dozen of them are coming at you at the same time? A hundred? Then you have some really significant issues in trying to combat them."
Last year, the Federal Aviation Administration (FAA) reached out to Russell's team because they wanted to understand threats posed by small drones in the same airspace as commercial airplanes. After completing its research, Russell's team concluded there was a much broader problem regarding rogue drones, and invented a solution called Rapid Drone Interception and Interdiction (RDI2). The idea behind RDI2 is that if you could quickly detect and diagnose small drones in specific geographic areas (namely, a restricted airspace), then you could more easily take actions against them.
To make this possible, Russell explains, one must be able to identify the vulnerabilities of any particular drone at any given time. A robust and readily-available database containing key data (e.g., manufacturers, software, protocols) would allow authorities to very quickly make determinations as to what device they're dealing with and, ultimately, what action to take. The device could be steered to a safe location, for example, or rendered inoperative by using electromagnetic weaponry to fry its internal components.
His team is also working with the University of California at San Diego (UCSD) to understand what Russell calls the 'Super Bowl Scenario,' in which a heterogeneous set of drones, operated by different entities at large public events, like the Super Bowl, are used simultaneously for different purposes —anything from security checks (e.g., scanning a parking lot) to aerial videography for game coverage. But a chief concern is employing them safely and securely in a crowded environment. So Russell is working with UCSD to invent systems architecture needed to do just that. He's also involved with NASA and Unmanned Aerial System Traffic Management (i.e., air traffic control for drones), and policy-making. In a perfect world, Russell says, every drone built in the United States would have a transponder allowing military and law enforcement to take control of the device, if necessary, and that every drone would require registration.
Taking lessons learned from drones, Russell’s team applies its expertise to things like connected vehicles. "We're looking at how to enable security across all connected things from medical and manufacturing and retail and beyond. We apply what we're learning in our industry leadership roles to all the challenges our customers are facing."
Headlines are not statistics. They help us understand worst possible outcomes, but Russell contends we should remember connected devices will provide almost unimaginable benefits now and in the future. Do the benefits outweigh the risks? He thinks the answer is yes. He believes connected vehicles will decrease automobile fatalities by 90% or more in 20 years. "With connected medical systems, I can diagnose diseases in near real-time and feed your vital statistics to your healthcare provider. That's a profound benefit of connectivity, and a real reason to be optimistic. There's a dark side of that as well, but you have to take the bad with the good, with the understanding that the good is worth the price of the bad. That’s what keeps me optimistic."
Harwood believes so. Instead, she compares today's cyber challenge to the Space Race in which a flag-planting moment is achievable. "I just think it's the next great challenge," she said, "I truly think it's the next moon landing. I have no doubt there will be a technological leap somewhere on the globe. We'll put the problem in some context and someone will be able to rule the Internet. Hopefully it will be the United States that gets there first. Great minds will devise a solution to today's internet security challenges. Until then, cutting edge cyber companies like Leidos will continue to be at the forefront of thought leadership and the delivery of zero day cyber solutions."
- Danova, Tony (Oct. 2, 2013). Morgan Stanley: 75 Billion Devices Will Be Connected To The Internet Of Things By 2020. Business Insider.
- Stefan Groschupf, Datameer (June 17, 2015). Rise of the machines: The industrial Internet of Things is taking shape. Venture Beat.
- Silber, Mitchell D. and Garrie, Daniel (April 15, 2015). Guarding Against a 'Cyber 9/11'. The Wall Street Journal.
- Grobman, Steve (July 22, 2015). Out of Aspen: State of Critical Infrastructure Cybersecurity, 2015 InformationWeek.
- Rainie, Lee, Anderson, Janna, and Connolly, Jennifer (Oct. 29, 2014). Cyber Attacks Likely to Increase. PewResearchCenter.
- Sanger, David E. (June 2, 2012). Mutually Assured Cyberdestruction?. The New York Times.
*Michael Leiter worked at Leidos in various capacities from November 2014 - January 2017