>How $26 Can Buy You A Billion-Dollar Surveillance System

>

If $26 software can give our enemies on the ground access to our drone feeds and cyber warfare can inflict indefinite havoc on our critical infrastructure, we need to rethink what technological superiority means and how we keep it.

No defense system is foolproof. That’s why we build redundancy into the system and layer our defenses with “defense in depth,” so that just because the enemy infiltrates one layer, doesn’t mean that our defenses are laid bare.

When in fact, we become aware that our systems have been compromised, it is only responsible for us to re-secure them, bolster them with additional defenses, or take those systems out of commission.

It was shocking to learn this week in multiple reports in the Wall Street Journal that our UAV drones and their surveillance systems that have been so critical in our fight against terror in Iraq and Afghanistan were compromised, and the feeds intercepted by $25.95 software sold over the Internet. These feeds were found on the laptops of the very militants we were fighting against. Reportedly, we knew about this vulnerability ever since the war in Bosnia.

It is incredible to imagine our massive multi-billion dollar defense investments and technological know-how being upended by some commercial-off-the-shelf software bought online for the price of a family dinner at McDonalds. But what makes it even worse is that we knew for nearly two decades that the enemy had compromised our systems, yet we did not fix the problem.

A number of reasons have been circulated about why the necessary encryption was not added to the drones, as follows:

It would have resulted in an increase in cost to the development and deployment of the systems.

There would be a detriment to our being able to quickly share surveillance information within the U.S. military and with allies.

There was immediate battlefield need for the drones because of the immediate concern about roadside bombs and therefore there was apparently no time to address this issue.

Based on the above, one may possibly be able to understand why the Joint Chiefs “largely dismissed” the need to repair the drones’ security flaw. However, it also seems that they were overconfident. For any “Are You Smarter Than A Fifth Grader” contestant can tell you that if the enemy can see and hear what we see and hear, then they can take action to subvert our military and intelligence resources, and the critical element of surprise is gone—the mission is compromised.

Of course as civilians we are not privy to all the information that our leaders have. And one can say that if all you have are compromised drones, then those are what you must use. Nevertheless, officials interviewed by the Journal point to the hubris that influenced the decision in this situation – as the report states:

“The Pentagon assumed that local adversaries [in Iraq and Afghanistan] wouldn’t know how to exploit” the vulnerability. So, the result was that we kept building and deploying the same vulnerable systems, over a long period of time!

This is not the first time that we have both been overconfident in our technological superiority and underestimated competitors and opponents in foreign countries—with disastrous results. There are the human tragedies of Pearl Harbor and 9/11, to name just two. And then there are the economic challenges of global competition, such as in the automobile industry and overseas manufacturing in general.

And if some terrorist cells on the run can so clearly compromise our technical know-how, shouldn’t we be even more concerned about established nations who are well financed and determined to undermine our security? For example, just this week, a group calling itself the “Iranian Cyber Army” hacked and defaced Twitter and we were helpless to prevent it. Also noteworthy is that this same week, it was reported that our defense plans with respect to South Korea, including operational details, were hacked into and stolen by North Korea.

Unfortunately, however, we do not even seem to take threats from other nations as seriously as we should: As the Journal reported, “senior U.S. military officers working for the Joint Chiefs of Staff discussed the danger of Russia and China intercepting and doctoring video from the drone aircraft in 2004, but the Pentagon didn’t begin securing signals until this year.”

I am deeply respectful of our military and the men and women who put their lives on the line for our nation. It is because of that deep respect that I reach out with concern about our overconfidence that we are technologically superior, and about our dismissal and underestimation of the resolve of our enemies.

>Let’s Not Understate the Cyber Threat

>

Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:

“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”

While, I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could potentially be devastating—with or without military action.

Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”

Now think for a second, about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by cyber attack, but what elements of our lives would not be impacted? This is the case since virtually our entire civil and elements of the military infrastructure are dependent on the Internet and the computers that are connected to them. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.

The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.

Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.

While thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in responsibilities for ensuring safety and security if we thought that was it.

Further, while unpleasant as it may be, we should consider the impact in terms of potential for physical harm or loss of life in the event of a serious cyber attack?

While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.

Rep. Lamar Smith, R-Texas said “Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”

Sure, a severe and consequential attack would require ample skills, knowhow, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.

This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.

The Executive Summary in the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up, this way:

“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”

We should not and cannot understate the possible threats against our nation, but rather we need to act responsibility and rationality, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:

“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”

Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation’s central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”

On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.

>Now We All Have Skin In The Game

>

It used to be that cybersecurity was something we talked about, but took for granted. Now, we’re seeing so many articles and warnings these days about cybersecurity. I think this is more than just hype. We are at a precipice, where cyberspace is essential to each and every one of us.

Here are some recent examples of major reviews in this area:

  • The White House released its 60-days Cyberspace Policy Review on May 29, conducted under the auspices of Melissa Hathaway, the Cybersecurity Chief at the National Security Council; and the reports states: “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century…the nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat.”
  • The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th President wrote in a December 2008 report: “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration…It is a battle we are losing.”

Cyberspace is becoming a more dangerous place as the attacks against it are growing. Federal Computer Week, June 2009, summarized the threat this way:

“Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication and the U.S. defenses are not keeping up.

Reviewing the possibilities as to why this is happening: Have we dropped our guard or diverted resources or knowhow away from cybersecurity in a tight budgetary environment and now have to course correct? Or, have our adversaries become more threatening and more dangerous to us?

I believe that the answer is neither. While our enemies continue to gain in sophistication, they have always been tenacious against us and our determination has never wavered to overcome those who would threaten our freedoms and nation. So what has happened?

In my view the shift has to do with our realization that technology and cyberspace have become more and more vital to us and underpins everything we do–so that we would be devastated by any serious disruption. As the Cyberspace Policy Review states definitively: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S economy, civil infrastructure, public safety, and national security.”

We rely on cyberspace in every facet of our lives, and quite honestly, most would be lost without the connectivity, communications, commerce, productivity, and pleasure we derive from it each and every day.

The result is that we now have some serious “skin in the game”. We have something to lose–things that we deeply care about. Thus, we fear for our safety and survival should something bad happen. We think consciously or subconsciously how would we survive without the technology, Internet, and global communications that we have come to depend upon.

Let’s think for a second:

What if cyberspace was taken down or otherwise manipulated or controlled by hostile nation states, terrorists, or criminals?

Would there be a breakdown in our ability to communicate, share information, and learn? Would there be interruptions to daily life activities, disruptions to commerce, finance, medicine and so forth, concerns about physical safety or “accidents”, risks to critical infrastructure, and jeopardy to our ability to effectively protect ourselves and country?

The point here is not to scare, but to awaken to the new realities of cyberspace and technology dependence.

Safeguarding cyberspace isn’t a virtual reality game. Cyberspace has physical reality and implications for all of us if we don’t protect it. Cyberspace if a critical national asset, and we had better start treating it as such if we don’t want our fear to materialize.

>Cyber Warfare and Enterprise Architecture

>

Security is a cross-cutting perspective in Enterprise Architecture, but I treat it as its own EA perspective because of its importance. And this is especially true in a law enforcement and defense readiness organization.

While security in EA is generally of a defensive nature, we must remember that as a nation, we must be ready to not only defend ourselves, but also to launch offensive operations and take out the enemy.

According to Military Information Technology Magazine, 9 April 2008, in an interview with Major General William T. Lord, the Department of Defense is standing up a new Cyberspace Command in the U.S. Air Force.

Why do we need this new Cyberspace Command?

There are many threats to us that emanate from cyberspace that include:

  • Cyber-criminals—looking to steal your identity or your money
  • Cyber-terrorists—“wants to disrupt, dissuade, or deter us from doing something
  • Nation States—“some of which are out to interrupt U.S. interests anywhere in the world.”

Cyberspace is a dangerous place, especially if you’re DoD; they “get about 3 million attempted penetrations” a day!

This is why defense in depth is so important, so that if an enemy manages to get through the perimeter of our network security, we can still stop them at the second or third tiers of our defensive capabilities.

In terms of offensive capabilities, sometimes you have to take the battle to the enemy. At times, it is necessary to “disrupt an enemy prior to the conduct of kinetic combat operations, [so] that the enemy could not figure out what its command and control system was, had false data, could not see an attacking force, and was making decisions based on information systems that been manipulated in advance of combat operations.”

To architect the defensive and offensive cyberspace capabilities necessary to combat our enemies, it is imperative to continuously build information sharing and partnership between the parties involved, such as the Departments of Defense, Homeland Security, Justice and the Director of National Intelligence. This is a core tenet of user-centric EA.

Just as we invest in the latest and greatest kinetic weapons to defeat our enemies, we must also invest in non-kinetic weapons including “our electronic warfare, space systems, and cyber-systems. As Major General Lord, stated: “it’s not always about destroying things, but about changing behavior, so that an enemy concludes that the costs of whatever they had in mind is too great and will stop. [Then again,] sometimes you have to be able to whack somebody in the nose.”

>Doomsday and Enterprise Architecture

>

Enterprise architecture is about planning and transitioning from the baseline to the target state.

However, as architects, there are times when we need to plan for the worst and hope for the best, as the saying goes.

As the price of oil has reached and exceeded $100 a barrel and significant new findings of oil are becoming a rarity, some people are starting to get nervous and are planning for a day when oil will be scarce, pricey, and society as we have come to know will cease to exist. Yikes, doomsday!

Are these people simply uninformed, pessimists, or non-believers that technological progress will outpace the demands we are placing on this planet’s resources?

The Wall Street Journal, 26 January 2008, reports about everyday people, like the Aaron Wissner in Middleville, Michigan, a school computer teacher with a wife and infant son, who became “peak-oil aware.” This term refers to his “embracing the theory that world’s oil production is about to peak.

These people fear the worst; “Oil supplies are dwindling just as world demand soars. The result: oil prices ‘will skyrocket, oil dependent economies will crumble, and resource wars will explode.’” Mr. Wissner’s forebodings include, “banks faltering” and “food running out.”

And they believe that we cannot stop this from happening. “no techno-fix was going to save us. Electric cars, biodiesel, nuclear power, wind and solar—none of it will cushion the blow.”

So Mr. Wissner and his family are preparing and transitioning themselves for the worst, they “tripled the size of his garden…stacked bags of rice in his new pantry, stashed gold…and doubled the size of his propane tank.”

According to the article there are thousands of people that adhere to the peak-oil theory.

Of course, there are many doomsday scenarios out there that end in war, famine, disease, and so on. During the cold war, people built bomb shelters in their back yards, and school children had drills hiding under their desks. These days, many fear that globalization will drive this country to economic ruin. Al Gore and other environmentalists espouse the global warming theory. And since 9/11, fears are heightened about terrorists hitting us with nuclear, biological, chemical, or radiological agents. Even Hollywood has entered the fray with movies such as Armageddon about meteors hitting the Earth or The Day After Tomorrow with the greenhouse effect sending us back to the ice-age.

Whether you adhere with any of these various doomsday scenarios or visions of the future (their believed target architecture, not necessarily their desired one) and how they are preparing (transitioning) to it or you think they are just a bunch of nut-balls, it seems important as an enterprise architect to recognize that targets are not always rosy pictures of growth and prosperity for an organization, and the transition plans are not always a welcome and forward movement. Sometimes as architects, we must plan for the worst–hoping, of course that it never comes–but never-the-less preparing, the best we can. As architects, we don’t have to put all the enterprise’s eggs in one basket. We can weigh the odds and invest accordingly in different scenarios. Our organization’s resources are limited, so we must allocate resources carefully and with forethought. Of course, no architecture can save us from every catastrophe.

>Fire Sale Attack and Enterprise Architecture

>

Fire Sale─“Matt Farrell (Justin Long), a character in the movie Live Free or Die Hard, used this term to describe the plot by Thomas Gabriel (Timothy Olyphant) to systematically shut down the United States computer infrastructure. The plan crashes the stock market, communications and utilities infrastructure, crippling America’s economy and causing nation-wide chaos. The term was coined because of the phrase “everything must go” meaning all of the world’s technology based off of a computer system, virtually everything.” (Wikipedia)

The New York Times, 4 June 2007, in an article titled, “When Computers Attacks,” states how governments are preparing for the worst in terms of cyber attacks.

Anyone who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect.”

What systems are at risk?

All computers are at risk that connect “to the Internet through the industrial remote-control technologies known as Scada systems, for Supervisory Control and Data Acquisition. The technology allows remote monitoring and control of operations like manufacturing production lines and civil works projects like dams. So security experts envision terrorists at a keyboard remotely shutting down factory floors or opening a dam’s floodgates to devastate cities downstream.

But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all? Whatever the answer, governments are readying themselves for the Big One.

For example, “China, security experts believe, has long probed United States networks.Congress, China’s military has invested heavily in electronic countermeasures and defenses against attack, and concepts like “computer network attack, computer network defense and computer network exploitation.” According to a 2007 Defense Department annual report to

What are we doing?

The United States is arming up, as well. Robert Elder, commander of the Air Force Cyberspace Command, told reporters in Washington at a recent breakfast that his newly formed command, which defends military data, communications and control networks, is learning how to disable an opponent’s computer networks and crash its databases.

How serious is the threat of cyber attack?

An all-out cyberconflict could ‘could have huge impacts,’ said Danny McPherson, an expert with Arbor Networks. Hacking into industrial control systems, he said, could be ‘a very real threat.’”

Is our nation’s architecture prepared to secure our enterprises and this country from a fire sale-type or other cyber terrorism attacks? Here are some actions that have been taken based on a CRS Report for Congress on “Computer Attacks and Cyber Terrorism” (17 October 2003)

  • In 2002, The Federal Information Management Security Act (FISMA) was enacted giving the office of OMB responsibility for coordinating information security and standards developed by civilian federal agencies.
  • In 2003, The National Strategy to Secure Cyberspace was published by the administration to encourage the private sector to improve computer security for critical infrastructure.
  • DHS has established the National Cyber Security Division (NSCD) to oversee the Cyber Security National Tracking and Response Center to conduct analysis of threats and vulnerabilities, issue alerts and warnings, improve information sharing, and respond to major cyber security incidents.
  • The Cyber Warning and Information Network (CWIN) is an early warning system for cyber attacks.
  • In 2003, there was established a new Terrorist Threat Integration Center (TTIC) to monitor and analyze threat information (composed of CIA, FBI, DOD, DHS, and Department of State officials)

Additionally, “The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERThttp://www.us-cert.gov/) coordinates defense against and responses to cyber attacks across the nation.

According to the CRS Report For Congress, in July 2002, The U.S. Naval War College hosted a three day seminar style war game called ‘Digital Pearl Harbor;” 79% of participants believed that a strategic cyber attack was likely within 2 years.

While the dreaded cyber attack did not occur as feared by the war game participants, the scenario of a devastating cyber attack remain a real possibility that we must be prepared to confront and defeat.

As in the movie Live Free or Die Hard, a major cyber attack on this country could quickly bring us to our knees, if successful. We have become a nation born and bred on computers and automation. I challenge you to think of many things that you do that does not in some way involve these. We have formed a day-to-day dependency on all things computers, as individuals and as a nation.

In our enterprise architecture, we must continue to focus on comprehensive security frameworks for our organizations that address technical, managerial, and operational security areas. While the Federal Enterprise Architecture treats Security as a cross-cutting area, I believe that Security should be its own perspective (even though it crosses all domains), so that it can be given focus as an area that each and every agency and organization addresses. We must do more than create alerts, warning, and reporting capabilities. We need both “computer vaccines” that can quickly cure and rid us from the encroachment of a cyber attack, as well as hunter-killer offensive capabilities that can paralyze any warring nation or terrorist organization that would dare to attack us.

I remember hearing a saying that once something is created, it is bound to eventually be used. So it was with the atomic bomb. So it will be with cyber warfare, and we must be prepared to defend this nation.