Pragmatic Security for Homeland, National Security
Tuesday, February 2, 2010
by David Kahn
Policies meant to provide perfect data security prevent deployment of systems with sufficient security
The national and international media recently broke the news that video found on an Iraqi insurgent’s computer proved that our enemies are intercepting video feeds from US drones. All it took was a $25.95 program created by a Russian company to view the unencrypted downlinks.
US satellite networks prevented unauthorized access to their video transmissions years ago by encrypting their feeds. The US military has not.
Sources within the US military and Department of Defense have indicated that the problem is being dealt with, but they have not provided details on efforts to encrypt the drone video. Given the amount of infrastructure modification required, it will take a long time.
Whoever decided that the drone video feed data would be unencrypted understood the risk that our enemies could access the data. The only explanation as to why they would tolerate that risk is that they believed that there was no better alternative. They were probably right.
How we protect our information assets
The US has implemented four practices with the goal of providing 100 percent assured protection of our information assets.
First, people who handle classified information must be rigorously vetted and routinely re-vetted. Second, hardware and software must go through intensive testing before being allowed to handle classified information. Third, classified information should not be accessible through public networks. Fourth, we must never let our encryption technologies fall into the hands of our enemies.
There’s wisdom in these policies. Unfortunately, all four have unintended consequences that have opened information security holes.
It is time-consuming and expensive to conduct the background checks required for security clearances. Moreover, personnel with security clearances generally command salaries 20 percent or more above those of their un-cleared peers. Security clearances are precious, and few military personnel have them. Marking the drone videos as classified would have made them inaccessible to many personnel who needed to view them.
Congress has passed laws such as the Federal Information Security Management Act (FISMA) of 2002 which provides strict guidelines for Information Assurance. The Department of Defense has created the DoD Information Assurance Certification and Accreditation Process (DIACAP) to comply with FISMA.
Secure information systems always contain encryption, which must be reviewed separately. This review process has been defined by the National Institute of Standards and Technology (NIST) division of the Department of Commerce. The National Security Agency (NSA) has an Information Assurance review process, as does the National Reconnaissance Office (NRO) and a plethora of other agencies. The net result is that it costs millions of dollars and usually takes years to implement a secure information system. If a company is not already a defense contractor working on an existing contract, they have to commit, up-front, huge sums of money and personnel to navigate confounding Information Assurance processes from multiple agencies. Few try.
The sad truth is that even with these certification processes, systems remain vulnerable. Brute-forcing a properly generated Advanced Encryption Standard (AES) key is computationally infeasible. However, cryptographic keys are not always well protected, and users still choose shockingly predictable passwords, even when those passwords conform to enforced complexity rules. The federal government’s solution has been to create separate networks not reachable from the Internet, such as the Secret Internet Protocol Router Network (SIPRNet), to carry secret data, while requiring personnel to authenticate to these networks with hardware tokens carrying PKI certificates.
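The point that complexity rules do not make passwords unpredictable can be shown concretely. The following is an added example, not code from the article or from the author: it checks a candidate password against a typical "three of four character classes" policy, then plays the attacker, deriving a key from each entry of a small mangled wordlist until the victim's derived key is matched. The wordlist, mangling rules, salt and the use of PBKDF2-HMAC-SHA256 as the key-derivation stand-in are all assumptions constructed for this example.

```python
import hashlib
import re
from itertools import product

# Constructed for this example: a tiny stand-in for the multi-million-entry
# wordlists attackers actually use.
BASE_WORDS = ["password", "welcome", "letmein", "summer", "dragon", "qwerty"]

# Substitutions users apply to satisfy "must contain a digit or symbol" rules.
LEET_OUT = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "1!", "2010", "2010!"]


def meets_complexity_policy(pw, min_len=8):
    """A typical enforced policy: at least min_len characters and three of
    four character classes (lower, upper, digit, symbol)."""
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(pw) >= min_len and classes >= 3


def candidates():
    """Attacker's guess list: base word x capitalization x leetspeak x suffix.
    6 words x 2 x 2 x 7 suffixes = 168 candidates."""
    for word, cap, leet, suffix in product(BASE_WORDS, (False, True), (False, True), SUFFIXES):
        w = word.capitalize() if cap else word
        if leet:
            w = w.translate(LEET_OUT)
        yield w + suffix


def derive_key(password, salt, iterations=1000):
    """Password-based key derivation (PBKDF2-HMAC-SHA256), standing in for
    whatever a real system uses to turn a password into an AES key. The
    iteration count is kept low so the example runs quickly; a higher count
    slows the attacker linearly but does not rescue a tiny candidate space."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=16)


def recover_key(salt, target_key):
    """Attacker side: derive a key from every mangled dictionary word and
    compare it with the victim's key. Returns the recovered password or None."""
    for pw in candidates():
        if derive_key(pw, salt) == target_key:
            return pw
    return None


def demo(password):
    """Victim derives a key from `password`; attacker tries to recover it."""
    salt = b"constructed-fixed-salt"  # assumed known to the attacker, as salts are
    key = derive_key(password, salt)
    return {
        "policy_ok": meets_complexity_policy(password),
        "candidates_tried": sum(1 for _ in candidates()),
        "recovered": recover_key(salt, key),
    }


if __name__ == "__main__":
    # Passes the complexity policy, yet is a mangled dictionary word: recovered.
    print(demo("P@$$w0rd1!"))
    # Passes the same policy, but is outside any small candidate space: not recovered.
    print(demo("xq7#Lp2!mZ9v"))
```

Both passwords satisfy the policy; the difference between "recovered in 168 guesses" and "not recovered" is predictability, not the cipher. This is why the weak link in a certified system is usually key management and human choice rather than AES.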
Unfortunately, few mobile devices exist that can access the SIPRNet. Moreover, the few that exist must always be in the possession of personnel with security clearances, which rules out most soldiers. Because mobile devices risk capture by our enemies, they contain tamper-resistant hardware holding Public Key Infrastructure (PKI) keys and certificates, designed to resist reverse engineering. By and large, such hardware is only available in expensive MIL-SPEC devices.
The world has changed, so must the rules
In order to get their mission done, personnel bend existing Information Assurance rules. It is better to get important information through on an unencrypted channel (e.g., the drone video that caused the brouhaha in December 2009) than not at all.
Early in the Iraq war, US soldiers started using toy remote controlled vehicles as bomb detectors. Since then, the use of drones and other robotic devices has increased exponentially, saving the lives of innumerable US soldiers. Each must be remotely controlled and often downloads video and other telemetry. Multiple companies build them, and there has been little standardization.
The Economist recently reported many ways that the “Military Consumer Complex” has provided outstanding capabilities far sooner and at a small fraction of the cost of systems developed for our military. Smart phones and ever smaller mobile devices originally built for consumer use can provide our field personnel with communications and tactical information that could enhance their mission capabilities and help save lives.
Many soldiers, police officers, and emergency responders are “digital natives” who, when their official equipment lacks features they need or want, such as GPS, maps, street views, weather and text messaging, routinely use their personal smart phones. This has opened gaping security holes and has allowed our enemies to determine the location of US personnel by tapping the unencrypted cellular back channel.
We can no longer assume secure networks in which all hardware is continuously controlled and managed by our forces. The US military and homeland security work with partners. Some will be long-term partners such as the British and Canadian forces, while others will be less trustworthy local militaries, police forces, and militias. We need to share data, at least temporarily, with partners who have varying levels of technology and whose trustworthiness is questionable.
Where do we go from here
Going to war always challenges our assumptions. One assumption that urgently needs to be revisited is whether it is necessary, or wise, to impose Information Assurance requirements and procedures that made eminent sense when our enemy was the Soviet Union. Back then, we faced a large and technically sophisticated nation that had the will and means to penetrate the smallest crack in our information protection. Our current enemies lack the skill and resources to mount the large-scale attacks that DIACAP and NIST reviews were meant to protect against.
Bureaucracies follow the path of least resistance, which typically means perpetuating existing practices. It will take imagination, energy, and persistence to rethink our Information Assurance procedures so they have the flexibility to quickly get useful devices out in the field while protecting our critical data.
Here are changes we should consider:
- It is not always necessary to have perfect information security. If our enemy lacks the skill or resources to defeat a less secure but more readily available form of protection, we should allow those systems to be used. If the lifetime of sensitive data is short, as is often the case in tactical situations, we need only protect the data for the duration of the mission;
- Consumer devices offer amazing capabilities that could be of great use to our emergency responders and soldiers. While they may not be completely secure, Information Assurance personnel need procedures to determine, in cooperation with end-users, if the benefits outweigh the risks;
- If our emergency responders or soldiers want a device because it will help them with their mission, the default security assumption should be that it is acceptable to use, rather than it is not;
- If a device is being used to transmit sensitive data, we need a fast review process to confirm that the device’s security is not obviously flawed;
- Divisions of the DoD have developed effective procedures for developing and reviewing secure systems. Releasing them to the commercial world and encouraging their use would enhance rather than degrade the country’s information security;
- We urgently need methods to retrofit existing devices to provide improved, but perhaps not perfect, information security. There already are software implementations that could greatly increase the security of the smart phones our emergency responders and soldiers are already using in the field. But they are not being deployed because they are not perfect. Let’s make these phones safer and worry about perfect in the future.
The purpose of this review is not to criticize our efforts to protect data, but to suggest that our Information Assurance procedures need to be updated: our enemies have become smaller and less sophisticated, and the devices coming out of the Military Consumer Complex have become critical to our emergency response and war effort. Data security practitioners largely recognize this need. It is time to do what we know is right.
David Kahn is CEO of Covia Labs, a pioneer in developing software platforms for unifying communications and interoperability for the US military and local law enforcement and other first responders. David is committed to making any and all devices, from cell phones to helicopters, work together simply and seamlessly. David holds a BS in Physics from the Rensselaer Polytechnic Institute, an MS in Nuclear Science and Engineering from Carnegie-Mellon University, and an MBA from Stanford University.

