With the introduction of computer systems and computer networks, there comes the dire need to protect these structures and the functions they support. Today, when we use the term, “cyber security” we begin to think about all the different aspects within the term, such as what it means and how is it applied to our technologies. In many spaces, cybersecurity means a few different things such as network hardening, secure process management, certifications and other such fascist. These are important in both the government and public sector where cybersecurity creates standards of business to maintain cyber requirements and certification levels. While such processes provide a level confidence in security, we still see significant cyber incidents. Take for example incidents in 2014 where attacks were launched against the White House computer system. The FBI, the Secret Service and other U.S intelligence agencies stated that it was, “among the most sophisticated attacks ever launched against a U.S government system” As we continue to rely on computer systems, the information they process and the functions they support expose ourselves to the greater risk as these systems become more valuable targets.
The need for computer security has increased greatly as our reliance of these systems continue to grow. We can pull a handheld computer out of our pocket that stores heavy amounts of personal data such as heart rate, schedule, contacts, search history and much more, but our reliance on computers extends far greater than just our smartphones and laptops. We see them in aircrafts where computers are taking more control of the given systems and their daily functions. Computers also support national flight patterns, communications, and the timing of thousands of flights every day. In automotive, we see cars becoming more like artificial intelligence (A.I.) where their ability to reduce the need for human interaction to operate the vehicle is becoming the new standard. We also see this same reliance in health care, law enforcement and many other industries. Computer security continues across all sectors and services where the term computer security is known as Cyber security to a large portion of the population.
Cyber security is a wide term that has been used heavily in coordination with the protection of computer systems. In many cases when speaking to different individuals about cyber security, there can be several different responses about what cyber security really means. From an IT prospective, cyber security could be a strong firewall with an intrusion detection system (IDS) located on the network, or random key generators to protect the access to the system. To a process manager, cyber security might mean Risk Management Framework (RMF) or requirements that a company must meet to fulfill their operational needs. We can use the National Security Agency (NSA) to define what cyber security means by looking at what they define institutional programs as, “National Centers of Academic Excellence.” The NSA sponsors two types of Centers of Academic Excellence (CAE) One of which is in Cyber Defense and the other is in Cyber Operations. For Cyber Defense, the agency states, “The goal of the program is to reduce vulnerability in our national information infrastructure by promoting higher education and research in cyber defense and producing professionals with cyber defense expertise.” Some of the topics included in these studies are Vulnerabilities and Risk Management, Fail Safe Defaults / Fail Secure, and Intrusion Detection Systems. These, and other topics, leads individuals or institutions that support these cyber defensive capabilities to a reactionary division within cyber security. The NSA wrote, “CAE-CD colleges and universities have educated our nation's cyber first responders.” Cyber operations, on the other hand, takes a different path. The NSA states, “The CAE-CO program is a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science, computer engineering, and/or electrical engineering disciplines, with extensive opportunities for hands-on applications via labs and exercises.” Some of the topics included in these studies are Software Reverse Engineering, Hardware Reverse Engineer, Embedded systems and Digital Forensics. These skillsets lead to an in-depth look at technology that can go unnoticed. When discussing a skillset like Hardware Reverse Engineering, we can consider taking an IOT device, such as a network router, pulling it apart, looking at all its hardware components and reversing the said router to learn how the device works. When we consider Software Reverse Engineering or Digital Forensics, we think about a malware executable that is loaded into a dissembler and then reversed to evaluate how it operates, which creates its own division within cyber security. After analyzing the two separate paths, we can look at it as two different areas of specialization: Cyber Defense (Network Hardening, Risk Management Framework, etc..) and Cyber Operations (Firmware Reversing, Malware Analysis, and Software Exploitation)
What cybersecurity is lacking today is that it doesn’t address the highly technical nature that is needed to address the needs placed on both private and government sectors. From the private sectors standpoint, we can look at major cyber events such as one in 2012 where 400,000 credit cards where published online or in 2017 where the ransomware, “WannaCry” hit over 230,000 computers in more than 150 countries which held large amounts of data unless payments were made and finally, the “NotPetya” attack that took down A.P. Møller-Maersk. Moreover, cyber operations are becoming one of the foremost concerns of the Department of Defense (DoD) stating, “The United States’ growing dependence on the cyberspace domain for nearly every essential civilian and military function makes this an urgent and unacceptable risk to the Nation.” This type of work goes unnoticed for a large amount of the population, but the efforts from major nations, such as China and Russia, are constantly on going and evolving. These said nations are expected to be behind many attacks on both private and government military systems, “China is eroding U.S. military overmatch and the Nation’s economic vitality by persistently exfiltrating sensitive information from U.S. public and private sector institutions. Russia has used cyber-enabled information operations to influence our population and challenge our democratic processes.” The Department of Defense cyberspace objectives are as follows:
1. Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;
2. Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;
3. Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
4. Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
5. Expanding DoD cyber cooperation with interagency, industry, and international partners. Cyberoperations must meet these requirements in order to keep pace with the rest of the world and what is sure to be a new war space between nations.
As stated before, nearly every military function is dependent upon cyberspace which includes cyber operations and services. In many cases, the government is ridiculed for its dated systems that are lacking advanced technical equipment for many of its mission critical applications. In an article by Business Insider, “The Pentagon still uses computer software from 1958 to manage its contracts. The U.S. nuclear missile force is known to run on 8-inch floppy disks, and spends $61 billion every year to maintain that system.” This can be a great risk for the U.S. population and its military as cyberoperations is at the heart of many of the U.S. programs that are dependent upon the firmware that operates these dated systems. In the study of Firmware Security Risks and Mitigation, Enterprise Practices and Challenges wrote, “73% respondents who did not prioritize firmware security experienced a high rate of unknown malware occurrences. in contrast, 52% of respondents who did prioritize firmware security reported at least 1 incident of malware-infected firmware infiltrating the company system.” Malware hiding within the firmware of a system is extremely dangerous as it can be unknown and undetected until a specific function is called, which can brick the hardware of a mission critical asset. This said technique was used in the Ukrainian power grid attack where serial-to-ethernet converters were bricked after malware located on the firmware had made its way onto the devices and rendered them unusable. The DoD expresses its desire to focus more on cyberoperations and these low-level systems: “Embed software and hardware expertise as a core DoD competency: To make it attractive to skilled candidates, the Department will establish a career track for computer science related specialties (including hardware engineers, software developers, and data analysts) that offers meaningful challenges, rotational billets at other Federal departments and agencies, specialized training opportunities tied to retention commitments, and the expansion of compensation incentives for the Cyber Excepted Service (CES).”
As we continue to depend on computer systems for every function across the private sector, the government, and the U.S. military, we will see our national competitors continue their attacks against our systems. We need to be sure that malware is not lurking within our dated systems so it can be used to serve a mission and save lives. Cyberoperations addresses the risks we face as a nation. Our military must create a highly technical workforce that is able to address the new attack space such as firmware, hardware and software. We can expect that cyberoperations will become essential skillsets and services that will be required across all sectors to not only continue business operations, but to protect the assets required for no failure systems.
Works Cited
Home. (n.d.). Retrieved from https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.
Cybersecurity Risk Management Framework (RMF). (n.d.). Retrieved from https://aida.mitre.org/cyber-rmf/.
Blake. (2017, March 30). The Pentagon still uses computer software from 1958 to manage its contracts. Retrieved from https://www.businessinsider.com/pentagon-computers-software-from-1958-2017-3.
Firmware Security Vulnerabilities and How to Prevent Them. (2017, September 16). Retrieved from http://solidsystemsllc.com/firmware-security/.
Greenberg, A. (2018, December 7). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Retrieved from https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
Great read Jarrod