Breaching military computer systems is not something to be embarked upon lightly as UFO hacker Gary McKinnon would undoubtedly now testify. The infamous Briton is currently awaiting possible extradition to the US for penetrating 97 computers at the US Department of Defence (DoD) and NASA, causing an alleged US$700 000 (£415 226) worth of damage.
The McKinnon incident raises two important questions. The first relates to the ethical issues behind hacking, however innocently intended the activity may be. The second is how effectively the US military had safeguarded its systems against cyberattack in the first place.
Nonetheless, it does appear that awareness of the potential threat posed by cyberespionage, cyberterrorism and cyberwarfare is growing within the US administration. Following a 60-day cyber review after a further security breach at the Federal Aviation Administration, President Obama launched a broad five-point plan in late May to try to tackle the information security issue.
The plan included the creation of a new cyberczar position to devise, co-ordinate and manage strategy across different government agencies – but such an appointment has yet to be made and at least three people are believed to have turned the position down.
The UK follows suit
In recognition of the view that IT systems now constitute critical national infrastructure, the move also spurred the UK on to announce its own cybersecurity strategy in June. This included the creation of a new Cyber Security Operations Centre (CSOC) at the Government Communications Headquarters (GCHQ) in Cheltenham to bring together experts from across government and outside in order to identify what kinds of cyber-attacks are taking place, where they come from and how best to defend against them.
It also included the setting up of a dedicated Office of Cyber Security (OCS) in the Cabinet Office to coordinate policy across government and to manage international co-operation. In an apparent splintering of responsibility, however, it was Lord Alan West, Parliamentary undersecretary for Security and Counter-Terrorism within the Home Office who launched the strategy and it is he who will add responsibility for cybersecurity to his remit.
Noticeable by its absence at the launch, meanwhile, was the Ministry of Defence (MoD). This is despite the fact that: “Protecting citizens is a fundamental function of the armed forces”, according to Taher Elgamal, chief security officer at internet security products provider Axway. “If a foreign country launches a denial-of-service attack and citizens can’t access critical resources or sensitive information leaks out, you could have a potential war situation on your hands.”
Such a stance is reinforced by Jonathan Evans, director general of intelligence agency MI5. He indicated in a speech in 2007 that, because Russia and China were increasingly supplementing traditional intelligence-gathering activities with cyberespionage in both the military and civilian domain, the issue had to be taken seriously.
One of the concerns at the moment is the lack of clarity around how the new civilian bodies will work with existing defence organisations and how much funding and manpower is likely to be put into the emerging but important cybersecurity area.
These resourcing issues are important to consider in light of the UK’s current operational and political priorities in combat areas such as Afghanistan and the forthcoming Strategic Defence Review, which is likely to lead to budget cuts in some areas.
Who’s who
At the moment the MoD has a reactive Computer Emergency Response team (CERT), which includes a number of Warning, Advice and Reporting Points, Monitoring and Reporting Centres (MRCs) and Incident Response Teams. The MRCs use pattern recognition and artificial intelligence tools to identify informatino security vulnerabilities on the MoD’s network and to establish whether any incidents are taking place.
Any nefarious activity is reported to a Joint Security Coordination Centre located at the MoD headquarters in Whitehall, London, which looks for trends and co-ordinates any response, potentially with international allies such as NATO. The Centre also passes information about any serious incidents on to high-level civil servants and Ministers. It is currently unclear however, whether MODCERT will work alongside COSC, become subordinate to it or even be disbanded.
Lack of co-ordination
Another challenge is the lack of strategic information security co-ordination between the different armed forces organisations. Anthony Franks, a retired senior intelligence officer, explains: “One of the problems the forces face is that each one has a slightly different approach to cybersecurity so there’s a lack of coherence in their response to it. As far as I know, there is still no one single, properly formed unit acting on a tri-service basis to execute military cybersecurity policy”.
Moreover, even though the government has indicated that cybersecurity is now a national priority, it has failed to appoint a US-style dedicated cybersecurity czar to take responsibility for actions across both the civilian and military areas.
“If we accept that information is power, why aren’t we getting a dedicated minister for information security to look after the UK’s intellectual property?” asks Franks. “The minister’s portfolio should include national information security strategy and they should be working with the MoD and the agencies to ensure that the services benefit from best practice. Otherwise, we’ll continue to deal with cyber-security in a piecemeal fashion and by definition, it will be disintegrated and inefficient.”
Outdated communications
Another consideration is the ageing and stovepiped nature of many MoD and armed forces’ systems, which were often built before the internet took hold and are unable to communicate easily and effectively with each other.
"Many systems were built when cyberthreats weren't so strong and some of the older ones don't have security features and controls built in." |
Howard Schmidt |
This means that data is mainly exchanged using email or other media such as USB sticks or CD-ROMs. This is not necessarily a problem in itself as the encryption of such data is now mandatory following a series of high profile data loss incidents.
An Enterprise Gateway Service has also been introduced to enable email to be exchanged with locations outside of the MoD using restricted systems. Mike Gillespie, a director at security consultancy Advent IM, warns: “This allows users to email data externally with very little in the way of control. Also more worryingly, it allows the import of data, which may be virus-infected or contrary to the MoD’s acceptable use policy.”
He adds that restrictions on information sharing are “very much based on policy controls. There’s an email size limit, but the main restriction is that users have to sign a disclaimer prior to sending any email outside of the MoD”, he says.
The matter of dealing with such ageing systems remains an important one because of the armed forces’ ever-great reliance on them, believes Howard Schmidt, who heads up industry body the Information Security Forum and who has worked in various US defence and law enforcement roles for years. A key consideration here is that the armed forces’ manpower levels have almost halved since the Cold War, despite marked increases in operational tempo.
“Many systems were built when cyberthreats weren’t so strong and some of the older ones don’t have security features and controls built in. It’s a financial issue because you can’t take them out all at once and replace them so it has to be done in an evolutionary way”, explains Schmidt, who has been tipped as a candidate for the US cybersecurity czar role.
The upshot at the moment is that much time and effort is currently being spent on monitoring such systems to establish where potential vulnerabilities lie, although the MoD is building security considerations into its Defence Information Infrastructure (DII) project from the ground up.
The information security initiative was criticised earlier this year, however, by public spending watchdog, the National Audit Office for costing £4.5 billion more than was announced to Parliament in 2006 and for being 18 months behind schedule.
"DII is trying to solve the issue of what happens if you know what you're looking for but don't know where the information is." |
Dave Freeman |
The MoD had originally said that the initiative, which is being undertaken by the Atlas Consortium led by EDS, would cost £2.3bn. But the figure has now risen to £7.09bn because the department initially only revealed the contract costs of the first phase rather than total programme costs. Such additional expenditure includes the management of any future risks, work not yet contracted for, departmental overheads and remote support services.
DII – a backbone network
As to what DII comprises, it is essentially a large backbone network that enables information to be shared between authorised users of logistics and administration systems for collaboration purposes. The DII backbone itself will consist of clusters of networks, running systems that perform similar functions and hold similar kinds of data. These network clusters will be hooked together using large routers.
The project will also involve integrating newer technology into the network and replacing more than 300 legacy systems belonging to the three armed services. For access purposes, the aim is to deliver 150 000 terminals to 300 000 users at 2000 sites, including ships and front line forces in Afghanistan. But a further goal is to index all relevant information and make it easy to find using a discovery mechanism.
Dave Freeman, consultancy director at Activity, explains: “DII is trying to solve the issue of what happens if you know what you’re looking for but don’t know where the information is.”
Third party communications
Another issue under consideration is whether to extend DII access out to other parts of government such as the Foreign and Commonwealth Office and to international allies, which includes bodies such as NATO, in order to improve the security of information exchange.
The same rationale also extends to the MoD’s communications with its supply chain. Since before the start of the millennium, the MoD has been trying to find more effective ways to work with suppliers such as British Aerospace in a bid to reduce contractual problems and cost overruns. At the moment, it develops bespoke projects to enable secure electronic data transfer between itself and large partners, but has so far not come up with a standard system to enable it to collaborate with second and third tier vendors.
“There are differences in [communications] standards and the use of some technologies, but they’re surmountable. The biggest area though is things like processes and procedures. The MoD could just send a cook book to a supplier and say ‘do it this way’, but some companies are working with 30 other organisations so it would create tension”, says Freeman.
Such issues are compounded by international legal and regulatory issues. This state of affairs means that most information is currently disseminated via relatively insecure mechanisms such as email or courier services. It should be noted, however, that DII will not be used for military operations although no single network currently exists for such activity.
Operation communications
Collaboration in the operational context also generates information security problems of its own, not least because UK forces no longer work in isolation but as part of wider international teams. At the moment, collaboration between different international forces tends to be dealt with in a specific fashion.
“You can carve up territories so you don’t have to worry about other units in the area or you can have the concept of a lead nation, which provides systems to partner organisations rather than try to exchange information between different networks. The problem is that your friend today may be your enemy tomorrow so it’s not an easy nut to crack”, Freeman explains.
An MoD spokesperson declined to comment on any of the issues raised beyond saying: “The Ministry of Defence puts significant effort into securing its computer networks against malicious or accidental attack. We constantly monitor attempts to access our key systems and take appropriate measures to protect them. However, it would not be in the interests of the UK’s national security to provide detailed information on the measures we employ.”