While the threat of hacking is a large enough headache for the likes of banks, online retailers and ISPs, for the defence sector, it represents a nightmare on an unprecedented scale. As one cyber security consultant puts it, “hacks are a probabilistic certainty – it’s not a case of if, so much as when”.
The long list of defence data losses to date more than proves the point. User logins from the UK MoD’s business networking organisation Niteworks, information from the Swiss state-owned defence contractor RUAG and even details of the F-35 – the most expensive weapons system ever built – have all ended up in the public domain.
In August, another was added to the roll, as the story emerged in The Australian of a massive data breach – said to run to some 22,400 pages – that had exposed highly classified information about the Scorpene class submarine from French shipbuilders DCNS.
Said to be one of the most advanced and stealthiest vessels of its kind, the Scorpene is already in service with Chile and Malaysia, while the first of six being built for India – INS Kalvari – concluded final sea trials in September, and Brazil expects the first of four in 2018. For all of these nations, the leak is a major security risk, lifting the lid on the frequencies these vessels use for intelligence-gathering, their noise levels at different speeds, their diving depths, range and endurance, along with magnetic, electromagnetic and infra-red data, details of the torpedo launchers and combat system.
As the dust settles on the Scorpene leak, leaving DCNS embarrassed, India fuming, Australia concerned over its own recent order for French Shortfin Barracudas and some in the US asking if they really should be supplying ‘foreign’ subs with American combat systems, one big question remains. How can defence contractors and governments protect sensitive material and keep it from being stolen?
Stephen Gates, chief research intelligence analyst at security specialists NSFOCUS, says that understanding the mind, methods and motivations behind the hack is vital, in just the same way as knowing what lies behind a crime can often help police officers to solve it.
“Any organisation that houses sensitive data needs to ask themselves, 'if I were a hacker, how would I gain access to the very data we are trying to protect?',” Gates says.
Part of the answer to that seems to be by taking advantage of the growing complexity of the systems that hold it. According to Michael Callahan, vice president at security management company FireMon, with the defence sector ever more reliant on huge amounts of varying kinds of sensitive data, this mounting sophistication provides major opportunities for hackers to exploit.
“If the environment is simple and easy to manage and understand, you’d have fewer issues of theft of sensitive data. Complexity will only increase, and the problem will not go away,” Callahan says. “I’d focus on the right security management tools that give a comprehensive view of the infrastructure and focus on the people aspect so everyone knows it’s their responsibility to maintain security.”
Gates goes even further, suggesting that every single device – everything from computers and smartphones to security appliances and network gear – that has ever been connected to the internet, no matter how briefly, should be regarded as suspect and viewed as a potential threat. He says they should never be trusted and in consequence, nothing internet-connected should be allowed to access sensitive data – ever.
“Any device that has had internet access in the past, or currently has internet access, is completely capable of infecting any other device, and can being used to steal your data,” says Gates. “Think like a hacker and don’t trust anything.”
He advocates deploying every possible defensive measure between any such questionable devices and the data to be protected, and if an airgap – total physical separation from the internet – cannot be installed around computers that store highly sensitive data, then that data must be segmented from as many devices as possible. Segmenting the network in this way into multiple zones, with varying levels of security and access, and a rigorous rule-set governing what is allowed to move between them, means those who need access to sensitive data can get it, those who do not cannot, and the reach of any unauthorised intrusion is minimised.
It is clearly sound advice. It seems that although the computer that held the classified Scorpene data had no direct internet connection itself, it was networked to a compromised device within the same facility that did.
However, as Callahan explains, the danger can come from anywhere, and in many different forms. There are technical attacks, using exploits of both known but unplugged and previously unknown vulnerabilities, personal thefts where someone with access takes information and socially engineered breaches, which trick personnel into allowing access to sensitive data.
Who and why?
In addition to knowing the ‘how’ of the attack, Gates says that it is also important to understand the ‘who’ and the ‘why’. “The biggest threat comes from the hackers who have the greatest motivation,” he warns. “Everyone must evaluate the motivations that could likely drive someone to attack you. Then you’ll understand the biggest threat your organisation faces.”
Unfortunately defence contractors are potential prey for all three of the main motives behind cyber attacks – spying by state-sponsored agents, extortion by organised criminal groups and notoriety, protest or vendetta by lone wolves and hacktivists. Although there are ways the sector can tighten up security across the board, there is no real one-size-fits-all solution to counter the range of threats it faces.
Callahan points out that firewalls, for instance, remain the most critical defence tool since almost all traffic has to flow through them, making effective security/firewall management tools an essential element in securing sensitive information. “However, there is not much to be done if someone with access downloads data that they have rights to, and walks it out the door,” Callahan says.
Asymmetric arms race
In many respects, it is the ultimate in asymmetric warfare, where the defence sector must aim for the impossible target of 100% perpetual and perfect security, while all the other side needs is a laptop, an internet connection and to get lucky just once. Gates likens it to a game of whack-a-mole, where as fast as one vector of attack is closed off, another one surfaces somewhere else – a kind of cyber arms race in which one side temporarily gains the upper hand before the other closes the gap.
So is it time to stop pretending that data can ever be entirely secure, any more than every bank-vault can be impregnable or every prison escape-proof? Probably; defence secrets are simply too tempting a target and over the coming years, more leaks must surely remain a “probabilistic certainty”, but Gates says no system is perfect and now is not the time to throw in the towel.
“If we can get just one step closer every day to keeping our networks up and running and our data secure, then we have achieved our goals. The other option is to go back to punch cards, fax machines, hard copies sent in the mail, or carrier pigeon,” he says. “All of them had their issues too.”