The DOD Has Its Head in the Clouds

The future of warfare is happening in cyberspace.  State and non-state actors consider assets within the United States federal government, including critical infrastructure and the military, the holy grail of cyber targets.  The United States Department of Defense (DOD), along with other agencies, is responsible for protecting the homeland and U.S. interests from those attacks, including DOD networks, systems, and information; critical infrastructure; the private sector; and other agencies within the federal government. Most of these assets are heavily dependent on information technology systems and network operations, for everything from complex mathematical calculations in navigation systems, to controlling the electrical grid, to storing a plethora of sensitive data. The Department of Defense spends roughly $38 billion a year on information technology alone, supporting two million users and 10,000 operational systems [1].

The definition of cyberwarfare differs depending on which entity is asked, but most agree that it means using information technology as a weapon against an adversary.  Cyber-attacks can cause damage that is physical or electrical.  Cyber warfare can also include cyber espionage (or cyber infiltration), in which networks are penetrated and information is stolen for use in politics, economics, or military strategy [2], or the information is destroyed, manipulated, or altered [3].  Malicious users can also manipulate the software within systems, which may be controlled, copied, damaged, or rewritten. A network is a group of interconnected devices, and networks are vital to the military, where many units rely on data stored offsite and on coordination of United States military efforts on the battlefield, whether in the space, air, sea, or land domain.  The cyber domain connects them all, bridging communications and coordinating military maneuvers [4].

Vulnerabilities  

According to a 2000 report, one of the military systems most vulnerable to attack is the Military Command, Control, Communications, Computer, and Intelligence system (C4I).  It uses and interconnects interfaces through the Internet, base and organizational local area networks (LAN), modems, military and civilian communication systems, navigation systems, and radios in all frequency ranges [3]. There are many infiltration points, and the complexity of the system could mask, or at least delay, the tracing of a cyber infiltration.  If software controls a military system, then it is vulnerable to attack.  If it computes, then it is hackable.  The Navy’s newer ships, like the USS Zumwalt, are powered by Linux, carry 6 million lines of software code, and are essentially floating data centers, even with a classified wireless network capability [5].  Similarly, seventy-five percent (or more) of United States military aircraft performance and capability is dependent on software.  These modern aircraft receive data from the C4I systems and the Global Positioning System (GPS), which are interconnected to a multitude of other aircraft systems, like the flight control system, radar systems, and environmental control system.  A hacker using the correct control sequences, inputs, or reprogramming could take control of the aircraft or overwrite flight control software [3].  A cybersecurity researcher by the name of Ruben Santamarta admitted to hacking hundreds of commercial airplanes from November to December of last year by taking advantage of a weakness in satellite communications equipment [6].  He also used the vulnerabilities to spy on cargo ships and uncover supposed hidden military bases [6].  While experts downplayed the threat, vulnerabilities are always a possibility, and a persistent threat actor could take advantage of them.

In a study conducted by Norwich University, 80% of the federal agency respondents were uncertain whether, or did not believe that, “current federal security standards met their needs for establishing a cloud infrastructure” [1].  The Federal Cloud Computing Strategy (FCCS) characterized the current federal IT environment as “low asset utilization, fragmented for resources, duplicative systems, environments difficult to manage, and long procurement lead time” [1].  Several directives and strategies were implemented in hopes of advancing the government’s desire to move to cloud services, including the National Defense Authorization Act of 2012 and the Department of Defense Cloud Computing Strategy (DODCCS); however, these directives must still meet data security regulations and standards like the E-Government Act of 2002 (or the Federal Information Security Management Act of 2002) and the Department of Defense Instructions [1].  While these data security regulations and standards serve a purpose, they also bring a lot of red tape that slows progress.

The call to move the Department of Defense’s data and services to a commercial cloud infrastructure was made in the 2012 National Defense Authorization Act (NDAA); however, it did not provide guidance on how to support the “cloud first” directive.  The idea was to reduce IT infrastructure and rein in the swelling DOD IT budget; however, the savings from using commercial and private cloud infrastructure had to outweigh the risk to the DOD [1].

Oxford Dictionaries defines the Cloud as a network of remote servers, hosted on the Internet, that is used to store, manage, and process data in place of local servers.   There are many different businesses that provide cloud computing services, including Google Drive, Apple iCloud, Amazon Cloud Drive, and hybrid services like Box, Dropbox, and SugarSync [7].  Microsoft is currently providing the United States Army cloud-based security and connectivity to mobile devices to improve and extend the military’s SIPRNet capabilities.  Through the Army’s Unified Capabilities (UC) program, in collaboration with AT&T, the Army leverages the commercial cloud to improve networking interoperability on classified and unclassified networks, and to allow forward-deployed or dismounted soldiers to connect and share combat-relevant data from beyond an otherwise limited network [8].

The old proverb goes “a chain is only as strong as its weakest link”, or, for a network, as strong as its users.  The problem is that anything not air gapped (and even then, one might want to look up Stuxnet) is only as secure as the users using it, the Internet Service Providers (ISPs), the cloud service provider, and the different organizations tasked to protect it.  The more users and organizations involved, the greater the risk to the system.  No participant in the DOD cloud can know how well the others practice security, and anyone (whether a user, systems provider, or ISP) whose security standards fall below the DOD’s puts the DOD at risk and creates a potential national security risk [1].

Cloud technology is built on an Infrastructure as a Service (IaaS) model, where the service provider controls all the hardware, including the physical servers, network devices, and everything else necessary to run the virtualized machine infrastructure.  Total control of the backbone is in the hands of the cloud service provider, and a lot of trust must be built for the government to allow this.  Contracts must be written with specific service level agreements (SLAs) for the company to uphold the high standards of unclassified and classified government networks.  Virtualization technology allows the cloud provider to have several virtual machines running on the same server at the same time, which potentially allows for leakage of government data.  Also, classified virtual machines cannot run on the same physical server as unclassified virtual machines.  These machines need proper physical controls in place, such as proper labeling, physical security, training of the personnel who work on the machines on a regular basis, and much more.  Currently, the government controls the selection and training of personnel who work on government equipment by hiring them directly as government employees, through a military service, or through a contract with government approval required for all hires.  These personnel are all vetted with background checks for security clearances, and restrictions are put in place for personnel based on their clearance level.  When the infrastructure exists within a cloud provider’s facility, the provider controls that facility, and the government is exposed to the possibility of the wrong personnel having or gaining access to government systems [1].

There are three cloud models that the DOD could implement: public, private, or hybrid.  In a cloud environment, many virtual machines reside on the same physical server.  In a public cloud environment, there is a mixed bag of virtual machines on the same server, and the National Security Agency (NSA) has pointed out the inherent risks associated with this.  It is possible for someone to gain unauthorized access to a virtual machine that does not belong to them.  Another issue pointed out by the DOD was that data could reside in any country, and ownership of that data would be subject to the laws of that country, which could present issues.  A private cloud is one where the cloud resources are used solely for one purpose, and only one organization has access to them.  The DOD has over 700 data centers, and if these could be consolidated into a private cloud configuration, the DOD would realize potential cost savings.  A hybrid solution is simply a combination of the two, for different networks [1].  SIPRNET (the classified military network) would obviously never be public, but unclassified traffic could be placed in a public cloud if the data is not considered a risk to national security.
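The two placement rules the essay draws from [1] (classified and unclassified virtual machines never share a physical server; classified data never lands in a public pool or in a country whose laws the DOD does not control) are the kind of constraint a cloud operator can check mechanically against an inventory. The following Python is an added example written for this page, not code from the essay or from any DOD or vendor system: the host and VM inventory is constructed, the `Host`/`VM` shape and the `ALLOWED_CLASSIFIED_COUNTRIES` set are assumptions, and the three rules are the ones stated in the paragraph above.

```python
"""Placement-policy checker for a mixed-classification IaaS inventory (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    model: str      # tenancy pool the physical server belongs to: "public" or "private"
    country: str    # jurisdiction where the physical server sits


@dataclass(frozen=True)
class VM:
    name: str
    host: str                 # physical server the VM is scheduled on
    classification: str       # "classified" or "unclassified"


# Assumption for this example: classified data may only reside in the US.
ALLOWED_CLASSIFIED_COUNTRIES = {"US"}


def check_placement(hosts, vms):
    """Return a list of human-readable violations; an empty list means the layout is compliant."""
    host_by_name = {h.name: h for h in hosts}
    tenants_by_host = defaultdict(list)
    for vm in vms:
        tenants_by_host[vm.host].append(vm)

    violations = []
    for host_name, tenants in tenants_by_host.items():
        host = host_by_name.get(host_name)
        if host is None:
            names = [v.name for v in tenants]
            violations.append(f"{host_name}: VMs {names} scheduled on a host not in the inventory")
            continue

        levels = {v.classification for v in tenants}

        # Rule 1: a physical server never hosts both classified and unclassified VMs.
        if "classified" in levels and "unclassified" in levels:
            violations.append(f"{host_name}: classified and unclassified VMs share one physical server")

        if "classified" in levels:
            # Rule 2: classified workloads never run in the public (multi-tenant) pool.
            if host.model == "public":
                violations.append(f"{host_name}: classified VM placed on a public-cloud host")
            # Rule 3: classified data stays in an allowed jurisdiction.
            if host.country not in ALLOWED_CLASSIFIED_COUNTRIES:
                violations.append(f"{host_name}: classified VM hosted in {host.country}")
    return violations


# Constructed sample inventory (not real DOD hosts or systems).
SAMPLE_HOSTS = [
    Host("srv-a", "private", "US"),
    Host("srv-b", "public", "US"),
    Host("srv-c", "private", "DE"),
    Host("srv-d", "public", "US"),
]
SAMPLE_VMS = [
    VM("sipr-1", "srv-a", "classified"),
    VM("nipr-1", "srv-a", "unclassified"),   # breaks rule 1 on srv-a
    VM("nipr-2", "srv-b", "unclassified"),   # unclassified in the public pool is allowed
    VM("sipr-2", "srv-c", "classified"),     # breaks rule 3 (hosted in DE)
    VM("sipr-3", "srv-d", "classified"),     # breaks rule 2 (public pool)
]


def demo():
    """Run the checker over the constructed inventory."""
    return check_placement(SAMPLE_HOSTS, SAMPLE_VMS)


if __name__ == "__main__":
    for line in demo():
        print("VIOLATION", line)
```

Run as a script it lists three violations, one per broken rule. In practice the inventory would be pulled from the provider's API and the check run on every scheduling change, since a single live migration can silently recreate the co-residency the rules forbid.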

Works Cited

[1] S. C. Dudash, "The Department of Defense and the Power of Cloud Computing," Air University Press, Maxwell Air Force Base, 2016.

[2] M. Chapple and D. Seidl, Cyberwarfare: Information Operations in a Connected World, Jones & Bartlett Learning: VitalSource Bookshelf Online, 2014.

[3] L. C. L. D. Alford Jr., "Cyber Warfare: Protecting Military Systems," Acquisition Review Quarterly, pp. 100-120, Spring.

[4] M. C. Libicki, "Cyberdeterrence and Cyberwar," RAND Project Air Force, pp. 1-114, 2009.

[5] S. Gallagher, "The Navy’s newest warship is powered by Linux," Ars Technica, 18 10 2013. [Online]. Available: https://arstechnica.com/information-technology/2013/10/the-navys-newest-warship-is-powered-by-linux/. [Accessed 01 09 2018].

[6] T. Brewster, "This Guy Hacked Hundreds of Planes From the Ground," Forbes, 09 08 2018. [Online]. Available: https://www.forbes.com/sites/thomasbrewster/2018/08/09/this-guy-hacked-hundreds-of-planes-from-the-ground/#a72777046f2f. [Accessed 01 09 2018].

[7] E. Griffith, "What Is Cloud Computing?," PC Mag, 03 05 2016. [Online]. Available: https://www.pcmag.com/article2/0,2817,2372163,00.asp. [Accessed 01 09 2018].

[8] K. Osborn, "DISA and the Army use commercial cloud to enable SIPRNet smartphone networking," Defense Systems, 10 11 2017. [Online]. Available: https://defensesystems.com/articles/2017/11/10/disa-cloud-army-microsoft.aspx. [Accessed 01 09 2018].

The artwork used to head this article is called PLANE by Andrey Prokopenko.