2014-04-21

A Short Story of Military IT-security evolution and Map of Roads it has left behind

WHAT IS MILITARY IT-SECURITY?


Information Technology Security (IT security) is information security applied to computers and computer networks. Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information here includes all its forms, from data to knowledge. ISO 27000:2013 sums this up as the “preservation of confidentiality, integrity and availability of information whilst taking care of authenticity, accountability, non-repudiation and reliability”.

Information has to have the dimensions of security quality illustrated in fig 1:

Confidentiality, which means preventing the disclosure of information to unauthorized entities.
  • Data confidentiality preserves authorized restrictions on data access and disclosure.
  • Privacy assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.
  • Authenticity is the confidence in the validity of a transmission, a message or a message originator.

Integrity, which is the accuracy and consistency of information throughout its entire life-cycle.

  • Data integrity assures that information and programs are changed only in a specified and authorised manner.
  • System integrity assures that a system performs its intended functions in an unimpaired manner.
  • Accountability assures that the actions of an entity can be traced uniquely to that entity.

Availability, which means that information and its processing services are ready for use by authorized users whenever they require them.


Figure 1: Classical structure for IT security

IT security is built from layered structures of technical (hardware, software and communications) security, physical security, personnel security and organizational security measures.

This paper does not address embedded computing but the military use of commercial computing devices and their security measures. Thus the technology roadmap begins not with the Polish Bombe machine used to decrypt German Enigma coding but with mainframe computing (the IBM System/360 was the market leader in 1964) used for military resource management, statistical calculations and human resource management. From then on, military IT security has tried mainly to sustain confidentiality while keeping up with the exponentially increasing technological complexity of computing and data communications.

WHAT IS IT SECURITY BASED ON?

Information management has relied on printed media since Gutenberg revolutionized the management of explicit knowledge around 1455 by printing the first Bibles. Before that, information was mainly tacit. In 1424 Cambridge University Library had only 122 books. Gutenberg changed information management procedures completely, and at the height of this era, in 2009, the Nielsen BookData catalogue listed over 8 million books in English.
Books have been stored in libraries and their reading controlled by librarians since the famous libraries of Nineveh and Alexandria. This created the very basis for information management and thus for information security. Books, their publication and the copyright system have taken care of information integrity. Books have been available in libraries, and librarians have controlled who reads them.

Figure 2: Gutenberg, library and human tendencies from information security point of view

Human beings are naturally curious. Through exploration and investigation they learn from their discoveries. They also tend to collect items like books, sometimes far beyond their actual need to read them. To counter this behaviour, confidentiality has been based on restricting people from getting their hands on books that contain sensitive or unapproved information. The library has been the physical site where both confidentiality and availability have been maintained: books are available, but their reading is under control.

People also tend to choose the path of least resistance. This has been studied especially in information science. An information-seeking client will tend to use the most convenient search method, and information-seeking behaviour stops as soon as minimally acceptable results are found. Thus people tend to bypass any security control if that demands less effort than following the security procedures.

The history of information management is based on the physical structures of libraries that constrain users' access to information managed in books, shelves, catalogues and bibliographies. Librarians have had the key role in projecting security policy: creating bibliographies of books and their authors, storing them in shelves, rows and rooms according to a classification system, and logging books and their borrowers. This is the legacy structure that defined the early years of information technology security measures.

TRUST ON PHYSICAL STRUCTURES

The very first mainframe computers were installed in closed rooms, preferably sheltered underground, to create multi-layered physical security, especially to control the access of human beings to computer services and digital information. Human beings and printed information were considered the main avenues for information breach, so computerizing itself was not considered a specific risk, as illustrated in fig 3.


Figure 3: An example of classical site structure based security trust 

Data communications were not considered, since input to the mainframe and its output went mainly via punched cards. Later, when terminals were introduced, the risk of someone tapping the special wiring with the right code breaker was estimated to be non-existent.

Printed documentation was categorised, labelled and kept within buildings and inside vaults. Problems occurred when documents were transferred between sites. This risk was countered with online data communications encryption devices, which evolved from the history of online communications security beginning with the Green Hornet during WWII. Printed documents from trash bins, mail and couriers were the main points of intrusion for an outsider to get documented information. Most information was captured by insiders or, with evolving telecommunication technology, through social engineering and telephones. Human intelligence was the adversaries’ main method.

In 1985 studies revealed that computers were emitting unintended electromagnetic waves which could be received outside the trusted physical site. To control emissions the TEMPEST standards (a minimum of 100 dB insertion loss from 1 kHz to 10 GHz) were created and computers were installed inside Faraday shields. All electromagnetic emission is cancelled in the conductive wall material of this structure (usually metal), and no emission leaks through the cage.

There are many different categories for physical security, but one generic scheme is depicted in fig 4:
  1. 1st level perimeter: required to process top secret information
  2. 2nd level perimeter: required to process secret information
  3. 3rd level perimeter: required to process confidential information
  4. 4th level perimeter: required to process restricted information


Figure 4: Generic classification of physical security in military compounds

These perimeters are normally built one within another, so the outer shield protects the inner. In a typical military compound the outer fence, with access control at the gates and surveillance by either security personnel or electronic systems, provides the 4th level perimeter. The 3rd level perimeter is achieved when, inside the 4th perimeter, there is a building or shelter with separate access control and a structure that prevents other avenues of access. Consequently the 2nd and 1st perimeters are inside the 3rd, with separate access management and additional protective structures. In peace time these structures may be designed to prevent physical breach until reaction forces arrive to capture intruders. When structures are designed for war time, survivability under attack is the greater goal.

Still, one finds that computers within the 1st perimeter are often offline and accessible only to personnel who have physical access to top secret facilities. These computers are unfortunately weak when it comes to resisting cyber threats over the air gap, as has been demonstrated in the cases of Stuxnet and Agent.BTZ (latest version SNAKE).

TRUST BASED ON CONTROLLABLE DOMAIN PERIMETER

As information management includes the dissemination of information at least on a need-to-know basis, there was a need to connect secure physical military sites to other similar sites. This was established by improving communication security on the lines used between computers in physical shelters, as shown in fig 5.


Figure 5: An example of IT security that is based on trusted domains

Encryption started at the very low level of data link layer 2, or similar, within line modem devices. With the Ethernet protocol in Local Area Networks and several Wide Area Network link structures, encryption struggled to provide both the performance and the cryptography required. Digital COMSEC at layer 2 has evolved from pre-ISDN 64 kbps online devices and 2 Mbps PDH trunk encryption devices to current Gigabit Ethernet encryption solutions that are either embedded into switches and routers or built into separate devices. Since physical security was structured as an onion, COMSEC was also defined to follow the familiar one-inside-the-other structure: if layer 2 encryption equalled perimeter 4, then additional layer 3 encryption was good for perimeter 3, and additional layer 4 encryption equalled the perimeter 2 domain.

So more and more data transfer capacity was used to encrypt IP packets at different layers. There was not much analysis of how much risk was really mitigated by this layered encryption, but it was used because it was an available and familiar way to solve security problems. One example of this design is illustrated in fig 6.


Figure 6: An example of COMSEC architecture in domain based IT security

Here the basic level of the extranet is protected by L2 encryption and, together with the physical perimeter, they compose a domain that ensures information management at restricted level. This extranet is isolated from the outer world, and especially from Internet threats, by an air-gap defence. There might be other domains at this same level of security, but since they are controlled by other authorities they are divided from the rest of the basic level extranet by OSI layer 3 encryption and firewalls. This is typical when, for example, the Air Force wants to keep its domain perimeter intact but use the Armed Forces' general network services.

Within the basic domain there is an extended level of security for the management of confidential information. COMSEC uses layer 3 encryption, called a Virtual Private Network (VPN), thus disabling all attempts to tap communications from the lower level. There might also be a one-way-only gateway between the restricted and confidential levels of security. This “diode” is used to transfer data via transactions from the lower level to the upper level of security but not the other way. There have been many attempts to build these one-way-only gateways, but their integrity always remains relative, as it is with the protection provided by air-gap isolation. Where there is a human being as a link in this chain of security, he will remain the most vulnerable to exploitation by an outsider.

Functionally structured military organizations have been building these system, service or organization-unit based domains while sustaining their own control, authority and self-defined development. The “need to know” information management policy spread from the operational level down to the tactical level. NATO and US military organizations faced the results of this tendency back in 2009 when the ISAF Commander, General Stanley McChrystal, seeing his force ineffectively trying to share information via a “sneaker network” (a manual download, transfer, upload procedure), called for better information sharing to counter a networked adversary. The Afghanistan Mission Network program and the quest towards a “share to win” policy were created in 2010 to integrate the numerous separate domains within NATO and within national force structures, as described in fig 7.


Figure 7: Example of attempts to solve multidomain interoperability while maintaining domain trust based security

Since then a massive gateway structure, together with aligned security policies, has been built to allow different systems to be used via one core platform: the NATO Secret Mission Network. National domains are attached to this core by Network Interconnect Points (NIP), cross domain gateways that allow users at NATO secret level to access any secret level system provided by contributing nations. This enabled the shared use of about 165 applications, of which 55 were critical to the mission. The Mission Network was finalized when an important part, the Network Operation Centre (AMNOC), was opened to enforce common policy throughout the federated domains.

Because of the tight schedule to build up this core network, it was done at the cost of inner security. At first there was no defence structure inside the NATO secret core, but later a monitoring and reaction based security structure was adopted from the US NIPR network. This had started in 2006 and was called the Host Based Security System.

TRUST BASED ON MONITORING AND REACTION CAPABILITIES

As the number of federated domains and the number of interconnected nodes increased, a perimeter based security policy was doomed to be futile. Something had to be done behind the high walls of the domain perimeters to control security and react when malevolent incidents were detected. This is again very basic military tactics: survey a larger space of operation and react with tactically positioned rapid reaction forces to counter any insurgency. The Host Based Security System, HBSS, was created in US DISA together with McAfee and BAE Systems, who were given the contract to implement the first monitoring agents on all hosts in the network. All hosts that either process or store data were provided with agents, or an equivalent function, to produce the required surveillance information for the Security Operations Centre (SOC). The SOC has control over IT operations change management and configuration management and can quickly change configuration when malicious behaviour is detected in the information environment, as illustrated in figure 8.


Figure 8: An example of Host Based Security concept by HBSS and McAfee

The basic principle is to define a baseline, or ‘whiteline’, of the existing normal features within the IT domain. Special detectors are created to detect anomalies outside the baseline patterns. When an anomaly is detected, an alert is forwarded to the SOC, which creates a security incident and starts executing countermeasures. Another approach is more proactive: security engineers use a sandbox environment and penetration tools to test the vulnerability of each ICT component. Components are patched and hardened before being released to the operations environment. This process, when executed continuously, keeps the operational ICT up to date and as sustainable as possible. There are always flaws in systems that have not been remedied yet; they are called 0-day vulnerabilities. To compensate for these vulnerabilities, special thresholds around these components can be installed to detect any attempts at exploitation.
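The baseline-and-detector loop described above, as an added example that is not code from the original article or from HBSS/McAfee: agent reports from a known-good period define the whiteline, live reports are compared against it, and each deviation becomes an incident for the SOC with a proposed countermeasure. Host roles, report fields and host names are constructed sample data.

```python
"""Baseline ('whiteline') detection in the spirit of the host based security
concept above: agents report host state, detectors compare it with the
baseline, and each deviation becomes an incident for the SOC.

Added example, not code from the original article or from HBSS/McAfee.
Host roles, report fields and host names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Incident:
    host: str
    detector: str
    detail: str
    countermeasure: str


def learn_baseline(clean_reports):
    """Build the per-role whiteline from agent reports collected while the
    domain is known to be in a good state; only these processes and
    listening ports count as normal afterwards."""
    baseline = {}
    for r in clean_reports:
        b = baseline.setdefault(r["role"], {"processes": set(), "ports": set()})
        b["processes"].update(r["processes"])
        b["ports"].update(r["listening_ports"])
    return baseline


def check_report(report, baseline):
    """Run the detectors over one live agent report; incidents come back in a
    fixed order (processes, then ports, then agent health)."""
    base = baseline.get(report["role"], {"processes": set(), "ports": set()})
    host = report["host"]
    incidents = []
    for proc in sorted(set(report["processes"]) - base["processes"]):
        incidents.append(Incident(host, "process-not-in-baseline", proc,
                                  f"terminate {proc} and re-image if it returns"))
    for port in sorted(set(report["listening_ports"]) - base["ports"]):
        incidents.append(Incident(host, "port-not-in-baseline", str(port),
                                  f"block TCP/{port} in the host firewall"))
    if not report.get("agent_heartbeat", False):
        # A silent agent is itself an anomaly: the SOC has lost visibility.
        incidents.append(Incident(host, "agent-silent", "no heartbeat",
                                  "isolate host until the agent reports again"))
    return incidents


def triage(live_reports, baseline):
    """Aggregate incidents per host, as a SOC console would list them;
    hosts with no deviation do not appear."""
    findings = {}
    for r in live_reports:
        incidents = check_report(r, baseline)
        if incidents:
            findings[r["host"]] = incidents
    return findings


# Constructed reports from a known-good period, used to learn the whiteline.
CLEAN_REPORTS = [
    {"host": "fs01", "role": "file-server", "processes": ["smbd", "sshd", "agent"],
     "listening_ports": [22, 445], "agent_heartbeat": True},
    {"host": "ws01", "role": "workstation", "processes": ["explorer", "outlook", "agent"],
     "listening_ports": [], "agent_heartbeat": True},
]

# Constructed live reports: one clean host, one with deviations, one silent agent.
LIVE_REPORTS = [
    {"host": "fs01", "role": "file-server", "processes": ["smbd", "sshd", "agent"],
     "listening_ports": [22, 445], "agent_heartbeat": True},
    {"host": "ws17", "role": "workstation",
     "processes": ["explorer", "outlook", "agent", "updater2"],
     "listening_ports": [8080], "agent_heartbeat": True},
    {"host": "ws18", "role": "workstation", "processes": ["explorer", "agent"],
     "listening_ports": [], "agent_heartbeat": False},
]

if __name__ == "__main__":
    for host, found in triage(LIVE_REPORTS, learn_baseline(CLEAN_REPORTS)).items():
        for i in found:
            print(f"{host}: {i.detector} ({i.detail}) -> {i.countermeasure}")
```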

Further, host based security requires additional information from possible “honey pots”, systems outside the cross domain gateways that lure potential penetrators in order to capture their attack profiles. There is also a need to connect with the larger community of cyber experts that continuously monitor malevolent behaviour in networks, collaborate and make better sense of incidents in networks, as depicted in fig 9.


Figure 9: An example of Security Operations Centre concepts within Host Based Security

The deterministic and statistical approaches explained above may be complemented with more heuristic surveillance methods. These capture full packets from both core and front switches and apply advanced big data analysis tools over a vast amount of data. This makes it possible to capture different attack profiles and silent trends.

NEW CHALLENGES OF ZUCKERBERGIAN ERA INFORMATION MANAGEMENT

From the Gutenbergian culture of information management there is a long leap to the Zuckerbergian culture of information management, as illustrated in fig 10. The amount of information is increasing faster than ever before, produced online by both people and machines. Text is being replaced by pictures and videos simply because it is easier, and people can capture essential information from those better than from plain text.


Figure 10: A point of view that illustrates the change in information management from Gutenbergian culture to postmodern culture that Zuckerberg’s Facebook era represents

The data and information policies of the Gutenbergian culture cannot keep up with the emerging magnitude and speed of the Zuckerbergian era. A book takes too long to write and publish. A web page, blog or wiki is much faster and better able to manage larger amounts of information between people. Data virtualization will change information sharing between Things on the Internet. The Internet can transfer more data than anything so far. It can connect billions of both people and Things to create intertwined man-machine systems.

Information security based on sites, perimeters or hosts is not able to scale to Zuckerbergian era amounts of information, where Facebook is growing by 210 terabytes (1E12) per hour and 20 % of users per year. Even in the military domain the amount of data is increasing exponentially with image capturing. General Cartwright estimated that when the DoD evolves to cloud computing and a mission network of Things, a military force in one operation will be managing about one exabyte (1E18) of unique data in a month. Thousands of sensors create new data continuously, publishing it in a computing cloud where huge clusters of the Hadoop file system (Facebook’s biggest Hadoop cluster handles about 100 petabytes of data) store it and provide it to analysis tools. It is clear that file, host or relational database based security cannot provide the required confidentiality, integrity or availability of information for this data revolution.

SERVICE BASED SECURITY TRUST

The latest attempt to provide IT security for exponentially increasing data is to collect it as fast as possible from its sources, whether people or technical sensors, and store it in logically centralized data warehouses. The large amount of data is closed within the inner structure of a “cloud computing” platform, which is better controlled, so that data integrity and availability are more easily sustained. Confidentiality is based on user identification and role based access via the application or presentation layer. This security structure is based on the onion model of so-called “defence in depth”, where network, host, application and data based IT security measures create an integrated solution, as depicted in fig 11.


Figure 11: Some principles of onion structure of IT security

When the network society grows too large to be cost-efficiently monitored, and the behavioural baseline changes too quickly to recognize any normality, one has to once again gather all information into ‘libraries’, create a strict access policy and appoint librarians to enforce it.

There is no trust in end user devices, so their integrity has to be restored by compliance checks and reconfiguration. To do this effectively the baseline of the end user device has to be simple and its configuration “thin”. The terminal has come back into the vocabulary from the late mainframe and early Unix era. A terminal is a very thin client that may only operate complex applications remotely, merely by keyboard, screen and mouse.

There is no trust in the access network, so all sessions have to be encrypted over untrusted and, in many cases, roaming access networks. There might be a Mobile IP solution that enables the terminal to roam between available and cost-effective network connections, and most often encryption is integrated into the Mobile IP application.

There is no trust in user names or single passwords, so stronger identification is used. This may vary from a smart card based token that includes a secret key to biometric authentication such as fingerprints, face picture, hand vein picture or retina. User and service need mutual authentication to create a temporary trusted session over the untrusted environment, which requires a mutual authentication protocol to verify both entities. Often third parties offer certification authority services to both parties.

Since there is no trust in the incoming terminal, nor in the communications protocol it is using, nor in the content it is proposing, a complex access gateway between the service base and the outer world is needed. These gateways include a number of firewalls, demilitarized zones and interrupting proxies with content checking and filtering.

Within the “computing cloud” there are several layers of defence, starting from the very first portal and access management layer, where users are allocated to roles and roles have authorized rights to run applications and process data. This makes it possible to manage hundreds of thousands of users categorised into thousands of roles, and further to allow access to applications and data content. This is called identity and access management. All subjects are under constant surveillance to detect anomalies and stop intruders before they are able to complete their operation. There are different gateways for man-machine sessions and machine-machine sessions, to detect their different behaviours more easily.

Applications may be structured in line with a Service Oriented Architecture, where each function is requested via a Service Bus and the applications themselves may be located in different instances. This requires a particular application identification and authentication structure within the SOA platform.

There are many service based security services available on the modern Internet. Most eGovernance/smartGovernance or online financial services are constructed in this manner. In the military domain similar features are to be found in the NATO Future Mission Network and the DISA All Partners Access Network. Examples of service based security implementations are illustrated in fig 12.


Figure 12: Examples of service based trust structures in IT security

CONTENT BASED SECURITY TRUST

If we are living in a world where platforms and connections change swiftly, there is no longer a single layer of trusted platform to be defined. Besides people there will be billions of Things connected to the Internet, both producing and processing data. The definable server will evaporate somewhere in the software defined network and cloud. SOA and the Semantic Web will disperse monolithic applications into distributed applets that form temporary functions according to the requests of each process. Text files will change to structured data with both a format that machines can understand and metadata that ontologies can make sense of. Databases will gradually be virtualised, first as a loose structure of several databases but eventually into a data fabric stretched over the whole cyber space, where data items are addressed as we now address web pages.

There is a possibility to lay the trust structure around all the data items if they are restructured in the semantic web way and equipped with metadata. Another base of trust is the user identity, which is tied to data items via 3rd party certification authority services. This enables sensitive data to be stored, processed, presented and transferred within an untrusted ICT platform while optimizing its assurance according to changing situations. This may also be called software defined security. See fig 13 for examples of the transformation and of a semantic web security structure.


Figure 13: Evolution of Information Technology and examples of content based security structure

One possible way to provide a new structure for trust in content based security is described in fig. 14. Availability is provided by distribution of resources, since there is no sufficient guarantee that any one node or centre will be available as required. This is typical especially of the military environment. All entities in the space should have a unique address with which they can be found and addressed. Every entity has to be authenticated based on a strong identity. Tokens and biometrics are already there for people, but strong machine identification and authentication remain to be implemented.

There has to be a logical structure in both data and applications to ensure that they are what they seem to be and function as expected. Each data content should be encrypted or signed to ensure data confidentiality and authenticity. There is a need to implement a separate certification, authentication and key management structure, which is one base of authority and identity.


Figure 14: Example of trust structure in content based information security

Encryption key management follows the chain of authorization from the user to the assigned application, which is provided with the key material needed to process the data the user requires.
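The two preceding points, signed data items with their own metadata and key material released along the user-to-application chain of authorization, as an added example that is not code from the original article or from any fielded system. Stdlib HMAC-SHA256 stands in for a real signature scheme, so it shows integrity and authenticity only (confidentiality would need encryption with a proper library); the user names, application name and clearance table are constructed.

```python
"""Content based trust around individual data items: every item carries its
metadata and an authenticity proof, and key material is released only along
the chain user -> authorized application -> classification.

Added example, not code from the original article or any fielded system.
HMAC-SHA256 stands in for a real signature scheme (integrity and authenticity
only). All user names, application names and keys are constructed.
"""
import hashlib
import hmac
import json
import secrets

CLEARANCE = {"restricted": 1, "confidential": 2, "secret": 3}


class KeyAuthority:
    """Stand-in for the separate certification and key management structure.
    Keys are held per (application, classification); the authorization table
    says which users may run which applications and with what clearance."""

    def __init__(self):
        self._keys = {}
        self._users = {}

    def enrol_user(self, user, clearance, apps):
        self._users[user] = {"clearance": clearance, "apps": set(apps)}

    def release_key(self, user, app, classification):
        """Follow the chain of authorization: the user must be enrolled,
        assigned to the application and cleared for the classification."""
        u = self._users.get(user)
        if u is None or app not in u["apps"]:
            raise PermissionError(f"{user} is not authorized to run {app}")
        if CLEARANCE[u["clearance"]] < CLEARANCE[classification]:
            raise PermissionError(f"{user} lacks clearance for {classification}")
        return self._keys.setdefault((app, classification), secrets.token_bytes(32))


def _canonical(meta, payload):
    # Label and payload are bound together, so a classification label cannot
    # be swapped on a stored copy without breaking the tag.
    return json.dumps(meta, sort_keys=True).encode() + b"\n" + payload


def seal_item(meta, payload, key):
    """Attach a MAC so the item can live on an untrusted platform."""
    tag = hmac.new(key, _canonical(meta, payload), hashlib.sha256).hexdigest()
    return {"meta": dict(meta), "payload": payload, "tag": tag}


def verify_item(item, key):
    """True only if metadata and payload are exactly what was sealed."""
    expected = hmac.new(key, _canonical(item["meta"], item["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, item["tag"])


def demo():
    """Walk one constructed item through the trust structure."""
    ka = KeyAuthority()
    ka.enrol_user("analyst", "secret", {"bms"})      # constructed user
    ka.enrol_user("clerk", "restricted", {"bms"})    # constructed user
    meta = {"id": "item-0001", "classification": "confidential",
            "originator": "analyst"}
    key = ka.release_key("analyst", "bms", meta["classification"])
    item = seal_item(meta, b"constructed sample report text", key)

    # The item is parked on a platform nobody trusts; its protection travels
    # with the item rather than with the host that stores it.
    untrusted_store = {item["meta"]["id"]: item}
    fetched = untrusted_store["item-0001"]

    # Downgrading the label on the stored copy must fail verification.
    relabelled = dict(fetched, meta=dict(fetched["meta"], classification="restricted"))

    # A user without clearance never receives the key at all.
    try:
        ka.release_key("clerk", "bms", "confidential")
        clerk_denied = False
    except PermissionError:
        clerk_denied = True

    return {"verified": verify_item(fetched, key),
            "relabel_detected": not verify_item(relabelled, key),
            "clerk_denied": clerk_denied}


if __name__ == "__main__":
    print(demo())
```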

Applications of content based security are still rare, but one can find them within some cloud computing environments and at the very tactical Battle Management System level.

IT SECURITY ROADMAP FOR MILITARY ENVIRONMENT

This study started from the very basis of our information security: a tangible container of information, a physical location of information and an authorized process for accessing information. Based on these structures of trust, militaries have gradually built their digitalized information management and accordingly their IT security, from a pure site based approach to controlled domains and further to trying to monitor and control all possible hosts that process, transfer or store information. Now the military is facing a major leap in the magnitude, speed and format of information, advancing towards service based IT security with visions of content based information security.

Since IT security is not an asset in itself but always a quality of an existing information structure, where people, processes, information and technology are all changing, there is no ultimate end state in the technical roadmap illustrated in fig 15. Since IT security is based on risk management, some categories of information use more technically advanced structures, whereas top secret information still remains on paper and is stored in vaults. For the last 10-15 years the military have been following civilian IT security measures, where finance and commerce have been the leading implementers.


Figure 15: A roadmap for IT security within military environment

On this map there are different roads that a military may choose based on its risk management and its organizational, process, information and technology maturity. There is the basic path SITE-DOMAIN-HOST-SERVICE-CONTENT, which has been followed in NATO and DISA structures. There have also been examples of successful journeys along other paths. The Netherlands Armed Forces set an example in the early 2000s when they were promoting the TITAN structure for mission IT. In parallel with this program, Finland was piloting its Transferable Operation Centre (TOC) concept. Both of them left domain based security and went directly to service based security.

The MultiNational Experiment exercise has been developing a service based structure since 2006 for crisis management operations, in order to have all stakeholders collaborating with each other in complex crisis situations. Finland supported the MNE 4 exercise with the Shared Information Framework & Technology (SHIFT), which “demonstrated method to share information across various military, governmental and non-governmental information domains”.

The Finnish Defence Forces took the path from domain based to service based security between 2007 and 2012 in their national operational command and control support. FinDEF changed from 22 site based domains to one private cloud computing based service structure where information services were provided from restricted to secret level. It was not fully successful, since some parts of the Defence Forces were not as mature as others and so there was no equal starting point for this journey, but the implementation served as a model for others to follow.

DISA operated networks improved their perimeter defence with host based security in early 2006. The Afghanistan Mission Network went through a transformation from a very domain based structure in 2009 to a flatter, host based security by 2013.

The Finnish Land Forces are on their way from site based security directly to content based security with their next generation Battle Management System and tactical communications M18.

There are a plethora of references I have not included in this revision. Please ask for a copy with references.