2015-09-02

A short study of military information security policies and their application for multi-level security

Situation:

Current military information security policies still use the domain or facility as the foundation of trust. This keeps the military from improving its mobility and survivability.

Task:


  1. In your experience, are there any other bases for trust that might be available to Armed Forces if they could move past air gap and bastion concepts?
  2. Apply other approaches to the security trust foundation.


Analyses:

Current information security policies are based on the traditional thinking of fortification architecture.

Figure 1: Traditional “fortification” approach to information security

IT systems are isolated from other systems with an air gap, just as a moat isolated fortifications from the surrounding ground. Physical protection is built like walls around a castle, keeping the malevolent outside and the beneficial inside. In reality people need to enter and exit fortifications via a drawbridge, just as a firewall allows transactions and sessions between otherwise separated systems. High towers provide better surveillance and detection in a fortification, just as security event and incident management is currently used in the cyber environment.

What happened to medieval fortifications? They were conquered with battering rams, infiltration from inside, sieges and finally gunpowder. Modern digital fortresses are breached with advanced persistent threats, spear phishing, distributed denial of service and finally with worms creeping everywhere.

There is an evolutionary roadmap of military information security architectures that is rooted in keeping important papers in a vault. The vault became a building. The building was connected with other buildings by means of communications. In the end, monitoring applications were spread to every host to gain pervasive control over everything that moves. Then the cyber world connected further and control did not hold. Threats evolved at an exponential pace and outmatched any attempts to deter them via recognition. Vulnerabilities in existing systems are revealed faster than they are patched. The area of vulnerability is beyond any fortress's ability to protect it.

Figure 2: Example of bases of trust and its evolution in operational military networks

What would make the military release its trust in the physical world and take a leap towards virtual possibilities?

Constraints:

There are very persistent mental models in the military, listed here with the realities that contradict them:
  • Isolation is the best way to keep your networks and computing out of harm's way in a connected world.
  • Isolation is hard to achieve, as in the real world information must flow between different fortified domains to provide information superiority. The ISAF operation suffered from a “sneaker network”: information was copied to CDs, DVDs and USB memories in one domain and dispatched to another, bypassing security policy controls.
  • Malevolent software breached air gap isolation long ago and infects systems via audio, electromagnetic radiation, hardware supplies, etc.
  • Optical cabling is the only way to connect sites since it does not radiate electromagnetic waves.
  • Optical cable can be tapped by dispersing the light radiated from it.
  • Cabling keeps troops in one position, whereas wireless communications enable mobility.
  • One medium for communications is enough if it is a state-of-the-art military design.
  • Military communications have fallen into a measure and countermeasure race. Radio propagation is dispersed over time or frequency by spread spectrum technologies, whereas spectrum analysis is improving faster with more powerful processing and wideband detection.
  • Hierarchically structured radio stars with long ranges are easy to detect and locate in the area of operation. Once precisely located, radio stations and command posts are destroyed by indirect or airborne fire. One radio emission type is a single point of failure on the battlefield.
  • One medium does not enable effective emission control (EMCON). There need to be communications media in different frequency bands together with wired applications that provide enough tactical freedom for electromagnetic deception.
  • Encryption is the only thing that safeguards your information.
  • Bulk encryption protects from man-in-the-middle tapping but does not prevent information misuse once a user entity is breached. Injecting malevolent software by spear phishing is efficient, especially when the user terminal, session, application server and database server are not protected.

Options for solution:

A. Simple one-way data transfer system up and manual transfer systems down, as illustrated in Figure 3

There are several technical solutions (data diodes) for one-way data transfer from a lower to a higher class of confidentiality, assuming that the data is formalized and structured (NFFI, JC3IEDM, VMF, J-series). The challenge is to provide controlled downhill transfer. This option proposes a manual broker between classes of confidentiality. The basis for declassification of information is provided by a managed life cycle. A simple policy of keeping plans confidential but their execution restricted provides rules for declassification at the level of the operations centre (3 function), where holistic understanding of the ongoing operation is assumed and thus the best understanding of the needed information is also merged. This option leaves out the other media of information sharing, such as telephone, messaging and video teleconferencing, as they carry only informal, or formal but unstructured, information.

Figure 3: a concept for automated uphill and manual downhill in transferring data between different classes of confidentiality

B. Automated and policy-controlled transfer of data between the same classes of confidentiality, as illustrated in Figure 4

Since military C4I systems are built and implemented separately, there are several systems at the same theoretical level of confidentiality, but for various reasons (such as a fear of overextending the area of vulnerability within air-gapped fortifications) they do not trust each other enough to be connected directly. In this case various technical gateways have been introduced to exchange formal and structured data between domains. The Afghanistan Mission Network (AMN) started by defining generic gateways between national domains. The main data transfer metamodel was JC3IEDM.

Figure 4: a concept for data transfer between same class of confidentiality but untrusted domains

C. Automated hierarchical systems up data transfer between different classes of confidentiality as illustrated in Figure 5

Applying the previous option B to connect several classes of confidentiality in a controlled way gives the military a systems up concept. This concept allows formalized and structured data to be transferred uphill in an automated way, from lower levels of confidentiality towards higher levels. Again, in this case unstructured and sometimes informal information is communicated downhill via emails, audio, video, files and messages. The so-called “sneaker network” was the main breach of security policy in Afghanistan before AMN implementation from 2010 onwards.

Figure 5: a concept for hierarchical systems up data transfer between different classes of confidentiality
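
The flow rules of options A and C can be written down as a small cross-domain guard. This is an added example, not part of the original post: the level ordering, the verdict strings and the officer name passed to `release` are assumptions, and the format names are checked only as labels.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):            # assumed ordering, lowest first
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3

# Format names taken from the text; only the label is checked here,
# per-format schema validation is left out of this sketch.
STRUCTURED = {"NFFI", "JC3IEDM", "VMF", "J-series"}

@dataclass(frozen=True)
class Message:
    fmt: str
    level: Level
    body: str

@dataclass
class Guard:
    held: list = field(default_factory=list)    # awaiting the manual broker
    audit: list = field(default_factory=list)   # every decision is logged

    def _log(self, verdict, msg, src, dst):
        self.audit.append((verdict, msg.fmt, msg.level.name, src.name, dst.name))
        return verdict

    def transfer(self, msg, src, dst):
        if msg.level > src:                      # label does not fit the source domain
            return self._log("reject:label-above-source", msg, src, dst)
        if dst < src:                            # downhill is never automatic
            self.held.append((msg, dst))
            return self._log("hold:manual-release", msg, src, dst)
        if msg.fmt not in STRUCTURED:            # diode carries structured data only
            return self._log("reject:unstructured", msg, src, dst)
        return self._log("forward", msg, src, dst)

    def release(self, index, officer, new_level):
        """Manual broker decision: relabel held data, then let it go down."""
        msg, dst = self.held[index]
        if new_level > dst:                      # still too sensitive for dst
            self._log(f"deny:{officer}", msg, msg.level, dst)
            return None
        del self.held[index]
        lowered = Message(msg.fmt, new_level, msg.body)
        self._log(f"release:{officer}", lowered, msg.level, dst)
        return lowered
```

A confidential plan sent towards a restricted domain is held until the broker relabels it, which is the life-cycle rule of option A; every verdict, including denials, lands in `audit`.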

D. Cloud computing solution for multi-level information security as illustrated in Figure 6

With modern cloud computing and identity and access management technologies, the military can provide both uphill and downhill flows of information. For uphill information flow, basic formalized and structured data gateways are used. Downhill feeds are provided by role-based access from less trusted domains. Terminals are treated as zero-trust, and information is only presented on their screens, not stored in their non-volatile memories.

Figure 6: a concept for cloud computing solutions for multi-level information security
