Meeting national security_space_needs_in_the_contested_cyberspace_domainDocument Transcript
Meeting National Security Space Needs in the Contested Cyberspace DomainGrowing concern over emerging cyber threats is shifting attention to mission resilience—the ability tooperate through new and evolving threats in the cyberspace domain.RAMI R. RAZOUK AND FRANK C. BELZDuring the last two decades, the U.S. government and private sectors have come to heightenedawareness of the challenges to national security that are emerging from cyberspace. News reportsregularly highlight the vulnerability of industrial systems to intrusion and the resultant loss of massiveamounts of data and even the loss of control over industrial processes. These challenges raisequestions about the resilience of the functions of the economy and government while undercyberattack, including those functions provided by the national security space community.As cyberspace becomes an increasingly contested domain, many aspects of national security spaceare also in flux. National security space has witnessed several periods of transition involving thenature of threats to space systems, the purpose and structure of space missions, the technologiesthat affect space system construction, and the role of systems in the missions they serve. Today,there are significant transitions occurring in all of these dimensions.Many of today’s national security space capabilities were first conceived during the Cold War withwell-defined and well-studied adversaries, and many of these capabilities (such as missile warning)were developed as isolated, single-mission systems. Today’s environment is dramatically altered andthe threats are very different.The strategic concerns of the Cold War are a relatively small, although still important, component of amuch more complex environment today. The emphasis in the space community is now on fusing awide variety of data sources to achieve information superiority for warfighters and intelligenceanalysts. This has created unrelenting pressure to connect information systems and to communicateall over the globe, including to users in the field. This connectivity is both an enabler and an Achillesheel: creating pathways for information to get out to authorized users can also help adversaries findpathways to get in to that same information.Connectivity of systems is not the only source of vulnerability. If it were, then the solution would besimple but painful—disconnect the systems. This has been the response of last resort taken byseveral defense contractors under cyberattack in the last few years, but it would be a cripplingresponse if it were necessary in the midst of an international conflict.Another source of vulnerability is the increasing reliance on a wide range of commercially suppliedhardware and software components that are manufactured throughout the world and provide ampleopportunity for the introduction of malicious hardware and software. Any of today’s space systemcommand and control centers contain a wide range of routers, firewalls, printers, desktops,telephones, video devices, disk farms, computing clusters, databases, Web servers, and otherinformation processing capabilities, components of which may and probably do originate fromindeterminate sources.The inexorable trend of increased connectivity among national security space systems—withcomponents of uncertain pedigree—amplifies the risks associated with system (and systems ofsystems) complexity. Increased complexity alone raises the risk of a cyberattack because moreattention must be focused on managing the system just to achieve proper functioning, usually at theexpense of attention on understanding the risks being created and new means of cyber intrusions.Whether or not increasingly complex systems (and even more complex systems of systems) canfunction properly under cyberattack becomes correspondingly more difficult to assess.This complexity and the sheer magnitude of recent national security space systems have alsochanged the system acquisition process. Space systems are now acquired as separate segmentswith distinct acquisitions. These separate acquisitions make it harder to fully assess end-to-endbehaviors when all of the segments are put into operation, and make it difficult to identify side effectsor other unintended behavior under cyberattacks. The result is that developers often fail to obtainanything beyond a superficial understanding of the end-to-end system design, which reduces theeffectiveness of understanding the true risks to the system.
Aerospace, along with its FFRDC partners, is focusing on space cyber domain issues that are uniqueto national security space throughout the acquisition lifecycle: concept exploration, military utilityanalysis, requirements definition, system architecting, system development oversight, deployment,and sustainment support.New Technology RisksThe increasing pace of introducing new technologies into national security space missions createsanother set of challenges in the cyberspace domain. For example, the need to make ground systemsand mission processing systems more efficient—in effect, to do more with less—is fueling a desire tomigrate terrestrial information technology capabilities to cloud services. Cloud computing allowscomputer users to tap into servers and storage systems scattered around the country and the worldthat are tied together by networks. Cloud services are designed to give users better, more reliable,more affordable, and more flexible access to much needed information technology infrastructures. Onthe other hand, the most significant barrier to adoption of clouds is trust: Will mission dataconfidentiality, integrity, and availability be better ensured by residing on the cloud? Will missionstakeholders be able to rely on the cloud? Will the cloud be as resilient and robust as the informationwould be in a more traditionally independent private operational environment? Aerospace is workingwith its customers to help them understand the vulnerabilities associated with cloud-based services.Another area of concern is new mobile-user devices including smartphones, iPads, and other tabletcomputers, which are rapidly becoming integrated into the operational environment. As these newdevices enable new concepts of operation, they introduce a dynamically changing need for servicefrom national security space systems, as well as an increase in the need for adaptive, on-demandservice provisions. Agile acquisition strategies and rapidly adaptable space asset architectures arebecoming increasingly necessary to address the effects of these transformative and rapid technologychanges. But these changes, as with migration to cloud environments, raise the specter of newvulnerabilities in national security space systems. Aerospace is conducting research on wirelesssecurity effects and countermeasures. In the future, new end-to-end assessment frameworks will beessential for understanding the dynamic system risks and for updating systems to address newthreats.Even the devices and software that are incorporated into national security space systems for thepurpose of security represent an added level of complexity that makes managing systems achallenge. Firewalls and other devices that restrict information flow from one security regime toanother, authentication and key management systems, access audit systems, and other mechanismsto control and observe possibly hostile access to mission critical information are themselves complexto develop, test, understand, configure, and control during operations. The result is that while somemeans of cyberattack may be attenuated by these mechanisms, others may be introduced, and theoverall attack surface of the systems may become larger, and certainly becomes harder tounderstand. Furthermore, when systems with distinct mechanisms for implementing security policiesare connected in new ways, inconsistencies may arise, introducing new gaps in the defensemechanisms that may be exploited by attackers.
Cyberattacks at all levels are difficult to detect, attribute, or stop. There is increasing evidence ofattacks designed to collect intelligence and disrupt space operations. Low-end (cyber crime) and high-end (nation-state) attacks are underway. This chart illustrates the type of cyberattacks, targetsidentified, and effects of the attacks on computer and space systems. Courtesy of U.S. Air Force.Cyber ThreatsConcern about cyber vulnerabilities has been dramatically growing, commensurate with the number ofpublicly acknowledged successful penetrations into information systems. Many of these cyberattackshave focused on theft of personal information (such as social security numbers and credit cardnumbers) used for identity theft and financial gain. The trend rapidly evolved to include cyberintrusions to steal intellectual property from the government and from private industry. In the last 5 to10 years, such intrusions have become multiyear cyber campaigns across a broad spectrum ofgovernment and industry. To defend against these attacks, an entire industry has arisen to providesecurity to enterprises and individuals who use and depend on the Internet. In a predictable response,cyberattacks have extended to this industry. For example, there have been significant attacks againstcryptographic certificate and security providers in an attempt to gain authentication information thatwill enable future cyberattacks to pass through existing protection barriers.This growing list of cases certainly represents an alarming trend, and the theft of information is aserious concern for the U.S. government. But this trend does not accurately foretell the kind of threatthat will likely materialize during a conflict with a near-peer adversary. In fact, today’s cyber threatsand attacks could be viewed as preparation of the (cyber) battlefield. As systems are penetrated toextract information, it is possible that implants are being put in place that could be called upon intimes of conflict.The most concerning threat during a cyber conflict will likely be attacks that disable systems througheither overt action (such as denial of service) or covert action (subtle manipulation of data andsystems). The latter is particularly worrisome because of the difficulty of identifying the threat,attributing attacks to adversaries, understanding the extent of compromise, and assessing the extentto which trust in the systems has been endangered. No commander wants to engage in a missionwith equipment he or she cannot trust. Once systems are compromised during conflict, the impactmay go beyond the specifics of the attack. Entire systems may become untrusted, and thereforeunused. Deceptive false indicators and warnings can provoke this unfavorable condition, so that trustmay be lost even though actual cyber compromise has not been achieved.Protecting Space SystemsThe current offensive/defensive posture in cyberspace is asymmetrical: the offense has a substantialadvantage over the defense. Cybersecurity is only as good as its weakest link. Consequently, there isa need to defend everywhere, and executing the defense needs to happen perfectly. On the otherhand, the offense need only succeed in identifying and exploiting the weakest link of a system to besuccessful. These types of attacks on space systems are not currently coming from everywhere, butthey could come from anywhere.Attacks can be directed at many layers of a system’s operational structure and can cross layers.These include a physical layer with wired and wireless communication media; a hardware layer ofnetwork interfaces, routers, antennas, encryption/decryption devices, firewalls, computers, printersand many others; a system software layer with firmware in many of the devices on a network and theoperating systems, database management systems, Web servers, virtualized servers, etc.; anapplication software layer with a broad range of custom-developed and commercial-off-the-shelfsoftware such as e-mail systems, document management systems, and collaboration tools; and amission layer that comprises the unique software and hardware used to accomplish a particularmission (such as missile warning).
For defense in the cyber domain, each layer must be protected in its own way. Much attention hasbeen focused on protecting the physical and network layers of national security space systems.However, an attacker who introduces malware at higher layers can bypass these layers. Similarly, thebest efforts to protect applications can be bypassed by attacks at the physical layer. All of theselayers can be bypassed through social engineering. This involves manipulating the people whoconduct the interface through malicious tactics like spear phishing, which consists of targeting peoplewith apparently authentic personal appeals that, when responded to, unleash malware on theirsystem and enterprise.While the offense has a clear edge over the defense, it is important not to overestimate thecapabilities of attackers, which could result in paralysis and an incorrect conclusion that the situationis hopeless. The offense does have a great advantage in being able to generally penetrate systems,exfiltrate data, and perform denial of service attacks. However, achieving specific effects is not asstraightforward. An analogy can be made to the contrast between going fishing and catching aspecific fish (no pun intended). Designing an attack to target a very specific component of a system—to achieve a specific effect such as altering a command sequence on a satellite—is a very challengingengineering problem. Much of what is happening today consists of relatively broad attacks intended toachieve broad effects.However, there have been successful attacks to achieve specific effects by advanced persistentthreat actors, who have sufficient motivation and resources to develop and conduct precisioncyberattacks. For example, several cybersecurity researchers who reverse-engineered components ofthe widely publicized Stuxnet worm have commented that Stuxnet could have only been developed bya highly skilled team with extensive financial and intelligence resources. Stuxnet attacked supervisorycontrol and data acquisition (SCADA) capabilities governing cyber-physical systems that conductprocesses in the real world, and it was reputedly able to damage those systems, disrupting theirprocesses. It is an example of malware whose impact moves beyond cyberspace into the physicalworld, with potentially deadly consequences. National security space systems are also cyber-physicalsystems engaged in processes critical to the nation’s security, so it is natural and appropriate to beconcerned about cyber threats like Stuxnet.Stuxnet-like attacks are not simple to execute; the attackers are challenged in testing the attacks in arepresentative environment and understanding the effectiveness of a particular attack after it hasbeen deployed. In this regime of cyber conflict, the defense has significant opportunities to improve itsprospects for protection. For example, introducing variability in a particular system may make thedesign of an attack more challenging. Creating countermeasures that introduce uncertainty forattackers can also be an effective defense, and in some cases, even act as a deterrent.Still, the challenge of defending national security space systems from Stuxnet-like and othercyberattacks is daunting, especially if the adversary is an advanced persistent threat actor. Recenthistory has made it clear that these threats cannot be entirely kept out of any system importantenough to attack. It is prudent to assume that such adversaries may already be in U.S. spacesystems, or will eventually be, and therefore the biggest cyber challenge has become what to do oncethey are in.Aerospace is building upon one of its core strengths, information assurance, by adding to existingcorporate expertise in the area of computer science engineering and technology. The corporation is
working to understand the vulnerabilities posed to space systems via cyberattack. Aerospace isleveraging its expertise across the national security space community and is working closely withother FFRDCs to better understand the challenges and opportunities presented in the world of cyber.Mission ResilienceAccording to recent studies by the U.S. Air Force Scientific Advisory Board, the viability andpredictability of successful attacks from advanced persistent threat actors mandates that attention befocused on the need for the United States and allied military forces to be able to “fight through andcontinue to operate” in the presence of attacks on the cyberspace infrastructure. The need formissions to be resilient in the presence of attacks and counterattacks has always been apreoccupation of military strategists and tacticians. However, the difference now is that attacks maybe launched and conducted in part or in whole in cyberspace, and many traditional yardsticks bywhich to measure the resilience of missions (and of the systems they use) are no longer sufficient oreven applicable.Migration from a protection perspective to a resilience perspective requires several key activities.Resilience implies that the functionality of a system will continue despite the challenges that comewith an attack. While continuity of missions is a key goal of resilience, continuity at full strength of allaspects of an entire mission is unrealistic—invariably the mission would be somewhat degraded. Inthis case, one solution might be that some lower-priority tasks have to be discarded—lowerperformance for certain missions may be acceptable and some “nice to have” sources of data may bediscontinued.Designing for resilience requires a thorough understanding of what the critical cyber components of asystem are and how they impact a mission. These could be low-level items such as a database orswitch, or a higher-level subsystem, such as command and data handling or a mission planningsystem. Identifying these elements requires an in-depth understanding of the mission, how it isperformed (tactics, techniques, and procedures), the elements of information required to conduct themission, the interdependencies among those elements, and the cyber components that are necessaryto the flow of those elements. In the case of space cyber, analyzing criticality of components requiresan intimate knowledge of the satellites, payloads, mission planning software, and the mission effect ofthe national security space system’s products.Aerospace is supporting the Department of Defense in developing policies that extend to theseprogram protection areas. As part of the Mission Assurance Improvement Workshop, Aerospace isworking with the government and contractors to develop guidance for acquisition, development, andoperations to improve space segment information assurance and mission resilience. Aerospace isalso conducting research on the impact to space systems resiliency when trust in critical information islost in varying degrees as a result of cyberattacks and other threats.Implicit in mission resilience is that some particular functionality in a system may have to be sacrificedto enhance the continuity of the mission. Limiting the loss of functionality may not always be possibledepending on the overall architecture (software and hardware) of a system. Identifying the mostcritical cyber components enables tactics for resilience to be employed in a cost-effective way, suchas introducing redundancy of critical components but not ancillary ones, or architecting systems toallow for separation and isolation of mission functions.Monolithic systems are quite challenging to secure from cyberattacks because even an attempt tosacrifice some functionalities to save others may not increase security by an appreciable amount. Forexample, intermixing mission-critical ground segment functions on the same local networks asnonmission-critical functions may not only compromise the security of one function, but also mightprevent the implementation of any measures to reconstitute another impaired function. Similarly, theinformation architecture on spacecraft may depend on a single spacecraft bus to the extent thatisolation of compromised payload functions may not be possible, jeopardizing the mission impact ofthe other payloads involved. The goal is to understand the role of cyber-critical components, allowingfor a carefully articulated assurance profile that reflects different degrees for some elements, ratherthan one uniform bar that is so high as to be effectively ignored, or so low as to be useless.In support of national security space customers, Aerospace developed a framework for assessingsoftware architectures to ensure they are being built to meet current and future mission needs. Theframework has been extended to include emerging needs for system and mission resilience,especially related to mission resilience in the contestedcyberspace domain. This enhanced assessment frameworkis being applied to ongoing customer programs, and refinements are being introduced based onlessons learned.
Traditional domains are characterized by kinetic activity; the cyberspace domain is characterized byvirtual activity. While threats against national security space assets and information may involve anyand all domains, particular attention is focused on "space cyber," found at the intersection of spaceand cyberspace.One area that is notoriously difficult to secure is conventional Web-based architectures (designedusing World Wide Web technologies). To address this challenge, Aerospace is exploring new Webarchitecture concepts, which are compatible extensions of conventional techniques, and are expectedto enable trusted sharing among mutually suspicious networked parties.One foundational component of mission continuity while under attack is cyber situational awareness.To effectively defend a system there needs to be knowledge that an attack is underway. The words“under attack” evoke thoughts of distributed denial of service attacks coming over a network, but amore accurate definition may be that the system is compromised, and that action by an adversary ishaving an effect on the system or its information. For example, a system under attack could be one inwhich data in a system has been altered, or one for which certain command sequences to a satellitehave been modified to achieve a desired effect.Recognizing when such sophisticated attacks are underway is perhaps the greatest challenge ofcyber situational awareness. By comparison, recognizing that data is being exfiltrated from a systemis a relatively simple task. For example, a rudimentary form of an attack recognition process involveschecking the checksum of an executable program to determine if it has been modified. While thisprimitive check can be easily circumvented, the introduction of a number of simple consistency checkscould significantly enhance situational awareness and make it more difficult for compromises to goundetected. However, sometimes understanding the cyber situation proves more challenging.Situational awareness may require the use of multiple sources (trusted to different extents) to identifydiscrepancies in systems; likewise, warnings and indicators signaling an attack may be underwaymight require more sophisticated follow-up analyses to confirm the existence and nature of the attack.Aerospace is working with DOD, the intelligence community, and the civil space sector on informationassurance and cybersecurity services. This chart details some of Aerospace’s customers and thework being done for them in the cyber realm.Aerospace has a broad spectrum of research projects underway that are focused on developingtechniques and technologies for cyber situational awareness. One project looks at individual satellites
and addresses onboard techniques for autonomous threat detection, assessment and recovery, andthe design of feasible trusted computing and communication mechanisms on board. A second projectfocuses on the design of a distributed system-of-systems architecture that enables timely sharing ofmultiple-source threat/attack data to concurrently generate and update local and global situationalawareness pictures and conducts collaborative assessment with tailored information sharing ondemand. A third project addresses enterprise-level network anomaly detection, and a fourth exploresthe use of satellite-based communication to introduce timely trust assessment of routers in a TCP/IPnetworking architecture.Resilience in systems also requires the identification and development of countermeasures that canbe automatically triggered or put in the hands of system operators. Countermeasures are wellunderstood in the air and maritime domains, but they are not as well understood in the cyber domain.In physical domains, countermeasures are developed to address specific attacks or specific classesof attacks (e.g., heat-seeking surface-to-air missiles). In the cyber domain, countermeasures arerarely focused on specific threats because they are evolving so rapidly. Countermeasures need to bemore generic and address broader classes of attacks.Defensive countermeasures in the cyber domain might involve a simple virus check, or they could beas complex as presenting to the public interface a honeypot or honeynet—a deceptive substitute for the actual system under attack—or modifying the network topology(disconnecting some systems or subnetworks, and reconnecting them only when adequate boundarydefenses can be employed). Another possibility involves reconstituting a system on alternatehardware or software, or reconstituting databases from known trusted sources. How to reconstitutesystems by automatic or semiautomatic migration of computational and informational objects is anongoing area of research at Aerospace.Cyber countermeasures, much like those in the air, terrestrial, and maritime domain, are generallyintended to get a system into a configuration that may be degraded in functionality but is moreresistant to continued attack. Developing and employing such countermeasures requires a clearunderstanding of classes of attacks (at different levels), strong knowledge of the critical componentsof a system that are needed to continue to operate, effective predictive modeling of the potentialconsequences of employing countermeasures, and decision aid tools for the employment ofcountermeasures that require human intervention. The choice of which countermeasures to employmay depend on the degree of confidence operators have that the actual cyber situation is wellunderstood, and that the countermeasure will achieve the desired effect.This illustrates that an essential component of national security space mission resilience is thevigilant, well-trained operator. While defense of cyber systems will require someautonomous response, human engagement will nearly always be required. Aerospace anticipates thatthe current organizational distinctions between cyber operations specialists and space system andmission operators will be refined over time to yield more effective and timely responses to adversarialcyber intrusions and attacks. Future national security space systems operators will need significantlygreater training in cyber situational awareness, in the understanding and use of countermeasures,and in the ability to use systems with degraded functionality. The Aerospace Institute, the educationand training arm of The Aerospace Corporation, is developing a cybersecurity curriculum designed toaddress some of the needs found at the intersection of space and cyberspace.FURTHER READINGAerospace Report No. TOR-2011(8591)-22, “Space Segment Information Assurance Guidelines forMission Success” (The Aerospace Corporation, El Segundo, CA, 2011).D. Alperovitch, “Revealed: Operation Shady RAT. An Investigation of Targeted Intrusions Into MoreThan 70 Global Companies, Governments, and Nonprofit Organizations During the Last Five Years,”McAfee, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf (as of Nov. 8,2011).W. Hennigan, “Taking iPads Into Battle,” Los Angeles Times, Sept. 25, 2011.McAfee Labs and McAfee Foundstone Professional Services, “Protecting Your Assets. LessonsLearned from Operation Aurora,” McAfee, http://www.mcafee.com/us/resources/white-papers/wp-protecting-critical-assets.pdf (as of Nov. 8, 2011).K. Stouffer, J. Falco, and K. Scarfone, Guide to Industrial Control Systems (ICS) Security (NationalInstitute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-82,June 2011).
Technology and Innovation Subcommittee Hearing, “The Next IT Revolution?: Cloud ComputingOpportunities and Challenges,” http://science.house.gov/hearing/technology-and-innovation-subcommittee-hearing-cloud-computing (as of Nov. 8, 2011).United States Air Force Scientific Advisory Board, “Defending and Operating in a Contested CyberDomain Abstract,” https://www.sab.hq.af.mil/TORs/2008/Abstract_Cyber.pdf (as of Nov. 8, 2011).