1. nss2013_profile_0410_pg12,14.qxd 4/1/2013 12:04 PM Page 1
12 www.spacenews.com
April 10, 2013
29TH NATIONAL SPACE SYMPOSIUM
OFFICIAL NEWS SUPPLEMENT
PROFILE Riley Repko
PRESIDENT AND CHIEF EXECUTIVE, TRUSTED CYBER SOLUTIONS
The Mental Game
Of Cybersecurity
T
he past year has brought re- requires a different way of thinking, says
ports that unauthorized signals Riley Repko, a retired Air Force officer
had been sent to a pair of and former civilian adviser to the service
NASA Earth observation satellites and, on cyberoperations. U.S. military think-
more recently, that a group based in ing often is compartmentalized and driv-
China had hacked into the computer en by lengthy program development
networks of numerous U.S. companies, cycles, which he says are liabilities in the
including those involved in the satellite face of a threat that is ubiquitous, col-
business. laborative and evolving at the pace of
Meanwhile, U.S. military and other technology.
government officials have been warning The U.S. military does a good job of
that their computer networks are under protecting its networks, said Repko,
constant attack. At a time when the who in addition to running a consultan-
Department of Defense (DoD) is cutting cy is a senior fellow in cybersecurity
back almost all of its activities, U.S. Air with Virginia Tech. But every network is
Force Space Command, which is respon- only as strong as its weakest link, and
sible for cyberoperations, is dramatically this often can be found in outside
expanding its workforce at bases respon- organizations with which the military
sible for that activity. does business.
But protecting against the threat Repko spoke recently with SpaceNews
requires more than just manpower; it Editor Warren Ferster.
SPACENEWS PHOTO BY MIKE MORONES
How vulnerable are military space networks to ence on this vulnerable technology is vir-
cyberattack? tually a very clear target to the very
clever community of hacker adversaries.
The issue is nearly every conceivable
component within DoD is networked We’ve heard a lot of talk that the biggest prob-
and space systems are no different. In lem is the theft of intellectual property.
fact, I feel they epitomize the value of command and control jamming, and It’s certainly possible, but in general it
data being properly managed and DoD and its contractor base have already command and control exploitation or would be more likely that such adver-
soundly secure. These networked sys- sustained staggering losses of system usurpation. The first two represent the saries would jam links rather than seek to
tems and components are inextricably design information incorporating largest threat surface for satellites. All take control of the satellites. Satellite
linked to the department’s ability to decades of combat knowledge and expe- satellites could be vulnerable to com- control is provided by operators through
project military force and the associated rience that provide adversaries insight to mand and control exploitation or the virtual private networks. Commands
mission assurance. Yet these networks where we are today … virtually leapfrog- usurpation — while this is perhaps the are uploaded to the satellites on encrypt-
are built on inherently insecure archi- ging our investment for their own bene- most effective attack in the long run, it’s ed links. The links are certainly vulnera-
tectures that are increasingly using for- fit. This is a real challenge as stealing also the most difficult to execute. ble to jamming but most satellites have
eign parts embedded in our systems. intellectual property is big business and Satellite control networks are typically alternative frequencies to provide con-
While DoD takes great care to secure the severely hurts our innovative base, much operated on closed networks that do not nectivity to the spacecraft. If the com-
use and operation of the hardware of its of it residing with small and mid-sized connect to the Internet. Finally, the mand links are interrupted, most satel-
weapon and satellite systems, the same innovative technology businesses and insider threat is always a major concern lites are able to operate independently
level of resource and attention is not academia. from a cybersecurity perspective, espe- for days or weeks at a time.
spent on the complex network of infor- cially at the operator level.
mation technology (IT) systems that are What are the specific threats to satellite networks? Is there such thing as a closed-loop network or
used to support and operate these How plausible is a scenario in which a U.S. mili- do all networks have some level of exposure to
weapons or critical IT capabilities There are a variety of threats against tary or civil-government satellite system is taken
embedded within them. DoD's depend- satellites, particularly uplink jamming, over or rendered inoperable by a cyberattack? SEE REPKO PAGE 14
2. nss2013_profile_0410_pg12,14.qxd 4/1/2013 12:04 PM Page 2
14 www.spacenews.com
April 10, 2013
29TH NATIONAL SPACE SYMPOSIUM
OFFICIAL NEWS SUPPLEMENT
REPKO FROM PAGE 12
cyberthreats?
There are plenty of purely isolated DoD
networks that are air-gapped from the
Internet, and are therefore relatively
immune to traditional Internet-based
cyberattacks. The JWICS [Joint
Worldwide Intelligence Communi-
cations System] is an example. However,
many of these networks use the same
fiber-optic infrastructure as the Internet
or are tunneled across links of the
Internet, so major Internet outages
could cause outages to portions of these
networks.
Some of the Pentagon’s space-related networks,
such as the one that runs the Joint Space
Operations Center, rely on badly outdated com-
puting infrastructure. Is that a liability from a
cybersecurity point of view?
There are a number of viewpoints on
this topic. Older hardware and software
have pros and cons when it comes to
resiliency against cyberattacks. In partic-
ular, older software is much less com-
SPACENEWS ILLUSTRATION BY LANCE H. MARBURGER
plex, and therefore is less likely to con-
tain implementation flaws that would
allow for its exploitation. However,
newer, more complex software is able to
take advantage of more intelligence that
enables resilience under attack. The key
liability would come from the infrastruc-
ture’s inability to leverage newer adapta-
tion algorithms that would provide some Are networks that integrate commercial off-the- Can you be more specific? advanced awareness of the capabilities
resilience to an attack. shelf (COTS) software products more vulnerable than and capacities sought in cybersecurity
those that run on proprietary software systems? End points can be anything — tactical will require many of what I call the 18th
Can computer network modernization programs radios, cellphones, even desktop com- century, silo-driven thinkers to think
introduce new vulnerabilities to cyberattack? Security through obscurity has been puters in the Pentagon. A typical mili- much differently. Collaboration will be
the mantra for use of proprietary sys- tary scenario involves a communica- paramount to finding new, nontradition-
Of course. Any new technology achieves tems. This generally provides some tions satellite link to a terrestrial net- al and innovative insights and solutions,
functionality before it achieves security. level of security against the broad hack- work, which could be distributed using independent of the classification issues.
New technologies offer new attack vec- er community, but provides no addi- wired Ethernet to desktop computers, These can always be worked.
tors that were not present in older tech- tional security against nation-state-level or could be connected to a cell base sta-
nologies. However, newer technologies adversaries who have the financial tion providing service to smartphones What, in general, can the government do to prepare
also introduce new ways of coping with resources to obtain and reverse engi- and tablets. In terms of command and itself against cyberthreats that it cannot see?
such exploitation. There is no such neer target systems. COTS products control usurpation, these devices are
thing as perfect security as advances in have the advantage of much wider much more vulnerable than the satel- The best defense against the unknown
technology will always outpace our abili- deployments that generally reveal secu- lite infrastructure. Satellite end user cyberthreat is intelligence. We cannot
ty to effectively secure our networks rity vulnerabilities much more quickly devices have very similar vulnerabilities build a firewall to protect against an
from attackers. because there are many more eyes look- as other networked devices using terres- unknown threat; however, if we have
ing at the product. trial systems. intelligence analysts tracking the bad
Does the adoption of Internet Protocol technology cyberactors across the globe, under-
for space programs raise the risk of computer You’ve said cyberhackers look for the weakest Are there cultural issues in the Air Force that get in standing the types of attacks they are
attack? link to break into computer networks. When it the way of efforts to improve cybersecurity? employing, and the targets against
comes to government space networks, where which they seek to employ them, we can
Internet Protocol means that systems are might hackers look for the weakest link? The military in general has a procure- get out in front of the threat. It comes
now addressable on the network, which ment timeline of 10 to 30 years for major down to leveraging signals intelligence,
can potentially increase an adversary’s The weakest points are generally at the strategic systems. This can cause major human intelligence and other resources
ability to access them using common edges, not the core, and the space net- problems in an environment where the to understand what the credible
protocols. However, as long as the sys- works represent the strategic core. technology is changing every month; I cyberthreats are against the United
tems have the appropriate safeguards, Attackers would generally have more like to say, “This technology depreciates States and ensuring we know about the
they may not be any more exploitable. luck attacking the end point devices. like a head of lettuce.” Having the attacks before they happen.