Defence contractors and the military are charged with keeping national military secrets safe and are expected to employ the highest levels of security on their networks and computer systems.
When these defences are breached, it implies cyber attacks by hackers or enemy states have defeated security systems which failed to stay a step ahead. This made it particularly shocking when cyber attacks against supposedly secure sites made headlines over the last few months, with three particularly notable incidents.
Three key attacks
In May 2011, Lockheed Martin was subject to a significant cyber attack, widely held to have originated in China. The company said its security team had identified the threat immediately and ensured none of its systems had been compromised.
Japanese defence giant Mitsubishi Heavy Industries did not come off so lightly when its systems were breached in August. The company denied any data was taken, but a source close to the incident told media that one of 300,000 illegal accesses to the company’s server resulted in the transmission of a large volume of data, suspected to concern the Type 80 ASM-1 missile.
In a third incident in October, a computer virus which records every keystroke made by operators was detected in the ground control systems (GCS) used by operators to remotely control armed drones on overseas missions. The attack hit Creech Air Force Base in Nevada, from which pilots control armed Predator and Reaper drones which have been used in Afghanistan, Iraq, Pakistan and Libya.
The GCS cockpits are not connected to the public internet for security reasons, so it is likely the virus was introduced via a removable storage device, the use of which is severely restricted by the military.
A holistic approach
Attacks of this nature have been happening for decades, but only recently have they been disclosed to the general public. According to Tom Burton, Head of Cyber for Defence with Detica, BAE Systems’ information intelligence division, this is no bad thing.
"I think that the publicity that surrounds these attacks is helpful because it increases the awareness of potential target companies," Burton said.
"Making cyber attacks a board-level issue means it isn’t delegated to the IT security manager but is treated by chief executive officers in the same way as other major risks."
Burton believes the cyber domain is as important as traditional theatres of war and should be treated similarly. "With the ascendency of cyber threats, this is a new domain beyond land, sea and air, over which adversaries try to achieve the same ends – commercial or national advantage – using a different set of ways and means," he added.
Detica’s cybersecurity portfolio takes into account the adaptability of the humans behind the ever-evolving attacks by searching for patterns that could identify a security breach rather than taking the antivirus approach of looking for a signature that might identify a particular virus or Trojan.
Such a pattern could be the events that follow an email being read and a dangerous attachment being opened. These methods of detecting the pattern of attacks form the basis of future cybersecurity solutions Detica is researching, which could spot insider threats as well as external assaults and take the appropriate action.
Detica is also working on ways in which employees can carry out standard internet browsing seamlessly in the same environment as working with the company’s most sensitive intellectual property without compromising security.
"Separating the high-risk activities from the high threat, high impact activities enables companies to further increase their defences," said Burton.
The non-networked attack
Organisations need to be aware that not all cyber attacks originate over the internet.
Some military systems, including the remote UAV ground control systems (GCS) at Creech US Air Force Base, are non-networked – a security measure known as ‘air-gapping’.
Elizabeth Quintana, Senior Research Fellow, Air Power and Technology at the Royal United Services Institute (RUSI) has a background in aerospace and control systems.
"The US has a ban on memory sticks and portable storage devices, so the fact that this virus came in from an unrelated source is an indication of quite a serious security breach," she said. "Networked military systems like the GCS often use portable disks to transfer data from one system to another, but unfortunately it shows vulnerability."
Quintana says as far as she is aware, this is the first time UAVs have been subject to this kind of attack, but the implication they could be affected is worrying.
"If UAV signals were intercepted and controlled by somebody other than the pilot at the ground control system, that has serious implications. If an armed UAV is used to commit war crimes it is on the head of the military that allowed it to happen."
Quintana believes the recent attack would not have a detrimental effect on UAV operation, but the fact the virus was introduced at all has implications about the checks and processes that personnel go through, not just the computer security.
Protecting data in transit and at rest
One company with an insight into ensuring security of data in storage devices as well as during transmission is broadband satellite communications and security specialist ViaSat. ViaSat’s business areas incorporate encryption of data at rest on a storage device, secure communications, satellite communications and blue force tracking.
Alan Back, Business Development Director, said this end-to-end service delivery enables ViaSat to ensure security at all points.
"We provide security solutions for military and government customers looking to protect their own data. Satellite communications is just one medium over which that data travels," Back said.
"There is data travelling out and back in, so there are two points where that data meets. We fit our KG range of in-line data encrypters at either end of that line to keep it secure."
ViaSat’s encrypters are accredited as secure by US authorities, and the company’s latest product range, Eclypt Nano, brings the same level of security to data at rest. The ruggedised, waterproof USB storage devices are certified to Top Secret level by the UK Government’s Communications-Electronics Security Group (CESG).
"If it was used by an unauthorised person without the key, Nano simply wouldn’t work," explained Back. "The device is effectively dead and the data at rest is secured."
ViaSat’s technology would not currently address the problem of the virus introduced at Creech, but a solution could be incorporated, Back said.
The human factor
It is clear that no cybersecurity technology will be 100% effective without taking into account the human factor through screening and training.
"It is increasingly important for organisations to increase the awareness of their entire workforce," said Burton. The technology works best when operated by the right people.
"It’s about having the right experts monitoring the network who are able, using intelligence derived from an element of automation, to make a judgement call as to whether it is an attack or not, and if so what action to take."
In a worst-case scenario, without taking into account the human factor, impenetrable cybersecurity technology could prompt adversaries to approach individuals in the workforce to act as an insider threat.