The Cyber-Digital Battlefield: Part 3
Protecting Systems of Systems

Understanding cyberthreats

Intelligence agencies and the military have a deep understanding of cyberthreats, and they have developed some of the most advanced methods to secure embedded systems. The Department of Defense (DoD) has long partnered with universities and the private sector on research and development of technologies from the internet to advanced cyber-physical systems. Now, to increase deployment speeds, the military is commissioning and acquiring more off-the-shelf, plug-and-play systems rather than developing purpose-built equipment. “There is a big push across the DoD to move away from the traditional system procurement model, which is extremely expensive, extremely slow, and doesn’t always lead to a desired outcome,” explains Irby Thompson of Wind River. Going forward, the military will be working more and more with commercial software developers, AI vendors, cloud service and network providers — all part of the backbone of the intelligent edge.

For any organization that will rely on an intelligent edge, this is an opportunity to reach for a level of security that has not been present in the push to advance edge capabilities, during which many products have been rushed to market without anyone thinking through the security implications. “Most of the people who run critical infrastructure are not security experts,” points out Thompson. “They look to hardware and software providers to tell them what needs to be done. We’re bringing the intelligence behind decades of work with the DoD architecting security for military and government systems. And we recognize that many IoT devices share a lot of the same threat space. We’re bringing that knowledge base to all our clients.”

“Imagine a world of AI-powered devices ingesting information through electronic eyes and ears, like humans do, then consider, if compromised, how many surrounding 5G networks these devices may leak data through. 5G is shaping up to be a black hole of data exfiltration.”
 
—Paul Shomo
Independent digital forensics analyst

How Hard Is It to Hack the Government?
Three recent incidents demonstrate that not all threats to military, intelligence, and critical infrastructure come from state actors. Any combination of lax security in hardware, software, data, or systems can open the door to compromise. For example:

Reverse engineering an embedded device: An eBay posting (since deleted) offered a computer for sale; the seller wasn’t sure whether it was operating correctly, but did mention that a sticker on the system read “Controlled Cryptographic Item,” a National Security Agency term for equipment used to perform critical communications security functions. In the wrong hands, such controlled devices can be reverse-engineered unless they are decommissioned or programmed with a self-destruct option to prevent tampering.

Fitness trackers used to map military installations: In 2018, the fitness company Strava released detailed geolocation information of the exercise routes of its users, thousands of whom happened to be soldiers who had been supplied with fitness trackers through a DoD pilot program, according to RAND Corporation. The maps Strava released were so detailed that they potentially revealed hidden U.S. military bases and camps, exposing the life patterns of military personnel and civilians. As a result, the military changed its policy to forbid deployed service members from using apps or devices such as Strava.[15]

Back doors through open source, tools, and third-party components: The FBI issued an alert in 2020 after hackers stole data from U.S. government agencies and enterprise organizations via internet-exposed and insecure SonarQube instances. SonarQube is an open source platform for automated code quality auditing and static analysis to discover bugs and security vulnerabilities in projects. The SonarQube hack is a reminder that the tools that are supposed to help create secure software can also become threat vectors.[16]


Fitness trackers were banned by the military after an app released maps showing exercise routes of its users, potentially exposing hidden U.S. military bases.

Nearly half of U.S. companies using IoT have experienced security breaches. One of the issues is the “sheer diversity of edge and IoT infrastructure,” explains Mary Shacklett, president of Transworld Data. “The edge can be a network node, a sensor, a gateway, hardware, or application software. There are many moving pieces and many different vendors providing them. The end results are more vulnerabilities and heightened security risk.”[17]

Some of the weakest points in any cyber-physical system occur where discrete technologies connect through insecure gateways. Many systems were never designed to work together, and many devices — particularly in healthcare and industrial settings — become vulnerable when they are connected to the internet.

Hackers have already wreaked havoc by infiltrating connected IoT devices. “Paradoxically, they usually aren’t targeting device owners, who often remain unaware of security breaches. Instead, the hackers simply use IoT devices as starting points for attacks directed against another target. For instance, the 2016 Mirai attack used IoT devices to attack the internet infrastructure, causing shutdowns across Europe and North America that resulted in an estimated $110 million in economic damage,” according to McKinsey.[18]