July/August 2005 issue
Camouflage communications

Matthew Stibbe
The fog of war may soon give way to the cloud of the network,
but that brings its own problems.
John Pringle embodies a paradox of information security in the
military today: you’d think it’s all ultra-tech James
Bond gizmos, but much of it is actually very familiar to commercial
users.
Major Pringle is a member of the British Army’s elite IT
security unit, the Land Information Assurance Group and commanded
a forensic IT unit during the second Gulf war. However, he is an
army reservist and in Civvy Street Mr Pringle does pretty much the
same job.
His unit was formed in 1998 when the Ministry of Defence recognized
a growing threat to military systems from internet connections.
The unit has around 40 reservist officers, all experts in their
fields.
“We’ve found the issues that face the military are
paralleled by the same threats that bother industry,” he says.
“If we were in the civilian world we’d probably be one
of the biggest independent security consultants in the UK.”
His experience in the Gulf, where his unit provided the coalition’s
entire computer forensic effort, illustrates the cognitive dislocation
of doing a familiar job in extraordinary circumstances. They had
to put together a complete forensic solution that could be deployed
overseas in a matter of weeks. With the help of Ibas, a digital
forensics consultancy, they were ready in time.
The “Op Telic Gold Card”, a reference to the British
code name for the war effort, meant that money wasn’t a problem.
But that was the only easy part. The unit arrived in Baghdad two
or three days after the fall of Saddam Hussein and had to operate
in tents in searing temperatures. Working with coalition forces
and in near-real time were unique challenges. Sometimes an Iraqi
would walk in with a laptop and Pringle’s outfit would have
to scan it while intelligence officers interrogated him.
In a few months the unit handled 5,000 items and two terabytes
of information. Characteristically, Pringle downplays the effort.
“(It was) nothing that any commercial firm couldn’t
do if it was asked.” But he adds: “The bullets flying
and the Scuds overhead were an extra.”
Business as usual
Within the armed services, there is a distinction between the REMFs
(the support staff, administrators and brass) and the grunts (the
front-line soldiers, sailors and airmen). The further you go from
the front line, the more the armed services look like a regular
business and face the same problems.
For example, there have been several stories of defence ministry
officials losing laptops stuffed with confidential information.
This is also a problem for businesses. However, strict classification
rules mean that the military need more robust protection. For example,
earlier this year, the German Bundeswehr signed a contract with
Utimaco for 20,000 copies of its laptop encryption programme.
“We really need high-level protection. A notebook that belongs
to someone in the Bundeswehr is a very tempting target for a thief.
For us, espionage is not just an abstract risk; it is a real threat
which we must protect ourselves against,” says Lt Col Peter
Warnicke, IT security officer for the Bundeswehr.
Collaboration and independence
In other ways too, the armed services resemble civilian companies.
The political and military coalitions that fight most wars nowadays
look a lot like business joint ventures and outsourcing. And they
present the same challenges. “You need interoperability, but
not too much,” says Simon Wiseman, a QinetiQ Fellow. QinetiQ
is the privatised UK defence laboratory. Not too much? The services
might be in a coalition today with nations that were adversaries
recently or which may become adversaries in future, he explains.
Take for example Operation Combined Endeavour 2005 in Lager Aulenbach,
Germany in May this year. Over 1,200 personnel from 43 countries
combined to test communications interoperability for humanitarian
and peacekeeping operations. This included satellite communications,
video conferencing, voice over IP and IP networks with support from
NET Federal, a specialist in secure communications and interoperability.
“Ultimately we want to make sure that when a crisis occurs,
such as a natural disaster or a peacekeeping mission, the military
units of a multinational force can immediately work together and
communicate effectively,” says Lt Col Joseph Angyal, the Combined
Endeavour exercise director.
Critical infrastructure
Commercial systems may be in the front line of future wars. In late
May, Wired News reported that the CIA ran a war game called ‘Silent
Horizon’ to simulate a massive electronic attack on the USA.
The fear of a digital Pearl Harbour has been around since the attacks
of 11 September 2001. Indeed when widespread power failures struck
the northeast United States in 2003, many thought that they were
the result of a terrorist attack.
While some downplay the risks, there is evidence that interconnected
systems are vulnerable. In 2003, the New York Times reported that
the US Nuclear Regulatory Commission found that the Slammer worm
infected the computer network at a nuclear power plant and disabled
its safety monitoring system for nearly five hours.
In the UK, the NISCC (National Infrastructure Security Co-ordination
Centre) was formed in 1999 as an inter-department centre to protect
the country’s critical national infrastructure, more and more
of which is run by the private sector. While other branches of government,
notably the intelligence services, work to disrupt potential attacks,
NISCC’s role is more to raise consciousness, communicate dangers
and precautions, and research. It is not a trivial effort; this
year it will involve around 85 staff and cost £10m.
This is also a risk to the armed services. “The military
is putting more and more things on the internet and it has to interconnect
with more and more non-military agencies,” says Major Pringle.
“As you start opening up networks and making information more
accessible, that increases the threat profile.”
Unique military challenges
Even though the line between military and civilian security is blurring
in areas such as the crossover of personnel and techniques or with
the growing attention to critical national infrastructure, there
are still some unique challenges to military security.
For a start, national defence is the most critical of critical
missions. Get it wrong and lots of people die unnecessarily. Not
only that but the system has to work under war conditions. In the
words of a consultant at Siemens, who wished to remain anonymous,
“You’re looking to provide a service not only in good
times, but potentially in very, very bad times. Best endeavours
ain’t good enough.”
Not only that but military systems have to operate in the presence
of an active enemy. QinetiQ’s Wiseman says: “The military
mind always asks ‘how can you make sure that it always does
that, even if someone is trying to break it’. It’s an
assurance question.”
Paranoia strikes deep
“The threats we see today have lots of available resources
and the will to continue regardless,” says Mat Smith, client
manager at Telindus, a systems integrator.
The result is a level of paranoia far higher than you’d find
in most commercial organisations. “If pen testers can’t
break into your system, that (still) doesn’t cut it,”
says QinetiQ’s Wiseman. The military worry about how to foil
a determined enemy who knows more than you and can invest time and
resources to find very sophisticated ways to attack your systems,
he says.
The responses to these challenges also transcend what is normal
in the civilian world. In the first instance, the armed forces can
rely on their command hierarchy and discipline to enforce security
policies. In addition, men with guns provide great physical security.
But it goes deeper. “We allow only trained, qualified, vetted
UK military personnel on our systems,” says Major Pringle.
The classification system affects every aspect of military information
security. Military people understand how it works and apply it routinely.
The same goes for security systems. For example, every security-related
item on a military network in the UK has to be approved by the Communication
Equipment Support Group at GCHQ, part of the British intelligence
community. This can take six months or more.
This level of scrutiny applies to networks as much as to components.
“Every network must be approved for its classification. You
can’t just build a network. Someone is going to come along
and accredit you,” according to Telindus’s Smith. The
result is walled gardens and networks that don’t. It’s
not uncommon to see two or even five different computers on some
desks because each is on a network with a different security clearance.
Issues and challenges
This advanced level of scrutiny and higher specifications means
that the military faces some tough problems. Certification is expensive
because evaluators review the design, requirements, features and
even source code for products. Some countries, such as the UK, have
their own standards while others, such as Germany and Austria, use
so-called Common Criteria. These are more of a one-stop shop for
certification. Either way, each release has to be certified independently.
The result is that approved equipment tends to be very expensive,
lower in functionality and lags several releases behind the commercial
equivalent. Once in operation, the requirement to give users greater
control over processes means that much functionality and automation
is switched off, resulting in further expense and inefficiency.
However, the military procurement agencies are trying to buy more
kit off the shelf in a bid to lower costs. This could bring the
uniformed and civilian information clouds even closer.
A further hidden cost is the danger of conservatism. There is
much resistance to new technology such as wireless networks. “There’s
still a mentality that wiring the network is much safer in the long
term than going wireless,” says Smith. “I’m ex-Royal
Signals and I’ve gone into the field to deploy a network.
It can take you four or five hours to wire up an HQ that’s
only going to be in use for three. With wireless, you can network
while you’re [still] in convoy.”
However, just as there are significant obstacles to overcome,
digital networks and electronic communication are poised to create
what the American armed forces describe as a revolution in military
affairs. This is ‘network-centric warfare’.
And the UK is not far behind. The government in March signed up
the ATLAS Consortium, consisting of EDS as lead contractor, tier
1 partner Fujitsu Services, and key sub-contractors General Dynamics,
EADS Defence and Security Systems and LogicaCMG, to provide a new
Defence Information Infrastructure. The £2.3 billion, 10-year
DII(Future) project will create a single communications platform
for 340,000 military personnel and civil service staff and will
connect 150,000 desktop PCs, laptops and other devices at permanent
military sites, airfields and staging units as well as warships
at sea. The goal is a single network with a unified login.
“We’re talking about a mesh of multiple pathways and
hops that link warships to warehouses, intelligence to internet,”
says QinetiQ’s Wiseman. “An attacker won’t care
how you use these pathways; he’ll just attack you through
them.”
Atlas may have carried the world on his back, but he’ll need
Argus’s eyes to guard it.
Matthew Stibbe is a freelance business and technology journalist
and writes for Director and Wired among others. On the web at www.stibbe.net.