
Winning the Cyber Battle: Trusting Your Digital Assets
Digital assets are mission-critical elements of combat environments. They can be as complex as a modern fighter jet, as simple as an air purity sensor, or as commonplace as the cell phone that soldiers carry with them. Their role, from communication and intelligence gathering to their presence inside weapon systems that assist critical missions, cannot be disregarded. However, over the years, these digital assets have become complex ecosystems that are cumbersome to manage and to protect against the risks of interference and exploitation by third parties.
In this article, we explore the factors that fuel wariness among the armed forces about adopting digital assets in combat, the critical need to trust and adopt digital assets in critical missions, and the precautions that equipment manufacturers and the military can take to ensure trust in digital assets.
Introduction
In this epoch of robotics and artificial intelligence, digital assets (electronic systems that rely on digital logic and an embedded circuit to perform a task) have made inroads into almost every aspect of our lives, from communication and transportation to medical care and home automation. Their influence in combat environments has evolved commensurately.
Lenk, chief of service strategy and innovation at the NATO Communications and Information Agency, predicts that in 5 or 10 years from now, the military world will be full of devices that are talking to each other, talking to command and control systems and talking to everything! [1]
When you think about it, the benefits of using digital devices in combat are fairly obvious: improved situational awareness and logistics support, expert medical assistance (anywhere, anytime), enhanced accuracy in intelligence gathering and surveillance, secure communication, etcetera. Indeed, in modern warfare with its asymmetrical dimension, it does seem difficult to imagine military successes without the aid of digital assets.
Nevertheless, adapting to these digital devices has not been easy for the armed forces. It seems that our dependence on digital technologies is at odds with the level of trust we can place in them.
Why the distrust?
Various factors have contributed to the wariness among the armed forces about adopting digital devices in combat:
Erstwhile exploitations: There are diverse reasons why an adversary would want to compromise a device as part of the overarching aim of gaining a strategic or tactical advantage. If they can disrupt its functionality, deny its services to legitimate users, degrade its performance, deceive its users into performing unintended actions or destroy it completely, their position becomes stronger. Adversaries can do so by exploiting vulnerabilities present in the devices. In recent times, this has been realized in various digital weapons and devices. For instance, drones, digital devices used by the military to generate interference in enemy signals and for long-range surveillance, have been the subject of exploitation by enemies and insurgents over the years:
- In 2009, insurgents in Iraq compromised drones using software available on the Internet for $26 apiece. They intercepted live video feeds that were relayed back to a US controller from the drones. The information leakage revealed potential targets of the US and aided the insurgents in taking evasive action. [2]
- In 2011, a computer virus infected the drone control center of Predator and Reaper drones and monitored keystrokes during missions carried out in Afghanistan and other war-zones. The monitoring and relaying of the keystrokes during missions potentially revealed classified information to the enemy. [3]
- At the 2015 DEF CON event, security researchers successfully compromised a Parrot AR.Drone using open Wi-Fi and an open Telnet port to remotely terminate the process that makes it hover [4], thereby providing a proof of concept for the possibility of a compromise while in combat.
- In early 2016, hackers at AnonSec claimed to have developed a method for gaining partial control over one of the Global Hawk drones used by NASA [5]. However, NASA has completely denied that its drones were hijacked [6].
The empirical hacks, the proof-of-concept hacks and the blatant denial of hacks by trusted parties have instilled among the armed forces a sense of suspicion towards drones and other digital devices.
Prevalent Device Vulnerabilities: A lack of adequate security measures, or improper implementation of security measures in devices, leaves loopholes that can be exploited by malicious persons. Exploitation of these vulnerabilities can result in leakage of sensitive, classified information from the devices, putting combatants at a strategic disadvantage on the battlefield, as stated earlier. Some common hardware vulnerabilities and attacks that deserve a mention are:
- Hardware Trojan [7]: a malicious modification of the circuitry of an integrated circuit (IC). Hardware Trojans could be placed into the system by the manufacturer for debugging and maintenance tasks. However, an adversary would place a Hardware Trojan on the target hardware to cause subtle disturbances or catastrophic system failures, such as accepting inputs that should otherwise be rejected (for example, co-ordinates over a no-fly zone), leaking cryptographic keys used for secure communication, performing Denial of Service attacks, etcetera.
- Hardware backdoors [8]: similar to Hardware Trojans, but involving code that could reside in the firmware of a computer chip. Hardware backdoors can be deliberately placed by the manufacturer for testing, debugging and maintenance purposes, or could be placed by an enemy after a device has been compromised to enable them to control the system remotely [9]. Hence, their effect is as catastrophic as that of a Hardware Trojan, or maybe even more so.
- Unified Extensible Firmware Interface (UEFI) vulnerabilities [10]: UEFI is a specification that defines a software interface between the operating system and platform firmware. Existing vulnerabilities in UEFI can be exploited to install highly persistent malware on the device that would allow the enemy to control the entire system at will [11], regardless of any security measures that might be in place.
- Semiconductor doping: the process of adding impurities to silicon-based semiconductors to change or control their electrical properties. The chemicals used to alter the properties, such as phosphorus and arsenic, are widely and easily available. Doping performed by an adversary on the device helps malicious Trojans pass built-in tests that are primarily designed for reporting manufacturing or operational defects in the devices [12].
- Hardware devices, in general, are susceptible to hardware side-channel attacks such as timing attacks, power analysis and fault injection that could be used to steal sensitive information, eavesdrop, etcetera [13].
It is interesting to note that the vulnerabilities and subtle modifications of chips in the devices are virtually impossible to detect in a timely manner on the battlefield. The pervasiveness of these vulnerabilities also completely undermines the trust that soldiers have in these systems.
Poor response to vulnerabilities: Delayed remediation of vulnerabilities in devices has been a consistent concern among the armed forces. The flaw exploited in the 2009 attack by the Iraqi insurgents on US drones is said to date back to the 1990s, according to military technology analyst Peter Singer [14], and another US official stated that the flaw was finally identified and fixed over a period of 12 months [2]. Though the military was aware of the flaw, it assumed that its adversaries would not be able to take advantage of it.
The inept handling of vulnerabilities and the “security by obscurity” attitude have persisted over the years. Together with the increasing complexity of devices and the confusion over legal responsibility for security, with no single party (manufacturer, integrator or end user) assuming this role, this has undermined the confidence that soldiers have in the system as a whole.
Globally sourced technology: Nations that lack the capacity needed to manufacture computer chips for classified systems are moving production offshore. Nonetheless, nations are also concerned about the risks of using globally sourced technology for implementing and manufacturing digital devices. Counterfeit computer hardware components are viewed as a significant problem by private corporations and military planners [15].
A recent White House review also noted that there had been several “unambiguous, deliberate subversions” of computer hardware components. The specter of subversion causing weapons to fail in times of crisis, or secretly corrupting crucial data, has come to haunt American military planners. This problem has grown more severe as most American semiconductor manufacturing plants have moved offshore (to countries such as China) [16], [17], resulting in countries like China acquiring a monopoly over the manufacturing and implementation of chips and devices.
Furthermore, the Chinese government has been noted to include hardware backdoors in some commercial components manufactured in China on the pretext of preventing and investigating terrorist activities, thereby putting third-party nations at risk of being snooped on or digitally hacked by the Chinese [18], [19], [20], [21], [22]. The risk of being hacked is a concern that subverts trust in any globally sourced device.
Opaque decision making: Digital devices can make many thousands or millions of decisions each second that govern their operation and actions. Users and operators often have no visibility into the reasoning behind these decisions, so it becomes difficult to evaluate their accuracy and outcome. There have been numerous occasions where devices have malfunctioned in practice.
One instance is the malfunctioning of an antiaircraft cannon (Oerlikon GDF-005). The anti-aircraft weapon used by the South African National Defense Force is computerized and designed to use passive and active radar to obtain its target data. The malfunctioning killed 9 persons and injured 14 others. It is believed that a software glitch in the machine caused its malfunctioning [23].
Another instance is the malfunctioning of G36 assault rifles used by the Germans in combat. The German troops reported that the rifles lost accuracy after sustained firing in hot environments [24]. Likewise, during an Indonesian Navy exercise on September 14, 2016, two Chinese-made C-705 missiles failed to hit their targets after being launched from two KCR-40 attack ships [25].
The uncertainty in determining if a device would make the “right” decision on the battlefield is a matter of concern in the military.
Dependence on insecure third-party communication channels: On April 8, 2010, state-owned China Telecom rerouted U.S. and other foreign Internet traffic, causing 15 percent of all Internet traffic to travel through Chinese servers for nearly 20 minutes [26]. Although the long-term impact of this rerouting remains unknown, there is a real possibility that military information leaked during this incident.
In light of the above incident, it can be stated that third-party network providers are inherently insecure and susceptible to attacks such as man-in-the-middle attacks, snooping, sniffing, etcetera [27]. Moreover, a lack of knowledge or use of cryptographic primitives in communication channels only adds to the military’s concerns.
Why the need for trust and adaption?
Digital assets may be a strong target during Phase Zero, or pre-conflict operations. In the Internet age, controlling information is as important as influencing opinions on an international platform such as the United Nations (UN). For instance, network attacks widely believed to have originated in China have targeted diplomats from the United States and its partners, politicians, human-rights campaigners, military networks, and corporations to glean confidential information and gain influence in matters of interest to China. [28]
The Chinese government acknowledges the strategic culture of defeating an enemy prior to the onset of hostilities. Its intention is to bend the will of an adversary nation without having to resort to force [29]. In accordance with this philosophy, the Chinese government has not only carried out sophisticated computer-network operations [30], but has also been taking measures to target embedded devices. In 2007, Jonathan Evans, the Director General of the UK Security Service, MI5, stated that the Chinese “continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects and trying to obtain political and economic intelligence at our expense.” [31]
Another instance of Phase Zero operations is the injection of Trojan horses by the United States in the 1980s. American intelligence added a Trojan to gas pipeline control software to ensure that the machine, being shipped through Canada to Russia, would work erratically and could be disabled remotely. The machine was bought by the Soviet Union from Canadian suppliers to control a Trans-Siberian gas pipeline. However, the doctored software failed, leading to an explosion in 1982, an outcome that met the interests of the United States [32], [33]. Similarly, Crypto AG, a Swiss maker of cryptographic equipment (Enigma), is believed to have colluded with the NSA to rig the equipment provided to certain countries. The Swiss reputation for secrecy and neutrality lured Iranians and other nations to buy the equipment. In the aftermath, the NSA’s access to the hardware back door in the company’s encryption machine made it possible to read electronic messages transmitted by many governments [34], [35].
However, other nations focus on building the capacity of partners and influencing potential adversaries to avoid wars. Such nations do not engage in tactical approaches as the Chinese do. As a result, these nations lack the strategic advantage that the Chinese government possesses. Therefore, in order to stand side by side on international platforms such as the UN without being tactically coerced by adversary nations, these nations need to adapt to and trust their devices. They need to employ trust measures to safeguard their devices and eventually their will.
What does it mean to trust a digital asset?
The word “trust” in this context means relying on a device to effectively perform a functionality. In other words, devices should not function to aid the enemy. Examples of device abuse include:
- Spying on behalf of the enemy to glean confidential information to undermine the efforts of the armed forces using the device.
- Providing false or dated information to allies that could jeopardize a mission. An instance of this could be providing wrong location co-ordinates for the launch of a missile. The outcome of the launch could potentially kill innocent civilians.
- Inadvertently revealing confidential information to the enemy. This can be attributed to employing insecure communication channels in which the data is not encrypted, or in which the enemy possesses the encryption key to the encrypted data transmitted over the channel.
- Acting as a launch-pad for enemy attacks or taking false inputs from an adversary to mar the outcome of a critical functionality. An instance of this could be the use of the kill switch by the enemy at their will, thereby undermining the efforts of the armed forces in a mission.
- Revealing its location or the location of other assets to the enemy in the event of stealth operations. This is made possible either by insecure communication methods or by a Trojan compromising the device.
- Performing in a reduced capacity so as to disrupt the supply chains, thereby drastically impacting the performance of the military due to shortages of food, water, ammunition and other basic supplies.
How to ensure trust in digital devices?
Securing a device can be daunting, and the complexity of the chips and device functions only adds to the difficulty of providing robust security controls. However, security can be ensured.
While presuming that the hackers/insurgents/enemy have the technical prowess to hack into digital devices remotely or exfiltrate information from the devices when in possession of it, some measures that could be employed for ensuring trust include (Figure 1):
Figure 1: Ensuring trust in digital devices
- Establishing an effective threat intelligence and monitoring operation can inform operators of vulnerabilities before they impact a mission. Although not specific to device security, these operations are vital to ensure proper countermeasures are developed and deployed without undue delay.
- Adopting secure device update mechanisms can rectify vulnerabilities in a timely and secure manner. Inherently, no system is resilient against all future threats at inception. Digital devices must be developed with provisions for securely updating their software and firmware. This will allow for countermeasures against new threats.
- Ensuring a comprehensive device security assessment can alleviate the mistrust in digital devices. Hardware is the crux of any digital asset. If the hardware is compromised, all other components (firmware, software) stand compromised. Establishing advanced labs for hardware and software evaluations that identify and address security vulnerabilities is a necessity and a step towards ensuring trust. Recruiting expertise in embedded security, white box cryptography, Security on chip (SOC), and IoT-enabled devices is critical as well. An assessment may include:
– Evaluation of communication protocols for man-in-the-middle attacks, sniffing, etc.
– Source code analysis for buffer overflow attacks, information leakage, etc.
– Cryptography analysis for leakage of secret keys, implementation errors, etc.
– Hardware Analysis for side channel attacks, fault injection attacks, imaging and IC modification attacks, backdoors and Trojans, etc.
– Supply chain evaluation.
- Adopting anti-tampering technology and compromise/threat detection mechanisms in the device. This involves countermeasures that enable the detection of a compromise or a break-in. Encryption wrappers, code obfuscation, software watermarking and fingerprinting, Trusted Execution Environments (which aid in detecting and reporting unauthorized changes to the operating system or programs, and in detecting rootkits), etc. [36] are a few techniques that help achieve threat detection and prevention. In conjunction, access control mechanisms and identity management systems also help prevent the emergence of rogue devices and impersonation.
- Developing fail-safe mechanisms. These mechanisms enable devices to fail (in a safe and predictable manner) in the event of an attack or on tamper detection. One such mechanism is the implementation of hidden kill switches in devices. Such switches make it possible to disable computer-controlled military equipment from a distance if the device falls into enemy hands.
- Implementing cryptographic primitives can ensure secure communication (authentication, integrity and confidentiality of the information in transit) over third-party communication channels, and secure over-the-air patching and updates to the devices. It is increasingly important in today’s combat environment to use cryptographic primitives because enemies and potential adversaries are rapidly acquiring “jamming” and “hacking” technologies, giving them the ability to interfere with and compromise device operations. To achieve secure communication, device manufacturers can embed secure elements such as a Trusted Platform Module (TPM) into the device. Secure elements are specialized chips on an endpoint device that store encryption keys, perform cryptographic computations, and authenticate the device.
- Implementing trusted computing. This involves building a Trusted Computing Base (TCB) into the device. The TCB is the set of all hardware, firmware, and/or software components that are critical to the device’s security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system. It contains four primary security mechanisms: a security policy, identification and authentication, labeling, and auditing. TCBs are usually accompanied by Trusted Execution Environments (TEE), a secure area of the main processor that evaluates the code and data loaded onto the chip for confidentiality and integrity. The TEE also provides hardware root of trust functionality. The root of trust supports features such as:
- Secure boot and secure access control.
- Secure identification and authentication.
- Firmware integrity assurance.
- Secure storage for the rest of the chip.
- Secure debug and test access control.
- Runtime protection.
- Secure field updates.
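Firmware integrity assurance and secure boot, listed above as root-of-trust features, are commonly checked by measuring each boot stage into a register and comparing the result with reference values. The following sketch is an added illustration, not code from the article or from any vendor: it uses the TPM-style extend rule with SHA-256, the stage names and images are constructed placeholders, and it assumes the reported register value reaches the verifier over an authenticated channel (a real TPM would sign it in a quote).

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 digest length in bytes


def measure_chain(stages):
    """Measure ordered (name, image) boot stages into one register.

    Uses the TPM-style extend rule: new = SHA256(old || SHA256(image)).
    Returns (final_register, event_log); the log holds (name, digest).
    """
    pcr = bytes(PCR_SIZE)  # register starts at all zeros on reset
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = hashlib.sha256(pcr + digest).digest()
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Recompute the register from an event log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def verify(reported_pcr, log, golden):
    """Check a device's reported register and log against reference values.

    golden is the ordered list of (name, expected_digest) for approved
    images. Returns (ok, reason).
    """
    # Step 1: the log must replay to the reported register; otherwise the
    # log was edited after the fact and cannot be used as evidence.
    if not hmac.compare_digest(replay(log), reported_pcr):
        return False, "event log does not match reported register"
    # Step 2: every logged stage must match the approved reference, in order.
    if len(log) != len(golden):
        return False, "unexpected number of boot stages"
    for (name, digest), (ref_name, ref_digest) in zip(log, golden):
        if name != ref_name or not hmac.compare_digest(digest, ref_digest):
            return False, f"stage '{ref_name}' differs from reference"
    return True, "all stages match reference"


# Constructed sample images (placeholders, not real firmware).
GOOD_STAGES = [
    ("bootloader", b"bootloader v1.2 image"),
    ("kernel", b"kernel v4.9 image"),
    ("application", b"mission app v3 image"),
]
# Reference digests the verifier holds for the approved images.
GOLDEN = [(name, hashlib.sha256(image).digest()) for name, image in GOOD_STAGES]

if __name__ == "__main__":
    pcr, log = measure_chain(GOOD_STAGES)
    print("approved boot:", verify(pcr, log, GOLDEN))

    # A single modified stage changes the final register and is pinpointed.
    modified = [GOOD_STAGES[0], ("kernel", b"kernel v4.9 image, altered"), GOOD_STAGES[2]]
    bad_pcr, bad_log = measure_chain(modified)
    print("modified kernel:", verify(bad_pcr, bad_log, GOLDEN))

    # Presenting the clean log alongside the altered register is also caught.
    print("substituted log:", verify(bad_pcr, log, GOLDEN))
```

Because each extend hashes the previous register value, a later stage cannot erase the measurement of an earlier one, which is why the first stage has to be anchored in hardware.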
Conclusion
War zones are being digitized. In addition to the indisputable benefits that these digital devices provide, the low cost of many of these technologies (sensors, drones, etc.) is facilitating their permeation into the military and industry at a rapid pace. While the security of many of these devices seems obscure, nation states across the world are vehemently researching [37] the utility, risks and challenges of deploying digital assets in war zones. Nevertheless, additional responsibilities need to be adopted to ensure trust.
All parties, from device manufacturers to end users, need to make an effort to enforce trust measures in digital devices. Security needs to be enforced throughout the lifecycle of the device: from procurement to design, development to deployment, and maintenance to retirement. The supply chain must enforce accountability and responsibility. Policies and laws need to be enacted by nation states to support the same.
Finally, discretion in ensuring that the established trust remains consistent across all domains of device operation, via practical demonstrations and comprehensive evaluations of risks versus benefits, can greatly alleviate the concerns of soldiers and help them adapt to new digital devices.
Literature
[1] https://www.afcea.org/content/?q=Article-nato-studying-military-iot-applications
[2] https://www.theguardian.com/world/2009/dec/17/sky-grabber-american-drones-hacked
[3] https://www.wired.com/2011/10/virus-hits-drone-fleet/
[4] https://www.csoonline.com/article/2970932/security/ten-scary-hacks-i-saw-at-black-hat-and-def-con.html
[5] https://www.hackread.com/nasa-data-leaked-nasa-drone-hacked/
[6] https://www.hackread.com/nasa-denies-anonsecs-claim-of-hacking-global-hawk-drone/
[7] https://en.wikipedia.org/wiki/Hardware_Trojan
[8] https://en.wikipedia.org/wiki/Hardware_backdoor
[9] http://www.dailymail.co.uk/sciencetech/article-2152284/Could-vulnerable-chip-allow-hackers-Boeing-787-Back-door-allow-cyber-criminals-way-in.html#ixzz28fcdeOdm
[10] http://www.securityweek.com/researchers-find-several-uefi-vulnerabilities; https://threatpost.com/cert-warns-of-uefi-hardware-vulnerabilities/110213/
[11] https://www.pcworld.com/article/3187264/security/uefi-flaws-can-be-exploited-to-install-highly-persistent-ransomware.html
[12] https://arstechnica.com/information-technology/2013/09/researchers-can-slip-an-undetectable-trojan-into-intels-ivy-bridge-cpus/
[13] http://gauss.ececs.uc.edu/Courses/c653/lectures/SideC/intro.pdf
[14] http://www.cnn.com/2009/US/12/17/drone.video.hacked/index.html
[15] https://www.scientificamerican.com/article/the-pentagon-rsquo-s-seek-and-destroy-mission-for-counterfeit-electronics/
[16] http://www.nytimes.com/2009/10/27/science/27trojan.html?mcubz=3
[17] http://www.homelandsecuritynewswire.com/fake-chips-china-threaten-us-military-systems
[18] https://www.theguardian.com/technology/blog/2008/oct/06/security.china
[19] http://gizmodo.com/5897493/all-chinese-made-electronics-could-be-bugged-says-former-head-of-us-counterterrorism
[20] https://www.schneier.com/blog/archives/2012/05/backdoor_found.html
[21] http://www.popsci.com/technology/article/2013-07/spy-agencies-have-banned-lenovo-computers-because-theyre-chinese
[22] http://www.reuters.com/article/us-china-security/china-passes-controversial-counter-terrorism-law-idUSKBN0UA07220151228
[23] https://www.wired.com/2007/10/robot-cannon-ki/
[24] http://www.popularmechanics.com/military/weapons/a21427/german-troops-dont-trust-their-weapons/
[25] http://www.janes.com/article/63815/indonesian-president-watches-failed-firings-of-chinese-made-c-705-missiles-at-naval-exercise
[26] http://www.foxnews.com/politics/2010/11/16/internet-traffic-reportedly-routed-chinese-servers.html
[27] https://www.wired.com/2014/03/how-huawei-became-nsa-nightmare/
[28] http://diplomacydata.com/cyber-security-and-cyber-espionage-in-international-relations/
[29] Phase Zero: How China Exploits It, Why the United States Does Not, by Scott D. McDonald, Brock Jones, and Jason M. Frazee (https://www.usnwc.edu/getattachment/eef71cb7-abe7-4410-adaf-d78d085d933e/Phase-Zero–How-China-Exploits-It,-Why-the-United-)
[30] http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military
[31] http://www.telegraph.co.uk/news/worldnews/asia/china/8597485/China-and-Britain-locked-in-cyber-war.html
[32] https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/96unclass/farewell.htm
[33] http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1&ref=science&pagewanted=all
[34] https://web.archive.org/web/20080202225034/http://www.inteldaily.com/?c=169&a=4686
[35] http://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data
[36] A Survey of Anti-Tamper Technologies, by Dr. Mikhail J. Atallah, Eric D. Bryant, and Dr. Martin R. Stytz (https://pdfs.semanticscholar.org/50b5/e90d919cc7641225281bfb84cbdaf5751d17.pdf)
[37] https://www.cso.nato.int/ACTIVITY_META.asp?ACT=8647