Network-centric U.S. military systems and the rise of CMMC

The digital revolution has enhanced military capabilities in so many positive ways. In the U.S., this is referred to as a Revolution in Military Affairs (RMA) (Stiennon, 2015). Reconnaissance through unmanned aerial and marine vessels; the use of GPS to refine target coordinates; and digital communications are just some examples of systems that have been enhanced to provide the military with enhanced capabilities resulting in a reduction of casualties and improved efficiency. However, with this network-centric dependency on digital capabilities comes an increased exposure to new attack vectors. Let’s explore where some of those vulnerabilities exist; how they can be exploited; and recommendations on how to mitigate them.

The United States military has been developing a network-centric model of warfare since the 1990s, with the goal of becoming more efficient and gaining a tactical advantage over its adversaries. The idea of being able to communicate and share information in real-time from the field was enough to spark a huge push for creating the infrastructure to support networked systems. Improving communications, developing precision weapons and sensors, and improving command and control systems all contributed to the desire to achieve network-centric warfare (NCW) systems. 

In the haste of attempting to get these systems in place, little thought was given to the possibility of network infiltration or exploitation of vulnerabilities (Stiennon, 2015). In most cases, the notion that these systems could have been exploited by the enemy state was not even conceivable. Implementing systems in air-gapped environments, such as SIPRNET, made the concept of enemy infiltration foreign, and a bit of arrogance shown on the part of the U.S. in thinking that no other nation had the technical knowhow to penetrate these systems was a recipe for disaster.

As with many organizations, silos plague the military. Communication across commands, departments and divisions is often vague, at best. As with many civilian organizations, network security staff are separate from end-point security, which are also separate from the software development teams who are more concerned about functionality than security. Legacy strategic thinking lead USCYBERCOM to be more concerned with protecting assets from physical attack rather than looking at vulnerabilities within the system itself. 

In addition to the lack of focus on system vulnerabilities, there is a lack of control of the supply chain used to support NCW efforts. The use of “common off the shelf” (COTS) products that are procured from around the globe adds to the attack surface. In the case of the F-35 Joint Strike Fighter, for example, the IEEE Spectrum indicated that there were an estimated several hundred to a thousand different chips that were difficult to trace back to their origins (Stiennon, 2015). In terms of hardware concerns, those who are writing the code for the software used in these systems hold a great deal of power. Without control over the software and firmware that is being used to program and manage systems within aircraft, precision weapons and communications systems, there is no guarantee that the system is secure. There is a need for a clear understanding of the supply chain, down to the component level. Without it, there is a possibility of software/firmware tampering, man-in-the-middle hardware tampering or malware injection into a system. 

Today, there are four capabilities that enable the Department of Defense (DoD) to modernize tactical networks: command post mobility, secure wireless communications, cybersecurity and edge computing (Kawasaki, 2019). Traditionally, physically moving command posts is an arduous task that requires many man hours of work requiring tent infrastructure, generators, network platform, cable infrastructure and satellite communications to be implemented. All the while, the battle is still going and there is a potential for a lapse in communication during the move. Next-generation, smaller, efficient command post equipment is being designed and put in the field with a tactical focus. 

New methods of wireless communications are being implemented along with these increasing mobile command posts. Transmitting classified information over wireless networks is risky business. This is best demonstrated when U.S. military drone footage was intercepted in Iraq and Afghanistan in 2009. Without the proper secure encryption, wireless communication leaves the military open to myriad of vulnerabilities. Today the NSA has established a program called Commercial Solutions for Classified (CSfC). This program allows for COTS equipment, with the proper certification, to be used for communicating classified information over wireless networks. The dependency on COTS products, even with the required certifications, still requires a certain level of trust that the supplier has control over the supply chain down to the component level.

The implementation of this newer, sleeker gear with “next level secure communications” is only as good as the source it comes from. A repeated theme in the history of the development of the Internet: first the technology is developed, then attacked, then the defense. Edge computing and artificial intelligence (AI) are the latest trend in the Internet of Things (IoT). This is also true for military solutions. Smart-sensors, analytics and AI are all being introduced into the theater of warfare to improve situation awareness. These systems are often controlled remotely through cloud-based systems improving response times and decreasing risk to soldiers. If the communications are severed, sometimes the device will be autonomous relying on computing power at the edge (Kawasaki, 2019). 

These new platforms that are being implemented are making the United States military fully dependent on digital systems. The paradox lies in the fact that digital systems make the military vastly more capable and equally, vastly vulnerable. So, what does one do? First, as mentioned earlier, having a firm grip on supply chain is imperative to mitigating interference with hardware and software. Using trusted platform modules (TPM) to house encryption keys is a start. In addition, requiring digitally signed firmware implemented in conjunction with secure boot capabilities will eliminate the risk of device tampering in transit.

Currently, the federal government is rolling out a program for DoD contractors called the Cybersecurity Maturity Model Certification (CMMC). The purpose of this program is to enhance the protection of controlled unclassified information (CUI) within supply chain. There are 17 capacity domains, five levels which process maturity, and 171 practices across the five levels to measure technical capabilities within the certification model, each building upon the last. The program requires contractors to meet specific standards and best practices that range from basic cyber hygiene to advanced cyber capabilities, each corresponding with the level of classification of information being handled (Office of the Under Secretary of Defense for Acquisition & Sustainment, 2019). The CMMC uses the NIST Special Publication (SP) 800-171r2 standard.

According to the DoD, the CMMC establishes cybersecurity as a foundation for future DoD acquisitions. The CMMC levels align with the following focus:

• Level 1: Basic safeguarding of federal contract information (FCI)
• Level 2: Transition step to protect controlled unclassified information (CUI)
• Level 3: Protecting CUI
• Levels 4-5: Protecting CUI and reducing risk of advanced persistent threats (APTs)

It is recommended that any organization that expects to be a part of the DoD supply chain should maintain a minimum Level 3 certification. This level will cover most standard DoD contracts. There is a COTS exemption that was a rather gray area for a short period of time; however, this exemption has been clarified to include any product that is not modified in any way during the procurement and implementation process. One example is fuel since it is purchased in the state that it is used and therefore the providers are not subject to the CMMC. In the case of security products, however, modifications that include network addressing, user policies, system integration and physical installation must take place to properly implement the endpoint devices. As such, this exemption does not apply. 

Network-centric warfare systems have provided our military with capabilities that have exceeded expectations. In their infancy, they gave they U.S. major advantages over opponents. However, over the years, the lack of focus on system vulnerabilities has left the 15,000 networks, seven-million computing devices across hundreds of countries around the globe that are managed by the DoD at the ready for exploit by its adversaries. Without taking swift measures, such as securing the supply chain and improving collaboration with the commercial sector as a vital part of the supply chain, the U.S. military will remain at a disadvantage against persistent threats to its networks and even worse, could fall victim to attacks that could alter the balance of power in the free world.

References

Kawasaki, C. (2019, January 14). Four future trends In tactical network modernization. Retrieved April 15, 2020, from https://www.army.mil/article/216031/four_future_trends_in_tactical_network_modernizatin

Office of the Under Secretary of Defense for, & Acquisition & Sustainment. (2019). Cybersecurity Maturity Model Certification (CMMC). Retrieved April 15, 2020, from https://www.acq.osd.mil/cmmc/

Schneider, J. (2016, September 6). America’s Digital Dependency and the Capability/Vulnerability Paradox | The National Interest. Retrieved April 15, 2020, from https://nationalinterest.org/blog/the-buzz/americas-digital-dependency-the-capability-vulnerability-17601

Stiennon, R. (2015). There Will Be Cyberwar. Birmingham: IT-Harvard Press.

Antoinette King is a Key Account Manager with a focus on End User engagements in the NY/NJ region. She has 20 years of experience in the security industry, beginning her career as a field technician responsible for the installation, design, and implementation of integrated security solutions. During the 17 years leading up to her joining Axis Communications, Antoinette worked for several security integrators as an outside sales account manager, designing security solutions and project managing. 

Antoinette is a Board-Certified Physical Security Professional (PSP). She has an Associate’s Degree in Criminal Justice, a Bachelor’s of Science in Managing Security Systems, and is currently pursuing her Master’s Degree in Cybersecurity Policy and Risk Management. 

Antoinette actively participates in many industry associations. She is a founding member of the Association of Data and Cyber Governance. Antoinette is also an active member of ASIS holding positions as Chapter Chairperson of the Hudson Valley Chapter, member of the Women in Security (WIS) Global Council, serving on the WIS Publications Committee, and WIS Strategic Alliance Committee. She is also an active member of the Security Industry Association (SIA), serving on the Ethics Working Group, Data Privacy Advisory Board, and the Cybersecurity Advisory Board, and is a member of Women in Cybersecurity (WiCys).