GAO releases Report on Department of Defense Cyber Strategy issues

The U.S. Government Accountability Office (GAO) released a report on Monday entitled “Defense Department Cyber Efforts: DOD Faces Challenges In Its Cyber Activities”. The report highlights the hurdles and issues that US cyber security efforts are facing.

Some of the highlights from the report include:

DOD’s current cyber defense is decentralized, and covers a vast area.

  • DOD is taking proactive measures to better address cybersecurity threats, such as developing new organizational structures, led by the establishment of the U.S. Cyber Command, to facilitate the integration of cyberspace operations.

DoD currently has several joint publications concerning cyberspace topics

  • DOD recognizes the need to develop and update cyber-related joint doctrine and is currently debating the merits of developing a single cyberspace operations joint doctrine publication in addition to updating all existing doctrine.

Current Command & Control of Cyberspace is confusing and issues could affect multiple commands

  • Without complete and clearly articulated guidance on command and control responsibilities that is well communicated and practiced with key stakeholders, DOD will have difficulty in achieving command and control of its cyber forces globally and in building unity of effort for carrying out cyberspace operations.

DOD’s cyber workforce is undersized and unprepared

  • While the department’s review of some cyberspace capability gaps on cyberspace operations is a step in the right direction, it remains unclear whether these gaps will be addressed since DOD has not conducted a more comprehensive departmentwide assessment of cyber-related capability gaps or established an implementation plan or funding strategy to resolve any gaps that may be identified.

The GAO brings out some great points. The DoD is facing some pretty steep challenges. But I feel that the report and recommendations are a good idea and, with proper leadership, staffing and funding, will lead our cyber defense in the right direction.

The full highlights and the complete report can be found on the GAO’s website.

Researchers Break Military Chip Encryption Keys using Nvidia Tesla GPUs

German IT Security researchers at Ruhr University have recently released a report documenting the ability to crack strong encryption used in programmable chips. These chips are used in Military and Aerospace embedded systems.

According to Government Computer News, the researchers were able to crack the encryption key and access data on two different model Field Programmable Gate Array (FPGA) chips using an attack called differential power analysis (DPA).

In the attack, power use is monitored during the power-up sequence of the chip. As it is powered up, the chip uses a key to decrypt the configuration data file and data stream. By analyzing the power consumed, the team was able to recover the key:

“Side-channel analysis attacks follow a divide-and-conquer strategy,” they wrote. “That is, the key is recovered in small pieces.”

The keys were extracted in eight pieces of 32 bits each from the data gathered in a single power up for each chip. They analyzed the power consumption of 50,000 encrypted bitstream blocks for the Virtex 4 and 90,000 blocks for Virtex 5.
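The divide-and-conquer idea in the quote above is easier to see with a toy simulation. The following Python example is added here and is not code from the Ruhr University paper or from any FPGA vendor: the “device” is a constructed leakage model (Hamming weight of an S-box output plus Gaussian noise, with a constructed random permutation standing in for the real S-box and a constructed 4-byte key), and the analysis is a correlation-based DPA that recovers the key one byte at a time, which is the same reason real keys can be extracted “in small pieces”. The same block also shows, from the defender’s side, why first-order Boolean masking (one of the countermeasure families the article alludes to) blunts the attack: once every intermediate is XORed with a fresh random mask, the leaked value is statistically independent of the secret and the correlation peak disappears.

```python
"""Toy simulation of divide-and-conquer power analysis and of a masking
countermeasure.  Everything here is a constructed model, not a real chip."""
import random
from math import sqrt

rng = random.Random(2024)  # fixed seed so the run is reproducible

# Constructed stand-in for a cipher S-box: a fixed random 8-bit permutation.
SBOX = list(range(256))
rng.shuffle(SBOX)

KEY = [0x3A, 0xC7, 0x15, 0xE9]  # constructed secret; 4 bytes keeps the run fast
N_TRACES = 600                  # number of simulated power-up measurements
NOISE_SIGMA = 1.5               # measurement noise added to every sample


def hamming_weight(x):
    return bin(x).count("1")


def simulate_device(plaintext, masked):
    """Return one 'power trace': one leakage sample per key byte.
    Leakage model: Hamming weight of the S-box output plus Gaussian noise.
    With masked=True the device XORs a fresh random mask into the intermediate
    (first-order Boolean masking), so the leaked value no longer depends on KEY."""
    samples = []
    for pt_byte, k_byte in zip(plaintext, KEY):
        intermediate = SBOX[pt_byte ^ k_byte]
        if masked:
            intermediate ^= rng.randrange(256)
        samples.append(hamming_weight(intermediate) + rng.gauss(0, NOISE_SIGMA))
    return samples


def collect_traces(n, masked):
    """Simulate n power-ups with random input blocks and record the traces."""
    plaintexts = [[rng.randrange(256) for _ in range(len(KEY))] for _ in range(n)]
    traces = [simulate_device(p, masked) for p in plaintexts]
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def recover_key_byte(plaintexts, traces, byte_index):
    """Divide-and-conquer: one key byte is attacked on its own by correlating
    all 256 hypotheses against the measured samples for that byte."""
    measured = [t[byte_index] for t in traces]
    best_k, best_corr = None, -1.0
    for k in range(256):
        hyp = [hamming_weight(SBOX[p[byte_index] ^ k]) for p in plaintexts]
        c = abs(pearson(hyp, measured))
        if c > best_corr:
            best_k, best_corr = k, c
    return best_k, best_corr


def recover_key(plaintexts, traces):
    """Recover every key byte independently; also return the highest
    correlation seen, which is the 'signal' a defender wants to drive to zero."""
    results = [recover_key_byte(plaintexts, traces, i) for i in range(len(KEY))]
    return [k for k, _ in results], max(c for _, c in results)


if __name__ == "__main__":
    for masked in (False, True):
        pts, trs = collect_traces(N_TRACES, masked)
        guess, corr = recover_key(pts, trs)
        print(f"masked={masked}: guess={guess} correct={guess == KEY} "
              f"peak correlation={corr:.2f}")
```

Run stand-alone, the unmasked device gives back the full constructed key with a correlation peak near 0.7, while the masked device gives no candidate a meaningful peak. The cost of the real attack scales with the number of pieces times the number of hypotheses per piece (here 4 × 256), not with the size of the whole key space, which is why the GPU cluster in the article needs hours rather than centuries; masking or other leakage-hiding measures attack that assumption rather than the key length.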

According to the report, a set of four nVidia Fermi Tesla C2070 GPUs analyzing the data could obtain the key from a Virtex 4 device in about 6 hours, and from a Virtex 5 device in about 9 hours.

But what could an attacker do if they obtained the key? An attacker could possibly reverse engineer the bitstream, modify the device configuration or implant a hardware trojan.

Defenses against this type of attack exist, but according to the research some new chips do not use the defense technology, and some existing chips may also be vulnerable. Though no attacks using DPA are known at this time, that doesn’t mean that some nation states have not thought about using it in an attack. Paul Kocher, a developer of DPA and president of Cryptography Research, had this to say:

“If China gets a piece of military equipment and breaks the key in an FPGA, they wouldn’t talk about it, but if [the researchers] can do it, the presumption is that anyone else who wants to could.”

Counterfeit network gear intended for the US military has already been recovered by FBI agents. It is not a long stretch to think that FPGA chips could also be a target of foreign nations.

* Update – “Cracks in encryption security for embedded chips not fatal, company says” – GCN

Cyber-Espionage may cause US to redesign Secret Weapon

Excellent Reuters article on Aviation Week titled “Pentagon Tries to Lean Forward in Cyberdefense”. According to the article, Deputy Defense Secretary Lynn recently stated that the US must move from a passive-minded cyber strategy to an active one. Also, recent data breaches of defense contractors have caused the military to redesign one of its new weapon systems:

Aviation Week also reported that Lynn said one U.S. weapon system under development may have to undergo redesign following a cyber breach in March. He did not identify the system. More than 24,000 files containing an unspecified but large amount of data were copied from a defense contractor’s internal databases, according to Lynn. Whether and how much redesign will be necessary is still being studied.

It would seem that cyber theft and cyber espionage are a much greater threat to our country at this time than a full-blown “Cyber War”. It is easier and far cheaper for nation states to simply steal our technologies through data breaches than to spend the money to develop them.

The article compares the current defense tactics used by the military to the Maginot Line of WWII. Our nation is spending time, effort and energy trying to build better defenses. But as Germany showed, it is easier and requires far fewer resources to bypass such defenses than to build them.

But there is hope. According to Marine Corps General James Cartwright, cyber defense in the DoD realm needs to shift from defensive to offensive:

“How do you build something that convinces a hacker that doing this is going to be costing them and if he’s going to do it, he better be willing to pay the price and the price is going to escalate, rather than his price stays the same and ours escalates.”

Still, it will be very difficult to create a system that detects an attacker and correctly identifies who is behind an attack. And even then the question remains: what level of response will be acceptable once an attacker has been successfully identified?