2012-12-17 By Murielle Delaporte
Just as preserving minimum strategic stocks and oil reserves nationwide was one of the numerous Cold War challenges in the West, establishing a minimum guard against the 21st-century threat of cyber vulnerability is on its way to becoming conventional wisdom as an unavoidable security requirement.
However, the road to implementing common minimum standards across the nation, let alone internationally, still has quite a few bumps to overcome.
At the forefront of this effort, and a pathfinder in the United States and, given the global nature of the issue, beyond its borders, is Lockheed Martin. Behind this leading role is the game-changing 2003 cyber attack that the company experienced and had to overcome as best it could.
Almost a decade later, these efforts have led to a comprehensive strategy exportable to everyone, since, as Linda Gooden, Executive Vice President of Lockheed Martin’s Information Systems and Global Solutions, said, “everyone has a cyber issue.”
According to the experts gathered at a seminar organized last week by Gaithersburg-based Lockheed Martin Information Systems & Global Solutions at its NexGen Cyber Innovation and Technology Center, the good news, given the company’s lessons learned, is that the challenge is rooted less in the threat itself than in the way our societies can reach the necessary level of awareness, preparedness and readiness to address it in time and in a preventive, proactive way, as opposed to reacting to an upcoming catastrophe [1].
Inside Out
As Chandra McMahon, Vice President and Chief Information Security Officer at Lockheed Martin, explains, her company underwent a major infrastructure transformation to address internal security concerns about two decades ago: the first challenge came in the 1990s with the wave of mergers and acquisitions and the consolidation of legacy networks and systems that this kind of restructuring required, under the motto “One Company, One Team.”
Increased cost structure and lack of interoperability had to be fought with standardization and consolidation. The key lesson learned is that the main difficulty has been overcoming cultural resistance to change within the workforce. Contrary to expectations, cost has not been an issue, as long as the savings generated in resisting managing and modernizing legacy systems were directly reinvested into the next phase and used as a force multiplier.
The 2003 APT attack is described by Mrs. McMahon as “the defining moment” for Lockheed Martin, since it implied a nation-based threat against the company and triggered the creation of the first Security Intelligence Center. (Advanced Persistent Threats, or APTs, are harder to predict and fight and account for 20% of cyberthreats, the remaining 80% being usually countered by off-the-shelf products.)
In addition to the one in Maryland, centers were also established in Denver and in the United Kingdom [2].
The goal has been to improve visibility, manageability and survivability in the face of the threat by working on people and processes. LMC’s strategy has hence been threefold:
- Educating employees who are at the frontline of the threat about malicious emails and proper security behavior regarding the internet;
- Developing alliances and clusters of industrial and government partners generating common approaches and technologies to deal with the issue via these centers of excellence, like the NexGen Cyber Innovation & Technology Center;
- Working with international partners to enhance critical infrastructure protection: Lockheed Martin works closely with the UK, but also Australia and Japan.
Towards a Cyber ConOps
Developing new technologies to deal with the consolidation challenge, as when LMC moved 200 servers under a single cloud, and keeping up with new behaviors linked to constant technological innovation in the field have brought a new set of challenges that companies and agencies must address in order to protect themselves. Processing an ever larger volume of incoming information (internet-based research; FAA data for flight management; hundreds of thousands of hours of video-recorded data for the warfighter; etc.), the “Big Data” challenge, as well as cloud computing and the growing mobility trend, add to the traditional cybersecurity concerns.
However, the reassuring fact is that none of these challenges will be left unanswered.
Lt-General Charles “Charlie” Croom, USAF (ret.), former director of DISA (Defense Information Systems Agency) and Vice-President, cyber solutions, compares the new war to a classic asymmetric war and states: “the battle is asymmetric when fought on the adversaries’ terms, but the advantage does not always belong to offense, unless we allow it to be. Every successful commander knows that shaping the battlefield – choosing where, when and how to fight – is essential to securing a strategic advantage and, ultimately, defeating the enemy. For too long in cyber space, the enemy has been allowed to choose the terms of battle. It is time for that to change.” [3]
Indeed, a new cyber security vision is being advocated, based on the CKC7 doctrine of Eric Hutchins, Chief Intelligence Analyst for the Lockheed Martin Computer Incident Response Team (LM-CIRT): a cyber kill chain built on a seven-step process in which an enemy can only succeed by going through every step.
These steps, which can lead to a successful intrusion, are: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Analyzing the delivery systems, the malware, and the patterns of action of targeted campaigns (i.e. the TTPs – Tactics, Techniques and Procedures – of the enemy) tends to give the defender the “upper hand”, says Eric Hutchins, even though the enemy keeps coming back, adapting faster and reducing the window of opportunity between an attack and the response.
Currently, the adversary’s response time is between hours and days, but soon it will be minutes and hours. Assessing our resiliency to such aggressions is a key goal and the Lockheed Martin Cyber Kill Chain™ is one of the tools to do so.
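The seven-step model described above, as an added Python example that is not from the article or from Lockheed Martin: it computes how far each intrusion progressed before the chain was broken and which indicators recur across intrusions, the kind of campaign pattern the analysis relies on. The intrusion records, indicator values and the `blocked_at` field are constructed for illustration.

```python
from collections import defaultdict

# The seven phases in the order the article lists them.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives"]

# Constructed sample records (not real incidents). "blocked_at" is the phase
# in which defenders stopped the intrusion; None means it was never stopped.
INTRUSIONS = {
    "intrusion-A": {"blocked_at": "delivery", "indicators": {
        "weaponization": {"doc-builder-v1"},
        "delivery": {"sender:events@example.test"}}},
    "intrusion-B": {"blocked_at": "c2", "indicators": {
        "weaponization": {"doc-builder-v1"},
        "delivery": {"sender:hr@example.test"},
        "installation": {"dropper-sample-1"},
        "c2": {"beacon.example.test"}}},
    "intrusion-C": {"blocked_at": None, "indicators": {
        "delivery": {"sender:hr@example.test"},
        "c2": {"beacon.example.test"}}},
}

def phases_completed(record):
    """Phases the adversary finished before the chain was broken."""
    blocked = record["blocked_at"]
    return list(PHASES) if blocked is None else PHASES[:PHASES.index(blocked)]

def adversary_succeeded(record):
    """Success requires completing all seven phases."""
    return len(phases_completed(record)) == len(PHASES)

def campaign_links(intrusions):
    """Indicators recurring across intrusions, keyed by (phase, indicator)."""
    seen = defaultdict(set)
    for name, record in intrusions.items():
        for phase, values in record["indicators"].items():
            for value in values:
                seen[(phase, value)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    for name, record in INTRUSIONS.items():
        done = phases_completed(record)
        print(name, "succeeded" if adversary_succeeded(record) else
              f"stopped after {len(done)} of {len(PHASES)} phases")
    for (phase, value), names in sorted(campaign_links(INTRUSIONS).items()):
        print(f"{phase}: {value} links {', '.join(names)}")
```

An intrusion stopped late in the chain still yields indicators for every earlier phase, which is what lets a later attempt reusing the same tooling be caught sooner.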
The Enemy Within
However, the difficulty is to protect a fortress which is hard to fully seal. It often takes months for a person or a company to become aware that it has been the victim of a cyber attack.
Indeed, one of the major concerns Lockheed Martin struggles with most at this time is securing the supply chain.
Lockheed Martin encourages members of its supply chain to participate in information forums to bolster their defenses.
A number of issues remain:
- Cultural: educating people, adopting a common language and harmonizing threat intelligence sharing standards are high priorities that LM is pushing by leading by example;
- Ethical: issues such as the border between crime and war in the cyber world or the protection of privacy need to be socially and probably legally addressed;
- Legal: enforcing regulation is not unattainable, but the proper balance must be kept between government action and economic incentive, one of the difficulties, as stressed by Mrs. McMahon, being the fact that the cyber field is in constant flux and in need of constant security updates and upgrades;
- Economic: at a time of budgetary austerity, investing in what can be perceived as new “constraints” for companies and agencies may not look attractive or cost-efficient, as many are already functioning in survival mode.
The battle is, however, raging, and time is key to keeping the upper hand on a global scale, as Lockheed Martin has obviously been doing successfully over the past decade.
——–
References
[1] For more data on this, see: LM-Cyber-Security-Transformational-Technologies.
[2] F-35 data were stolen from LM’s industrial partner BAE Systems in 2007 and 2008 through computer hacking, leading to curious resemblances in the Chinese Chengdu J-20 fighter two years later (see on this issue: Blair Watson, Cyber threats and Security: Protecting the Information Fortress, Frontline Security, Ottawa, Canada, Spring 2012, pp. 35-37). (See: 12_SEC1_BlairWatson_Cyber)
[3] Lt Gen Charles Croom, The Cyber Kill Chain: a Foundation for a New Cyber Security Strategy, High Frontier, December 2012. (See: The Cyber Kill Chain)