Cyber Security and MLS
by Justin Marston
There’s been a flurry of interest in cyber security building over the past year, with President Obama highlighting the issue, and the White House publishing a Cyberspace Policy Review in May last year. The following month, a memorandum came out of DoD announcing the new CYBERCOM (US Cyber Command) to be hosted at NSA.
Cyber Security can be split into two domains – offense and defense – NSA is actually structured around this separation. Multi-level security has little to do with the offense side of the house (other than perhaps being a target) – it has a lot more to do with defense in cyber security.
Think about having big offense teams at different nations going at it with each other. As software vendors, most of us think about single-point weaknesses and protect against attackers of average motivation. Protecting against large, well-funded, very bright teams of ‘hackers’ is on another level, and it helps to explain why the government has a unique networking architecture. This topic surfaced recently in the news, as a Chinese organization used a weakness in Internet Explorer to hack Google’s Gmail service, and access accounts of human rights activists. Wired called it “ultra sophisticated”, and a McAfee VP commented, “We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack… It’s totally changing the threat model.”
You just can’t trust most commercial software in the high assurance (very secure) cyber security realm. Commercial firewalls are not reliable, and regular commercial software is not safe: their security controls and coding practices are not able to defend against a sustained and motivated attack. Government security professionals worry about multiple point attacks, e.g. an insider, customized Trojan viruses and data hiding techniques, all rolled into one concerted attack. Supply chain attacks have also become a big topic.
So what do you do if you are a government? You set up private networks that aren’t connected to the internet – such as SIPRNet (US Secret) and JWICS (US Top Secret). These networks allow commercial software such as Microsoft Windows and Office to be run in closed ‘sand boxes’ that are protected from more sophisticated adversaries. Today, the US government has many of these networks – there are over 80 CENTRICS (coalition) networks today, because you need a network compartment for each combination of national allies (all with different trust levels) that work together on operations.
One of the great challenges today is balancing information sharing with cyber security. Counter terrorism and irregular warfare operations drive information sharing – you need to get to a single view of the data rather than having it in lots of separate stovepipes, so that analysts can make those critical linkages between the dots, and warfighters in Afghanistan can orchestrate coalition forces including the Afghans. But how do you share this information securely?
There isn’t a magical answer to that question. The answer involves a lot of really hard thinking and accreditation processes. But the answer has been improving as technology in the commercial space has become more powerful.
The post-9/11 rush to improve information sharing, coupled with a new level of coalition partnering in Iraq and Afghanistan, led to significant growth in the population of fielded cross domain solutions. Cross domain systems move data between two domains – typically network domains at different security levels. This also increased the cyber security risk surface area, because every cross domain connection point introduces risk of a motivated attacker finding a way to exploit it – to jump between the ‘sand boxes’ (private networks).
More recently, various IA leads in the US defense and intelligence communities have highlighted unease at the increase in tactical deployments of these cross domain transfer data guards, with many of the deployments growing up organically.
So how can multi-level security help cyber security? It revolves around the amount of data crossing between domains. Typically, in cross-domain transfer systems, a large amount of end user generated content moves between domains – the more data that flows between domains, the more types of attack a hacker can attempt, and the easier it is for a hacker to mask their attacks and any data flow from their exploits.
In multi-level security, the strategy is to leave the data on the right network, but orchestrate it into unified views. This is similar in concept to commercial ‘mashup applications’ that leave data on the right servers but still provide a single interface for the user. By doing this, you can ensure that access controls (Mandatory Access Controls) are enforced – so users (or processes posing as users) can’t ‘copy and paste’ data in content that flows between networks. MLS also significantly reduces the volume and complexity of content flowing between domains.
At BlueSpace, our design philosophy has been to minimize:
1) The amount of code that deals with data passing between domains.
2) The volume of data that passes between domains.
3) The permissible complexity of data that passes between domains.
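The approach described above, sketched as an added example that is not BlueSpace's code or part of the original post: each domain keeps its own records, the only thing that crosses into a domain is a short search term checked against a strict pattern, and results are filtered by a mandatory access check on the caller's label. The level ordering, the `ALPHA` compartment, the class and function names and the sample records are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed ordering of classification levels (an assumption of this example).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if a subject with this label may read data labelled `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass(frozen=True)
class Record:
    label: Label
    text: str

# The only input allowed to cross into a domain: a short, simple search term.
QUERY_RE = re.compile(r"[A-Za-z0-9 ]{1,32}")

class Domain:
    """One network domain; records stay here and are exposed only via search()."""
    def __init__(self, name, records):
        self.name, self._records = name, list(records)

    def search(self, subject: Label, query: str):
        if not QUERY_RE.fullmatch(query):
            raise ValueError("query rejected: too long or too complex")
        q = query.lower()
        return [(self.name, r.text) for r in self._records
                if subject.dominates(r.label) and q in r.text.lower()]

def unified_view(domains, subject: Label, query: str):
    """One result list assembled from every domain, each hit checked by MAC."""
    return [hit for d in domains for hit in d.search(subject, query)]

# Constructed sample data.
DOMAINS = [
    Domain("secret-net", [Record(Label("SECRET"), "convoy route alpha")]),
    Domain("ts-net", [
        Record(Label("TOP SECRET", frozenset({"ALPHA"})), "convoy source report"),
        Record(Label("TOP SECRET"), "convoy imagery")]),
]
```

A SECRET subject searching for "convoy" sees only the record on `secret-net`; a TOP SECRET subject without the `ALPHA` compartment sees two records, and one with it sees all three.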
In the past, MLS systems have meant heavy, clunky applications that typically get left behind – with highly customized code bases implementing special security controls (labeling). It doesn’t have to be that way anymore. The convergence of MLS with virtualization now allows regular commercial software to be used as part of medium and high assurance systems. At BlueSpace, we use Google Search appliances, Google Earth servers, and conventional email / AMHS servers as part of our MLS solutions – and we’ll be adding to that list this year.
The US intelligence community should seriously consider broader adoption of MLS capable desktops such as the High Assurance Platform (HAP) managed by NSA and the DoDIIS Trusted Workstation (DTW, now termed SABER) managed by AFRL. Living at Top Secret all day is fine if all the people you need to share data with have access to that level, but given most warfighters don’t have Top Secret clearance and the need for ‘real-time intelligence’, that model doesn’t work well anymore – which is why there are so many data guards in place today.
Any defense strategy being formed as part of a cyber security initiative should take a new fresh look at MLS technologies. Giving users one view of the data while enforcing rigorous security and auditing allows a balance to be struck between information sharing and cyber security. MLS isn’t a magic bullet, but it can ‘take the ball up the field’ compared to current practices.
A question I get asked a lot is, “But what about the commercial space?” I wish this wasn’t true, but the reality is that government security requirements are just much higher than those in the commercial community. Does Goldman Sachs have a big offense hacking team going after Morgan Stanley? I think not. Having said this, the use of hacking by criminal gangs is maturing considerably, and many of their successes never make it into the public eye. This isn’t vendor scare tactics (I used to be one of those skeptics), it is based on real events.
Virtualization is continuing to evolve commercial data centers. The cost of running multiple logical networks (domains) on a single physical infrastructure has dropped dramatically in the past few years, as VMware, Sun, Oracle, Dell, Red Hat, Green Hills, Wind River and LynuxWorks have matured their solutions. Can MLS help with corporate cyber security? You bet. It probably won’t be called MLS, but it will be the same technology addressing a similar problem, and it may well have to do with high assurance management of separate virtual machines on virtual networks. Dell and Integrity (part of Green Hills) are going out to market aggressively in the commercial arena with MLS-based technologies.
This is just my personal view (hey, it’s a blog), but I think CYBERCOM should take a hard look at how it can help high assurance technologies such as those in MLS crossover more effectively into the commercial realm. After all, does any organization understand robust security against a range of threat types better than NSA?
The rapid adoption and success of virtualization should pave the way for a new paradigm of looking at what networks mean, and how to partition and control data effectively. The HAP at CSC (in NSA) was an important step, but to go mainstream, the user experience needs to become even more integrated and polished – 97% ready rather than 93% ready.
I wrote the term “crossing the chasm to reach the tipping point” in a recent email to a Harvard MBA, and he said it was like being teleported back into business school. But for MLS to impact on cyber security (both in the government and in the broader corporate ecosystem) it’s a true statement.
