Edward Tessen Tanaka
Jan 27, 2012

The NSA and military cloud computing: Just painting a cyber bullseye for attackers?

18 minutes isn't a very long time for most of us who operate in the civilian world. However, in April of 2010, the Chinese government took control of 15% of the Internet for 18 entire minutes and redirected all traffic through their networks. This, of course, included all military and civilian traffic.

This action by the Chinese is part of a long list of recent attacks by hackers both at home and abroad, leaving many Americans feeling like they have little protection online -- and according to the Department of Defense, they may be right. In a statement released last week, General Keith Alexander, who heads both the National Security Agency (NSA) and the newly formed U.S. Cyber Command (USCYBERCOM), said that our current military networks are "not defensible."

In operation since May of 2010, USCYBERCOM is the military's formal response to the steadily increasing attacks happening in recent years. According to its mission statement, "USCYBERCOM is responsible for planning, coordinating, integrating, synchronizing, and directing activities to operate and defend the Department of Defense information networks and when directed, conducts full-spectrum military cyberspace operations (in accordance with all applicable laws and regulations) in order to ensure U.S. and allied freedom of action in cyberspace, while denying the same to our adversaries."

Take, for instance, the virus that infected military drones last September. Security experts at the Creech Air Force Base in Nevada detected malware that was recording pilots' keystrokes and subsequently spent two weeks repeatedly removing the software, which regenerated itself numerous times. This meant that they were forced to erase and rebuild hard drives multiple times -- a very time-consuming project. No information was lost or stolen even though both classified and unclassified machines were hit, but it was reported (and denied) that the Air Force was unaware of the attacks until a technology news site published the story, because Creech officials did not report the attack upon learning of its existence.

The NSA's solution to this and similar security threats? Cloud computing. Last winter, DARPA began setting up mobile hot spots for military use. Its system, called Cloud to the Edge, will mirror Google's online suite (minus the search function), but will be hosted on a private server by the Defense Information Systems Agency (DISA) for obvious security reasons. Gen. Alexander says that, if implemented correctly, cloud computing could save up to 30 percent of the IT budget by 2016. Cuts have already been made, with 40 percent of data centers being consolidated and the number of help desks down to 450 from 900.

Currently, the military has over 15,000 networks, data centers and help desks. Gen. Alexander wants to see this number down to 3,000. The military's cloud will house unclassified, secret and top secret information, but Alexander says that it is both cheaper and more secure than the existing infrastructure. The NSA, he says, is hoping to lead by example and persuade others to do the same.

However, while the General's intent is admirable, using the NSA as a case study for the proposed military Cloud does pose a few practical concerns that should be considered before migrating to such an architecture.

For example, outside of its declared and official public mission, the NSA collects as much data as possible -- both domestically and internationally -- and later mines this information for relevancy.  The paradox of mass data collection is in the fact that worthless data today may be extremely important information tomorrow.

Therefore, outside of technical merit, the philosophy -- based on efficiency and flexibility -- behind Cloud computing has a strong complementary fit with the data collection practices routinely undertaken by the NSA.

Ultimately, a large pool of data -- which needs to be maintained into infinity -- is a good thing and makes unobtrusive data collecting even easier because it centralizes such data as a best practice in the name of efficiency. The seamless fashion in which a Cloud can be configured, for example the iCloud recently adopted by Apple, encourages data storage on the Cloud by automating such functionality. Plus, it is highly convenient. On the downside, hackers with criminal intent and those sponsored by foreign powers are already ramping up their efforts to exploit the Cloud because of this guarantee that it will hold vast amounts of important data. Ironically, while not as efficient, existing disparate architectures based on legacy systems also serve an important security function by compartmentalizing data and information. Whether this was the original intent or not is irrelevant, as many recent security breaches could have been dramatically worse if the information had been stored on a Cloud.

In practical terms -- as related to privacy and confidentiality -- a Cloud when hacked is like Facebook on crack. Facebook has shown repeatedly -- through deliberate hubris and shady privacy policies -- that when public information is consolidated properly, astounding insights can be gained into personal behavior. This means that hacking a Cloud can be done for two reasons. The first is to gather targeted information. The second is to capture raw data -- much like the NSA currently does -- which can be studied to extrapolate personal, trade and state secrets. The aggregation of data with the purpose of discovering secrets is called Mosaic Theory. Regardless of the underlying reason for the action, neither outcome is desirable.

Cloud computing, in military terms, fosters a target-rich environment because the very things that make the Cloud appealing also make it a tempting mark. Because of this and the high probability that a vast amount of data will be stored on a Cloud, attackers only need to be lucky once as compared to having to be lucky multiple times when attacking a legacy system. With this in mind, a more appropriate question to the NSA would be “what kind of information would your organization refuse to place on a Cloud?”  

These issues are important to consider due to the amount of information that will coexist within a Cloud. A few decades ago, people used to say things like “Imagine all the gold in Fort Knox!”  The modern version of this saying may soon be, “Imagine all the gold in the Cloud!” For example, the Apple iCloud holds the intellectual property, personal secrets and state secrets for a sizable percentage of social, industry and governmental leaders in the United States, not to mention many of their immediate family members and coworkers. This service, to enemies of the state and to criminal hackers, is not an iCloud, but an iBank. Back to the Chinese and what can be accomplished in 18 minutes ... ever heard of a few trillion dollars being stolen in less than 18 minutes?  

Don’t worry, thanks to The Cloud, you just might.
