Cybersecurity risks: Network-enabled weapon systems and humans
In this Q&A, Gil Nolte, executive advisor to Booz Allen Hamilton, discusses the cybersecurity concerns that the Department of Defense (DoD) has with weapon platforms and the role the human factor plays in cybersecurity. He also covers the cyber threats facing private citizens and the financial industry, and the direction the DoD is taking with programs like “Hack the Pentagon.”
MIL-EMBEDDED: Please provide a brief description of your responsibility within Booz Allen Hamilton and your role within the company.
NOLTE: I am an executive advisor within Booz Allen Hamilton. At present, my job is within the company’s strategic innovations group, specifically with the cyber futures group focusing on industrial cybersecurity. My job is to work with DoD weapons and platforms to help the department think about and address cyber from a full scope perspective.
MIL-EMBEDDED: What type of cyber threat is the DoD most concerned with?
NOLTE: I think the department is extremely worried about any kind of cyber threat from any kind of adversary, whether it’s a nation state, a hacking group, or even kids trying to find access to systems. I would agree that cyber threats would vary across different geographies. Cyber attacks can happen in different ways and from different perspectives. Where an organization sits inside the United States, the safety nets may be bigger versus somewhere in Europe, in Asia, or in Afghanistan. There are people who are willing to do harm to the United States and I think the threat vector has yet to be thought of from a different perspective.
Scope-wise, I think the department is also worried about what I would consider their core commercial-based information technology. Today, looking at operational technology – like industrial control systems – things that really apply to weapons and platforms from a cyber perspective; if we reference back to the Department’s Operational Test and Evaluation Organization (OT&E) – I think the gentleman who runs the organization is Michael Gilmore. At the end of the year, they typically publish results from OT&E with a cyber section, and for the past two years it has specifically called out how they have looked at a variety of weapons and platforms and almost unilaterally they have some sort of cyber vulnerability. So if you think about how we use our military might and any of that might be at risk from a cyber perspective. That has to have a huge worry point from their department today.
We are starting to take an in-depth look at some of the military platforms, some way a cyber event could degrade that military capability and could put our armed forces at risk and ultimately the U.S. at risk. That is, clearly, a worry I have. If I didn’t see the OT&E reports on a couple of years’ basis, I keep saying these platforms that we have looked at have cyber vulnerabilities described in broad terms in the reports. That is something I’m very worried about. We, as a country, invest lots of money to make sure that we have the military might to do what we need to do around the world and protect the U.S. and its citizens and for some reason that could get degraded in some way and put our people and our country at risk, I think that should keep a lot of people up at night.
MIL-EMBEDDED: Is it possible for someone to hack into a weapon system and assume control to use it against the United States?
NOLTE: My personal opinion is that you can’t ignore the possibility of someone hacking and taking control of a weapon system. If any kind of platform or weapons system connects to something else there is a potential that it could be vulnerable. An offensive adversary might be thinking that they have time on their side, how do they look for that weak link in that system, that platform, that at some point in time they could take advantage of it? I don’t know that we have seen something like that, but again anything that connects to something could have a mechanism to induce a weakness and be vulnerable from a cyber perspective.
MIL-EMBEDDED: What is the biggest challenge when implementing cybersecurity measures in DoD platforms?
NOLTE: Humans are a challenge. One of the advantages I have in the work I’m doing today is working and helping with weapons programs or DoD platforms that didn’t consider cyber in the beginning days. More and more technology is going to stay out on the field for longer periods of time and cybersecurity was not considered as weapon systems were designed and developed, and how do you adapt those platforms? And how do you make operators aware that something that they may see may be a fault or something malicious from a cyber perspective?
An example we’ve used: you have a military helicopter carrying a military crew to perform a mission and an overheat engine warning light comes on. What happens? Well, they abort the mission and land as safely as they can to save human life and the equipment. But does the human who really goes through that post analysis, in that light turning on, that fault, was it really a fault or was it something that got inserted into the system? That notion is a cyber effect. The human part of understanding both what they are working on and operating on, looking for phishing attacks, but also when something funny starts to happen, how do you ask the right questions? How do you get more people who are more tech savvy and would understand that attack vector would come in and help? That is a huge reason why the human is the problem.
MIL-EMBEDDED: How do cyber threats faced by the DoD differ from those faced by the financial industry or everyday citizens?
NOLTE: Threats differ in a couple of different ways. What I believe of the financial industry or everyday citizens, the threat is about – in some cases – financial gain. Sometimes we look at it from a DoD perspective, where in the defense industrial base we could see a cyber event happen where it could degrade our military capability and/or steal intellectual property to understand how any one system might be designed.
The DoD perspective – looking at what we would call operational technology – is something a little different than what you might see in the financial industry or with everyday citizens. I’ll give you my personal example on the everyday citizen: my mother is 85 and went online. Something pops up such as “your system is hacked,” and to call this number, which she dutifully calls. She gives them her credit card, and they said don’t worry your card is going to show a charge from somewhere not in the U.S. I worry about folks like her, where she’s just on Facebook or using e-mail. The human in the middle, clicking on something that doesn’t look malicious and it’s malicious underneath. Everyday citizens are at a huge risk and they don’t think what the perils or implications are. Luckily it worked out for mom.
For the financial industry, I think it’s on the record how a cyber attacker got into a retail company and they got in through their HVAC systems – their heating and air conditioning systems – that had a network-based capability and it was connected to their host network. So, when they got in that way they were able to get access to other things.
MIL-EMBEDDED: Does the technology to keep all systems secure differ between the financial industry or private citizen and the DoD?
NOLTE: The department goes way above what’s out there commercially for everyday citizens. What is commercially available is the starting point for every part of the DoD. A good anti-virus capability, something that might be looking for malware, but the department goes further. They look at what happens at the boundary between their DoD Internet, the Non-classified Internet Protocol (IP) Router Network (NIPRNet), and Secret Internet Protocol Router Network (SIPRNet).
They monitor and look for malicious things going on there. They also have huge worries on the DoD classified systems and that security goes further, and further above what you see commercially. Everything is built on what is out there available in commercial technology. But the department adapts it and does it in different ways to look for much more than what would typically affect the average citizen.
MIL-EMBEDDED: Is the DoD heading in the right direction to combat all cyber threats?
NOLTE: From a military perspective and where the department is, they’ve done a lot of things right and continue to do a lot of things right. Again I think the evolving threat, it’s just a continual thing. If you look at the recent press articles from the “Hack the Pentagon” where they went out and publicly had people hack the Pentagon. One of the top guys is 18 years old. Luckily he is in the U.S. and doing that work. Even with decades of investing and doing the right things, because there are some underlying vulnerabilities in commercial technology or layers of commercial technology, or a human did something in a different setting or violated a policy – there are risks. I think we are going to continue to see risks from all different perspectives. We are not going to be done for a long time from a cyber perspective; it’s going to be something the department and every citizen is going to have to worry about for a long time.