Industrial Security, Cyber Operations, and Asymmetric Warfare Domestic Intelligence Threats in Post-9/11 America

by

Robert G. Ferrell

August, 2012

The modern battlefield is evolving dramatically away from the traditional symmetric struggle between opposing professional armies of two or more sovereign nations along defined battle fronts to an asymmetric guerilla model where at least one of the primary combatants has no recognized state support and employs nonconventional tactics at transient flash points in or near strategic targets of opportunity. While this mode of conflict has no doubt existed for as long as human combat, it has assumed a considerably higher profile in recent decades and can no longer be regarded as an operational anomaly.

Traditional armies are limited in size by logistical considerations: provisions, materiel, fuel, and field medical facilities being among the most crucial. The asymmetric combat force exhibits much less reliance on self-supplied infrastructures and due to their relatively small fragmentarily dispersed units can employ a “pay-as-you-go” approach to resupply not available to larger military presences deployed in theater. A combination of foraging, commerce with legitimate sympathetic or neutral locals, and “black market” channels suffices to support the highly mobile strike teams most commonly deployed by hostiles in asymmetric operations.

Since the strategic objectives of asymmetric warfare are often limited to local or regional sociopolitical destabilization, rather than immediate full control of all civilian and military infrastructure, the criteria by which military success is measured in these operations are considerably less stringent than those applicable to traditional armies. The adverse effects of allowing enemies to achieve those objectives are no less significant for their non-comprehensive nature, however. Extremist ideologies thrive in a climate of fear, uncertainty, and the constant threat of violence, and it is precisely these conditions that asymmetric warfare tactics excel in bringing about.

The vast majority of innovations in warfare are generated not by military personnel, but by private industry working under contract to the various military organizations worldwide. In the United States these contractors fall primarily under the aegis of the National Industrial Security Program Operating Manual, or NISPOM (DoD 5220.22-M). The purpose of this document is to provide broad security safeguards under which technologies of military significance requiring access to classified information may be developed while minimizing the threat of compromise of that information by hostile interests. The Defense Security Service (DSS), under the direction of the Under Secretary of Defense for Intelligence, provides governmental oversight for those contractors subject to the NISPOM.

Research and development in the military technologies arena requires an enormous commitment of both financial and human capital. State-supported espionage efforts by hostile interests are quite naturally an area of significant concern and counterintelligence operations to neutralize these efforts are well-defined after many years of field experience. However, the organizational structure of asymmetric warfare operatives is likely to be far less tangible and will rely on espionage targets of opportunity rather than formally funded long term intelligence-gathering initiatives. These targets of opportunity are inherently transient, high-value, and more difficult to predict using conventional threat analysis models.

As a result of the unique day-to-day partnership between DSS field agents and the National Industrial Security Program contractors whom they support, the DSS is ideally situated to form the front line of defense against intelligence-gathering operations conducted by these asymmetric hostile interests. While other government organizations must rely on the contractors themselves not only for reporting of suspicious activity but for implementing preventative security measures, the DSS provides direct onsite logistical support to these contractors in the form of security vulnerability assessments and advise and assist visits.

In traditional conflicts the bulk of the security threat is focused in those areas where the opposing forces are in close physical proximity. While HUMINT and psychological operations have always been part of the overall tactical picture, these missions were limited in scope and required considerable logistical support, both acknowledged and covert, to carry out. With growing military reliance on ubiquitous computer networks, however, technologically adept combatants can launch a wide range of both intelligence-gathering and cyber offensive operations from remote, physically secure locations. Compromise of critical data, denial of service at strategically significant points of failure, and more subtle threats to tactical data integrity—which can collectively be termed ‘cybertactical operations’—are becoming increasingly commonplace as cyberwarfare assumes its role as an integral dimension of battlespace.

Cleared Defense Contractors, or CDCs, are significant targets for hostile cybertactical operations in that they generally present a broad Internet-facing threat horizon as a result of business communications requirements. While in theory critical data is not accessible via this vector, in practice that barrier is semipermeable. The degree of permeability is dependent on a number of factors, including the logical proximity of the public-facing gateway to sensitive information repositories, the types of technical data available on the unclassified systems, and the overall security posture of the facility. Some of the most valuable data for cybertactical collectors, in fact, is unclassified contact information for engineers, technicians, and contractor leadership, as this knowledge enables them to conduct more effective social engineering operations. These run the gamut from ‘spear-phishing’ (explicitly targeted information solicitations appearing to originate from a trusted source) to ‘joe-jobbing’ (spoofing the harvested email addresses as the sender of mass unsolicited emails in an attempt to elicit retaliatory actions against and/or tarnish the reputation of the spoofed sender) to apparent trusted contacts directing recipients to sites where malicious software may be installed on their machines by exploiting operating system or application-specific vulnerabilities.

In asymmetric warfare one or more of the combatants often has no formal (or at least acknowledged) support from a sovereign state. This disenfranchisement works in their favor during cybertactical operations, especially, since avoiding network paths that can easily be traced back to them is thereby greatly facilitated.

While many operational considerations regarding the role of CDCs are common to both asymmetric and conventional warfare, the unique components of the relationship between CDCs and asymmetric combat operations merit closer examination. Asymmetric combatant commands most often lack the infrastructure and financial resources to conduct significant weapons or telecommunications research and development on their own. As a result, they are almost entirely dependent on sympathetic states and/or the “black market” for materiel. This creates a climate in which the strategic value of industrial espionage is even more pronounced than that for traditional sovereign-state militaries which enjoy the luxury of state-supported research and development activities. Phishing, social engineering, and other forms of Internet-based harvesting are ideal intelligence-gathering vectors for hostile interests with limited manpower and fiscal resources. No real technological aptitude is required beyond that necessary for running any of a number of exploit tools freely or relatively inexpensively available on the Internet.

Exfiltration of classified, proprietary, and otherwise strategically significant information is and will continue to be a major threat to national security. Much of that information is in the hands of CDCs. Classified information (both collateral and SCI) generated or safeguarded by CDCs is under the security oversight of the DSS, DIA, or the government contracting activity (GCA) that owns the information. However, a great deal of Controlled Unclassified Information (CUI) exists regarding weapon systems, operations, and support services. While not classified per se, this information could nonetheless be extremely useful to our adversaries and its loss would have a significant negative impact on national interests. Protection of this valuable information is left largely to the individual CDC with little to no oversight; the result is that protective measures vary widely from one organization to the next. The absence of a uniform protective strategy for unclassified but strategically important information creates innumerable pockets of opportunity for gleaning activity by adversarial factions, often with only a small probability of detection. While individual exfiltration episodes may net only a small amount of data, multiple operations directed at a given program may eventually result in the loss of entire datasets through cumulative compilation.

Several agencies have field operatives who play direct or ancillary roles in the effort to curtail loss of critical information by CDCs, including the FBI, the military component investigative agencies, and DHS. None of these possesses the depth of relationship with key CDC security and management personnel enjoyed by DSS, however. As a result, DSS Industrial Security, Information Security, and Counterintelligence Field Operations agents are uniquely and ideally positioned to take a lead role in both security measures education and mitigation of threats presented to the Cleared Industrial Base by asymmetric cyber adversaries.

While attacks on CDCs’ classified systems are limited almost exclusively to insiders with access, clearance, need to know, and motivations ranging from ideological fervor to simple avarice, unclassified data processing is subject to threats across a much broader horizon. The classified environment is tightly controlled, with extensive security requirements covering all aspects of operation, but there exist no globally implemented security standards for unclassified computing. While the NISPOM, ICD 503, NIST 800 series, DISA STIGs, and other standards documents impose a relatively uniform set of requirements on contractors processing classified information, IT security policies and processes on the unclassified side are markedly inconsistent across industry and often even within a corporate entity.

State-sponsored exfiltration operations most often target categories of data known by counterintelligence agencies to be of interest to a particular nation as a result of documented or suspected technology gaps. As an example, the USSR was known to find critical military technologies to be of particular interest during the cold war. After the collapse of the Soviet Union, however, harvesting efforts shifted dramatically away from military products to civilian telecommunications and information processing technologies.

Asymmetric adversaries are harder to profile in this regard and are much more prone to seek wide-spectrum targets of opportunity. Hostile entities conducting cyber operations against CDCs are often looking for any available information, rather than keying on one or a small number of specific data targets. This indiscriminate harvesting creates an urgent need for robust information security controls on unclassified systems across the entire CDC community. Ranking a particular facility or program based on how likely their technologies are to be targeted and applying information security controls only on those systems containing more ‘attractive’ data is not an effective threat mitigation model when asymmetric opponents are considered and is merely a form of “security through obscurity.”

Mitigation of threats to AIS is best approached using holistic proactivity, rather than reactively. Reactive mitigation is more akin to damage control, which implies damage has been sustained. The ideal response to cyber threats may be termed ‘bastioning,’ where layered defenses including reduction of attack vectors, intrusion detection/countermeasures, and solid operational security practices combine to create a hardened target with minimal risk of compromise. While formally established incident response measures are appropriate when the bastion has been breached, they should not be mistaken for constituting an adequate defensive posture in themselves.

The DSS field counterintelligence role is currently limited to providing threat briefings and collecting voluntarily supplied data concerning suspicious contacts targeting a facility or its personnel. However, given the agency’s unparalleled access to and close working relationships with CDC Facility Security Officers and Information Systems Security Managers, a relatively small investment aimed at increasing the DSS counterintelligence presence in the field—providing cyber counterintelligence specialists and counterintelligence analysts for every field office, as well as significantly increasing the number of field counterintelligence specialists (FCIS), for example—would reap potentially enormous benefits. When the facility/FCIS ratio is reduced to the point where the FCIS can develop functional rapport with each individual Facility Security Officer, the quantity of suspicious activity information reported increases dramatically. With analysts in the field office to review and correlate this incoming data, passing up to headquarters only the truly useful information, the considerable increase in NISP threat analysis and response capabilities of the DSS, and therefore the DOD, would easily justify the investment.

We can track enemy movements and counter their operations very effectively on the battlefield; it’s time we take these essential steps towards increasing those capabilities here at home, before the results of those operations pose additional threats to troops in harm’s way. An exfiltration prevented is a warfighter saved.