The explosive growth in the number of devices connected to defense networks has enabled the Department of Defense (DoD) to better manage information, conduct operations, manage assets, move people and supplies, and support service personnel.
Soon, everything and everyone on the battlefield will be connected, often carrying multiple sensors, computers and communications devices. This emerging internet of battlefield things (IoBT) will transform the American way of war. But at the same time, it could create enormous cyber vulnerabilities for DoD as unauthorized and insecure devices are connected to defense networks. It is imperative that the Pentagon implement a security framework that allows only authorized and properly secured devices to access defense networks.
The Internet is continually growing and evolving. Where once it primarily connected computers, now everything is networked, including smartphones, cars, airplanes, baby monitors, medical devices and household appliances. It is estimated that there are some 25 billion connected devices worldwide. This number is expected to triple by 2025.
The same phenomenon is occurring in the Pentagon. The number of devices connected on defense networks is growing rapidly. Sensors, weapons, platforms and even soldiers already are connected. In some cases, individual systems and assemblies such as engines, gears and actuators have sensors that communicate with maintainers and logisticians.
But the Pentagon is driving toward what has been called the internet of battlefield things (IoBT) in which powerful sensing, computing, storage and analytic devices will be small, portable and everywhere. Massive amounts of information will pass across networks to empower all military echelons from the National Command Authority to the individual warrior. Supporting these devices will be advanced cloud architectures such as that envisioned in the planned Joint Enterprise Defense Infrastructure program.
While the IoBT promises to transform the management of military forces and conduct of military operations, it also could result in the creation of cybersecurity vulnerabilities. As more devices reside on government and defense networks, the risk from those that are unauthorized or just insecure could undermine the utility of the IoBT. Earlier this year, hackers accessed a $25 build-it-yourself computer that had been connected without authorization to a NASA network. The hackers were able to access two of the Jet Propulsion Laboratory’s main networks and steal 500 megabytes of data. The Department of Homeland Security’s Inspector General found more than 40 unauthorized devices on the department’s networks.
This is a growing problem. At a recent forum on national security technology, Brig. Gen. Dennis Crall, deputy principal cyber adviser in the Office of the Secretary of Defense, defined DoD’s requirements for securing networks to which new devices are continually added. He said that:
“We’ve got to make sure I know what’s on the network, and not just on the operating system level but the mobile devices we have, and at the tactical edge. We’ve got to make sure that not only can I see or detect what I have; I need to have the ability to make a decision, to qualify the interchange I have with all of these devices and the new ones that are coming. I’ve got to decide whether to let them join the networks that we’re dependent on. I’ve got to decide, if they’re out of scope, to patch them or to put them into compliance or to quarantine them.”
Enter Comply to Connect (C2C). The Pentagon created C2C as part of its overall strategy for continually monitoring networks even as the number of devices they support grows almost exponentially. C2C will employ existing commercial platforms to automate device discovery, compliance evaluation, continuous monitoring and access control. These solutions ensure that only approved devices, those with the proper security protocols, are allowed access to defense networks and that those that are not compliant are either remediated or have their access blocked.
It is imperative that any solution to protecting the IoBT from unauthorized and insecure devices be highly automated. Current methods for identifying tracking and validating devices using government networks are manpower intensive, slow and costly. Only an automated system can keep up with the rate at which new devices are added to the IoBT.
In 2014, the National Security Agency examined several pilot programs by the Air Force and Marine Corps employing Comply to Connect applications. The results were extremely positive. Based on its pilot programs, the Marine Corps is planning a full rollout of Comply to Connect for all its networks.
Congress directed the Department to implement Comply to Connect in 2016. The Pentagon has done pilot studies that prove its effectiveness. Yet, while the Pentagon has made Comply to Connect a central element of its network security strategy, it has failed to commit the necessary resources to actually deploy proven solutions. The incoming Secretary of Defense, Mark Esper, needs to make funding a robust Comply to Connect deployment one of its first priorities.