Defending mobile networks: An uphill battle against endless threats

COTS solutions are the mainstay of military security, but they bring their own issues.

Mobile military networks have become increasingly flexible, adaptable and accessible over the past several years. The technologies and methods used to safeguard wireless network data have also advanced significantly in recent times, allowing an array of handheld and vehicle-based communication devices to be securely used almost anywhere, including the tactical edge.

Still, despite the advancements, mobile networks and their users continue to face an almost endless number of threats, including open channels, unprotected endpoints, unsecured devices, poor encryption, weak passwords, bogus applications unwittingly downloaded by end users, and security technologies and approaches that vary widely between different networks and devices. Overcoming these obstacles is the most formidable problem now facing military wireless communications experts.

Related coverage:

The future of military comms on the battlefield

“When you're talking tactical, the biggest threat is the RF layer where [data is] going across the airwaves,” said Bruce Bennett, program executive officer for communications at the Defense Information Systems Agency in Fort Meade, Md. “Anybody with a receiver and the right technology can potentially intercept the radio frequency, like anybody can listen to [Washington, D.C. broadcast radio station] WTOP just by tuning into it.”

Alike and yet different

Nearly all military communications experts agree that locking down mobile networks requires a combination of technologies, virtually all of which have their roots in the commercial world. “There is a little more risk with using commercial, but commercial is orders of magnitude better than it was 10 years ago,” Bennett said.

“You will find very similar defenses in the military as you would in the commercial sector,” said Anup Ghosh, who from 2002 to 2006 was a senior scientist and program manager in the strategic technologies office of the Defense Advanced Research Projects Agency. The military and businesses "really use the same commercial, off-the-shelf components for network defense — firewalls, VPNs [virtual private networks], that sort of thing.”

Ghosh said any uniqueness found in military networks lies in the network itself, not in the tools and techniques designed to safeguard the environment. “You don't find your Joint Tactical Radio Systems in the commercial sector, but from the networking element perspective you do have many of the same networking elements, like firewalls, that you would see in a standard commercial network,” he said.

Defending mobile networks at the tactical level involves the use of a full range of security tools. “Assuming that these networks are under control of DOD, then firewalls, authentication and communications encryption can be used,” said Rick Engle, principal Windows technologies specialist on the core infrastructure team at Microsoft Federal in Washington. “If they are public networks, then security within the OS needs to be utilized to scan for malware, encrypt data at rest and data in transit, and implement multiple layers of security, like VPNs.”

Military organizations also rely on advanced network control approaches to create enhanced security. “Some network controls block device access by IP address or by its MAC address,” Engle said. “A device can be required to be enrolled, or domain-joined, by getting a certificate that authorizes connectivity.” Two-factor authentication is often used with a PKI [public-key infrastructure] to allow network access only with the use of a valid Common Access Card.

COTS mobile devices can actually be more challenging to secure than tactical radios, Engle said. “A retail device like a tablet or smart phone has a lot more potential data connections than a tactical radio,” he said. “With many ways to connect, store and share information, securing those devices is much more complex.” The operating systems used on mobile COTS devices must be covered by a DISA Security Technical Implementation Guide (DISA STIG), Engle said. “Network connectivity and data at rest need to be encrypted, and security policies and device management controls need to be implemented,” he said.

The weakest link

End users are the weak link in the mobile network security chain, liable to making wrong decisions under pressure and placing unwarranted trust in e-mail and software. Ghosh said some U.S. adversaries are already relying on user ignorance and gullibility to uncover military IT secrets. “Most campaigns that dig at the DOD are spear phishing campaigns,” he said. “What are they after? Mostly intellectual property: plans, designs...future innovations.”

Like a summer cold, such adversaries can be hard to shake. “Once they get a user to infect [his or her] machine, they move laterally within the network, effectively colonizing the network,” Ghosh said. “They get a ton of data, then they try to figure out what's the relevance. It's really the new way that spying is done: on a nation-state-to-nation-state level, and it's entirely effective.”

Ghosh is CEO and founder of Invincea, a startup based in Fairfax, Va., that develops software designed to protect users from themselves and the network from the behavior of its users. Originally formed with DARPA funding, Invincea has created a completely segregated operating system that hosts a device’s Web browser. The specialized virtual environment isolates malware and prevents it from attacking the host operating system and blocking lateral movement within the network.

While generally useful, stringent network security measures often generate their own problems. “Security always impacts users because it makes communications more difficult,” said Scott Morrison, chief technology officer and chief architect at Layer 7 Technologies, a data protection products vendor located in Washington. “For example, multi-factor authentication means additional steps and onerous password regimes mean that people write down their passwords.” According to Morrison, “good security is always a game of finding an appropriate balance between risk and convenience.”

Network and device performance can also suffer when security is layered on, particularly high-level encryption. “Anytime you put security measures in place, you add additional overhead to the transmission,” Bennett said. “It may be that you're sending out 1 megabit of data, but if you're totally secure you might be sending 1.5 megabits of data.” Yet Bennett observed that slightly degraded performance is usually viewed as an acceptable trade-off for obtaining enhanced security. “It's better to get data that you are sure is secure.... That's the price we pay for dealing with a little bit higher order of encryption.”

Jamming sessions

Jamming is a mobile network security problem when intentional interference keeps team members from communicating with each other, preventing the exchange of potentially life-saving information. “As adversaries become more sophisticated and have access to better equipment, perhaps because of state-sponsored terrorism, they will increasingly have the ability to jam signals,” said Karl Fuchs, vice president of technology at iDirect Government Technologies, a military communications product vendor located in Herndon, Va.

Bennett said jamming can also be unintentional. “Unintentional jamming is when you've got too many people in the same RF spectrum, and they're talking over top of each other,” he said.

“Developing waveforms that can defeat jamming equipment is vital to the military,” Fuchs said. “This might be the tie-in for the spread spectrum, because the technology behind spread spectrum [wider bandwidth] is the same technology that can be leveraged for anti-jam capabilities.”

The great challenge

Today, with mobile network and device technology advancing rapidly, the biggest task now facing wireless developers is ensuring a seamless, transparent, compatible and resilient security environment. “Right now, the great challenge in building out secure mobile networks is that engineers must pull together a patchwork of a la carte solutions,” Morrison said. “The industry needs fully integrated, turnkey solutions for securing mobile traffic.”

Bennett said cohesive and easy-to-deploy commercial security technologies are essential to the military’s long-term mobile networking strategy. “We're moving more and more toward a commercial model and providing layers of security, just like the commercial guys are,” he said.