FALL 2003

Perspectives on Security

An Interview with John Gilligan

John M. Gilligan is the U.S. Air Force Chief Information Officer in Washington, D.C. He is the principal advisor to the Air Force leadership on information management, business processes, and information technology standards. He previously held the same position at the U.S. Department of Energy. He earned his B.A. in mathematics from Duquesne University and master's degrees in computer engineering from Case Western Reserve University and in business administration from Virginia Polytechnic Institute and State University. In this interview, Gilligan speaks with Engineering Enterprise about security issues affecting the Air Force and homeland security in the United States.

Engineering Enterprise: From the perspective of the Air Force and Department of Defense, what do you think are the most prominent security issues now, and how have they changed in the last year or two, if at all?

John Gilligan: I don't think the situation has changed much in the last couple of years, although there is greater visibility now on the set of issues that I view as most important. The most pressing security challenge is to get a better handle on the consequences of commercial software delivered to us in the Air Force — the same software that is delivered across the world, that has insufficient quality. As a result, inherent logic flaws can be exploited and used as the basis of attacks against our systems — viruses, worms, as well as more sophisticated attacks.

EE: Is this just for the business side of the Air Force, or does this include Command and Control as well?

JG: This is an issue across the spectrum of our mission areas and systems.

EE: So it's not just Microsoft Windows and Office?

JG: No, but Microsoft provides the primary operating system and desktop software that we use across the Air Force. We also have Unix-based systems and other commercial software that is being exploited in a similar manner. These include Cisco routers, Oracle databases, and Internet utilities. Microsoft tends to get the most visibility because it is the biggest software supplier in the world. Because it is the biggest, it is the focus of the largest number of exploits. But we see the problem across the board.

And why is this the most significant security problem? Because when you look at the successful penetrations of our systems and disruptions of Air Force operations, roughly 90 percent are based on the exploitation of previously discovered logic flaws in commercial software products. The remedy has been to patch the software flaws. However, the rate of discovery of these logic flaws is increasing to almost one per day. In an environment like the Air Force, where we have 500,000 Microsoft desktops, patching 500,000 computers is a non-trivial exercise.

EE: Everyone can't just go to the Microsoft website and download the update?

JG: Oh, they can, but just think of the logistics of getting 500,000 people to have enough knowledge to go to the Microsoft site, download the patch, and install it properly. We don't do that. What we do is push the patch to our major commands and our bases, and our bases generally have their IT folks install the patches for the users on the base. Increasingly we're using automated tools to install the patches, but the automated tools are not fully fielded, nor do automated tools let us cover the full gamut of different configurations and vendors of software systems.

Two years ago I told the president of Microsoft that "we are now spending more money patching and fixing your software than we are spending to buy it." Since then, the rate of discovery of flaws in Microsoft and other commercial software products has been a growing problem. Because 90 percent of the successful exploitations of our systems are exploiting this path to disrupt Air Force operations, whether it is root access to our systems or just denial of service, this becomes the most pressing security problem. I've got to dampen this security problem — why? Because it's consuming an awful lot of resources and, to be honest, most of these attacks are coming from relatively unsophisticated people. These attacks can mask what could be a much more serious attack from a more sophisticated adversary, who might be using methods that are less "noisy," less visible, and could have potentially greater consequences.

Unfortunately, dampening the impact of exploitation of logic flaws in commercial software will take years because it will take that long for the software industry to dramatically improve the quality of its software. Moreover, modern software products consist of many millions of lines of code. I do not expect software will be delivered without any exploitable logic flaws in the foreseeable future. However, we hope within five years we'll see a significant improvement in overall software quality.

I believe that the engineering practices used to ensure reliability and correct operations in other disciplines will become increasingly important for software. I also predict we will see a rebalancing of the business equation for commercially provided software. In the past, those who got to market with new features were the ones that captured market share. I predict that, in the future, software quality will be increasingly important in the purchase decision. Improved quality will reduce lifecycle support and, therefore, total cost of the software product. I envision the maturing process for software as analogous to maturing the automobile industry. In the early days of the automobile, quality wasn't important; it was features. Now, many consumers look at Consumer Reports for quality and operating cost assessments before purchasing an automobile.

EE: It seems like the trends you are talking about so far have just been the disruptive ones, as opposed to manipulative ones.

JG: Let me attempt to put what I have described in context. In our unclassified computing systems, we manage our aircraft maintenance operations, our supply activities, and our personnel training qualifications. Each of these capabilities is absolutely essential in order to operate our aircraft and conduct combat operations. The same systems and networks that support these functions also support our back office finance and personnel support functions. The architecture of our network enterprise is based on the philosophy captured in the phrase: One Air Force, One Network. Our computer systems are architected with trust relationships such that one computer can talk to another. Moreover, leveraging networking protocol conventions, these systems interact with a higher degree of trust than a system that is not part of our Air Force network. As a result, if you break into one computer, depending on how sophisticated you are, you may be able to get into any computer that we have on our Air Force network. One can postulate a scenario that on the first night of a military conflict, such as in Iraq, an adversary triggers an exploit against a software flaw that denies the ability of the Air Force to get at maintenance, supply, and critical pilot information. If not detected and countered in a fairly short period of time, you could ground our Air Force. This is my nightmare scenario.

EE: Why do you think that hasn't happened? Are people not up to the task yet?

JG: I think there are a couple of reasons. One, it is not trivial to pull off the type of scenario I just described. It's pretty complex. Second, we work very hard in the Air Force to defend against such scenarios.

Within the Air Force, we have installed patches for each of the previous worms and viruses (ILOVEYOU, Code Red, Blaster, Sobig, Slammer, etc.), but let's face it; the patches we're putting in are somewhat like band-aids. We still have exposure because an adversary only needs to find another logic flaw in a software product that exhibits similar attributes.

I should note that some computer security aficionados have hypothesized that the series of viruses and worms that we have seen over the past couple of years have been the test bed for a well-planned effort to launch a very potent attack at some point in the future. They have reasoned that sophisticated attackers have been trying out their techniques, seeing how quickly they propagate, assessing the impact, and monitoring the defenses and response actions. The theory is that the source of many of these attacks is more sophisticated than misguided teenagers. They suggest a well-coordinated effort that is gathering intelligence and refining the tool set and doing it fairly publicly in order to use the media to gauge impact and reactions.

On balance, I think it is important to say that we are, in fact, dramatically improving our defenses in the Air Force. In the military, we have robust command and control of our network of computers, and we have made dramatic improvements in the methods used to detect an attack and to counter cyber attacks. Even when we see major attacks, we are able to rapidly isolate the source and the target. We use filtering at the Internet Protocol level to quickly block types of traffic and certain types of activity. We then use more fine-grained methods to mitigate the effects of the attacks.

EE: This is at the Internet Protocol level?

JG: In many cases, yes. At the main gateways to our networks, for example at the routers and firewalls into our bases, we block selected IP addresses and certain protocols. When we see an attack, we extend the Internet Protocol blocks. Other large organizations are also using similar techniques. Within the military, we have a Command and Control structure that orchestrates our cyber defenses. The structure starts with the four-star commander of Strategic Command, Admiral Ellis, at Offutt Air Force Base in Omaha, Nebraska. Strategic Command has command links to the military services, and then to each of our major commands and bases in a highly parallel fashion. Within minutes of detection of an event, we are able to execute cyber protection actions that may not patch all the targeted computers, but at least mitigate the potential damage. We're continually working to increase the effectiveness of our detection and response actions.

EE: You mentioned different vendors and the problems of the quality of the software. What is going to bring about the change? Is the Air Force waiting for the commercial world to deliver what you want, or are you more proactive in trying to get that world to provide the quality?

JG: I mentioned that two years ago I met with Microsoft to ask it to focus on this problem. My message to the president of Microsoft was that the Air Force could no longer stand the cost and risk of the poor quality of software that Microsoft was providing to us. I was basically informing them that "I'm going to start going public. It is not because Microsoft is the worst offender, but you are the biggest." Since the Air Force is Microsoft's largest customer, and a highly visible one, the message got to Bill Gates. Immediately after September 11, 2001, my message and similar messages from other customers started to get a lot of attention. Recently, there has been a chorus challenging Microsoft and other software vendors for the poor quality of their products.

Unfortunately, it is going to take a long time to improve the quality of the many millions of lines of code that have been fielded. To its credit, Microsoft initiated its Trustworthy Computing effort right before September 11, 2001. It has addressed all aspects of its software efforts, including culture, training, tools, and testing processes. Likewise, Oracle, Cisco, and the other vendors have initiated similar efforts. This is a non-trivial change from an engineering perspective because, in the case of Microsoft, you're changing a business culture that very successfully followed the model that "you write code as quickly as you can, get an adequate level of quality, and push it out the door." Features are what you're after. And we're now saying, "no, we want well-engineered, high quality code." This is a major change for the software industry.

As a relatively immature field, software doesn't have the same definition of quality attributes and methodologies and process that are in other engineering disciplines. I'm not an expert in the details, but the Sustainable Computing Consortium at Carnegie Mellon University is focusing on the root problem, which is "what are the measurable characteristics of quality." It then hopes to begin to establish these characteristics as recognized standards. Long term, this is going to be the type of effort that is going to pay off. I'm seeing more emphasis on this type of effort now, because the lack of quality is hitting everybody in the pocketbook.

EE: Are there any investments that the Air Force has to make because the commercial world just won't do it?

JG: The investments that we're making are not unique because the commercial world won't do them, but I will say we incur a lot of expenses because we have to do workarounds to compensate for the fact that the quality is not good. We spend an awful lot of money for patch distribution and verification. In the future, we plan that these capabilities become part of the standard architecture and toolset. My goal is that if we are going to have to patch systems, we want to be able to do it instantaneously and then verify patches on a continuing basis. We spend a lot of money on firewalls, filters, and intrusion detection systems, when in many cases, if the software quality were better, we wouldn't have to place so much reliance on these defense mechanisms. We do spend a lot of money on our hardware and software cyber defenses. However, the biggest cost of our cyber defenses is manpower. When we get one of these virus or worm attacks, it takes a lot of manpower to deal with the immediate actions and then clean up the consequences.

EE: So there really aren't threats that are unique to the Air Force. If you can deal with the threats that are the primary concern of the commercial world, those are the primary ones you're concerned with, too.

JG: Yes and no. I can say that most of the threats are going to be common between the Air Force and the commercial world. But I think there is a source of threats that are of more concern for us than they would be for many in the commercial world. Obviously, our job in the military is very specific and we're the first line defenders, especially in homeland security. So if someone wanted to attack the United States or potentially prevent us from being able to take military action in other parts of the world, one of their focus areas could be Air Force networks and computers. So, we think we have a higher priority on some adversaries' radar than some parts of the commercial sector. Although I'll add that when you look at the effect of the recent blackout in the Northeast, if someone were going to attack the United States, they might not worry about the military networks if they could successfully take out the power grid. Or they might disrupt the water supply. Critical infrastructures can also become key cyber targets, communications and electricity being the two that are most fundamental.

EE: That sounds like the military and civil blend together from an infrastructure point of view.

JG: When you're talking about homeland defense, yes. In the United States, the military relies heavily on the civilian infrastructure. Once we go outside the confines of the United States, then the military is much more self-contained from an infrastructure standpoint.

EE: How have the homeland security issues affected your priorities and initiatives?

JG: Candidly, not a lot to this point in time. However, increasingly, the military focus is changing. Until fairly recently the military believed we were always going to fight overseas, so we didn't have to worry about the interaction with state and local governments and other Federal agencies. We're now realizing that for any conflict that has its focus in the U.S., it is absolutely essential that we are able to coordinate with and leverage state and local activities, industry, utility providers, etc. There is now a robust dialogue that is coordinated by the new Department of Homeland Security and by the Northern Command, the military organization that supports homeland defense, with the many Federal, state, and local organizations. They are spending an awful lot of their time working with state and local governments to set up communications, to establish protocols for cooperative agreements, and it is still early. It is a massive task.

EE: You talked before about the situation where someone could breach one weak link within the Department of Defense, and then communicate with other computers as more trusted than they are justified. How about when you deal across organizations in homeland security? If they could reasonably penetrate the fire department, for example, could they then communicate with the Air Force, Marines, and police in a trusted way?

JG: Today it is less likely. The good news is, since we don't have better electronic sharing relationships with the civil organizations such as fire and police, that's less of an avenue of attack. However, as we move forward to better link our military and civil systems and databases, an attack that exploited these trust relationships could become more likely. Within the Air Force, as we are achieving our goal of a seamless enterprise-wide network, the threat actually becomes more significant. As we better link military systems to federal agencies, and then state and local civil agencies, we also expand our collective vulnerabilities. This is why improving our defenses becomes extremely important. As we move forward to achieve the goals for the defense of our nation, we're actually opening up a greater potential to be exploited.

EE: So there is some downside to interoperability?

JG: Right. In fact, there is a parallel issue that some have argued. For example, the former presidential advisor on cyber security, Dick Clarke, used to advocate that we should have heterogeneous computer software for our systems, because that minimized the extent that somebody could attack us and exploit a common flaw that would be resident on the vast majority of our systems. He argued that we ought to move away from everything being on Microsoft, and move to Linux, and have a heterogeneous software product architecture. The problem is that a more diverse set of software products complicates the task of seamless integration and efficient management. I don't believe that is the right way to go. You'll find people who will have different philosophies on how to approach this.

EE: It also seems like it goes back to Alexander Hamilton in the Federalist Papers about centralization vs. decentralization.

JG: Yes, you can get into those arguments quite easily.

EE: What is your overall sense of things right now? Do you feel like we're getting better at coping with the challenges? Are we just keeping our head above water, or what?

JG: My experience in tracking this area goes back now 30 years. I started working in computer security in graduate school, where I got involved in a multilevel security research effort that was funded by the Air Force. I also focused on computer security when I was in private industry. My conclusion is the following: the threat and the sophistication of the threat continue to increase, and it is roughly parallel to our improvements in defense measures. This is a race, and it is not one that we will ever say that we've won, because as the defense protection approaches get more capable, the inherent systems become more powerful. When we finally figured out how we could secure a single computer, we connected them all. All of the sudden, we had networks that brought a whole new dimension and complexity to security. As we made additional progress on networks, then we expanded the scope to an enterprise of interconnected networks. It used to be that you would have small enclaves that were closely interconnected, and now we've embraced the concept that we want seamless connectivity across the globe. And the body of code that must perform correctly grows larger and larger. Back in graduate school, I was doing mathematical proofs of code. We were going to mathematically prove that the software correctly implemented the design. We eventually gave up on that approach to security because, as you get millions and millions of lines of code, it became impractical.

EE: It almost sounds like the way our bodies fight bacteria and viruses. We keep adapting, they keep adapting, and life happens.

JG: Right. Our intent is that we run as fast as we can in improving our security defenses; we continue to get better, realizing that there will be new attacks for which our defenses are not effective and so we adapt. I do not foresee a time when the security folks are going to be out of business.

EE: Does the immune situation analogy hold very well?

JG: It does. In fact, increasingly, those who are doing research in this area are looking to biological analogies in trying to develop the protection measures. They're looking for software that will recognize a threat, be able to adapt itself to the nature of the threat, learn, counter the threat, and then be able to better recognize the next threat. Building on the human analogy, this area of research might be the most promising for the future.

EE: Is that research being done by the Air Force and Department of Defense, or is it all over the place?

JG: I think it's all over the place. I don't know that it is limited to defense applications, but I'm sure the Department of Defense is sponsoring some of the research. You're probably doing some of it down there at Georgia Tech.

EE: Any other observations?

JG: What I highlighted was the biggest vulnerability, the quality of software. Let me quickly mention two other areas of security concern, and they both deal with our humans who operate and use our systems. The first observation is that statistically the most significant and severe security threat is an insider—an employee of the organization who has authorized access to systems. In many cases the insider is not somebody malicious, but they are poorly trained or poorly motivated individuals who make a mistake and bring down your network. One may not consider it a security problem, but from our standpoint it is. When you don't have availability of your networks and systems that is a security problem.

You also often find that people don't use the mechanisms that are enabled within the systems, like passwords. One of the things you can do to help assess the strength of the security in an organization is to take an automated tool and run it against the password file. Even if the password file is encrypted, you will find that you can break a fairly high percentage of the passwords, because they are generated based on common words. There are a lot of things that individuals can and should be doing to ensure security. This is a constant training challenge. In some cases, your well-intended end user becomes a vulnerability. In reality, most of them say that "it won't happen to me."

What we are doing with our enterprise Air Force Portal and the surrounding infrastructure is implementing a single sign-on capability that will initially use passwords but eventually will be public key encryption-based, where we will pass the security credentials from your ID card into the computer and then to all the applications so that you don't have to remember all the separate passwords used for different applications and write them all down, which becomes another vulnerability. Password security can work well, except when you have to remember 50 of them.

There is also a long-standing recognition that an insider who has administrator-type privileges can do an awful lot of damage from a security standpoint and also be fairly effective in covering their tracks. We expect that the individuals we hire to do systems and network administration be highly trained, but we also want to have a high degree of assurance of their personal integrity. It is likely that in the future we will certify these people and put them under what we in the government call the "Personal Assurity Program," which in some cases means polygraph administration. We say, "you are so critical to the operations of this system that not only will we do extensive background investigations, we might also do periodic polygraphs."

EE: Thank you for sharing your rich experiences and insights. Our readers will certainly gain a much deeper appreciation of the nature of the security threats you have outlined.
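The password-file audit Gilligan describes above (run an automated tool against the stored, hashed passwords and see how many fall to common words) is an offline dictionary attack. The following is an added example from the editor, not code from the interview or from the Air Force. It assumes a simple "user:salt:hex SHA-256 of salt+password" file format and four constructed sample accounts so that it runs with the Python standard library alone; real systems use slow, purpose-built hashes (bcrypt, scrypt, Argon2, sha512crypt), and the attack is the same against them, only more expensive per guess.

```python
"""Offline dictionary attack against a hashed password file.

Editor's added example, not code from the interview. The file format
(user:salt:hex SHA-256 of salt+password) and the four sample accounts are
assumptions constructed here so the script runs with the standard library
only. Production systems use slow, salted hashes (bcrypt, scrypt, Argon2,
sha512crypt); the attack is identical, just more expensive per guess.
"""
import hashlib

# Suffixes users commonly append to a dictionary word.
SUFFIXES = ["", "1", "12", "123", "!", "2003"]


def hash_password(salt, password):
    """Assumed on-disk hash: SHA-256 over salt || password, hex encoded."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_password_file(text):
    """Parse 'user:salt:digest' lines into (user, salt, digest) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt, digest = line.split(":")
        entries.append((user, salt, digest))
    return entries


def candidates(word):
    """Yield a wordlist entry plus the cheap manglings people actually use:
    capitalised, upper-cased, and a handful of common suffixes."""
    bases = []
    for base in (word, word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def crack(file_text, wordlist):
    """Return {user: recovered_password} for every entry whose stored digest
    equals the hash of some mangled wordlist candidate under that user's salt."""
    # salt -> {digest: [users]}: one hash per salt serves every user sharing it,
    # which is exactly why per-user random salts matter.
    by_salt = {}
    for user, salt, digest in parse_password_file(file_text):
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            for salt, digests in by_salt.items():
                for user in digests.get(hash_password(salt, cand), []):
                    found.setdefault(user, cand)
    return found


# Constructed sample accounts (invented users, salts and passwords).
SAMPLE_ACCOUNTS = {
    "alice": ("1f3a", "password"),
    "bob": ("9c0e", "Welcome1"),
    "carol": ("77ab", "falcon2003"),
    "dave": ("0b42", "correct-horse-battery-staple"),
}
SAMPLE_PASSWORD_FILE = "\n".join(
    "%s:%s:%s" % (user, salt, hash_password(salt, pw))
    for user, (salt, pw) in SAMPLE_ACCOUNTS.items()
)
# Constructed wordlist; a real audit would use a list of millions of entries.
WORDLIST = ["password", "welcome", "falcon", "letmein", "airforce", "summer"]


def audit(file_text=SAMPLE_PASSWORD_FILE, wordlist=WORDLIST):
    """Run the attack and report the fraction of accounts recovered."""
    total = len(parse_password_file(file_text))
    found = crack(file_text, wordlist)
    return found, len(found) / total


if __name__ == "__main__":
    found, fraction = audit()
    for user, pw in sorted(found.items()):
        print("%s: %s" % (user, pw))
    print("cracked %.0f%% of accounts" % (100 * fraction))
```

Three of the four constructed accounts fall to a six-word list with trivial mangling rules, which is the point Gilligan makes: the hashing ("encryption") of the file does not protect a password that is a common word with a digit or year appended. The fourth survives only because it is a long phrase outside the list, not because of the hash. The two defences this illustrates are a slow, memory-hard hash to raise the cost per guess, and checking new passwords against such a wordlist-plus-rules at the time they are set.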
Web Site © Copyright 2020 by Lionheart Publishing, Inc. and ISyE, Georgia Institute of Technology. All rights reserved. No portion of this publication may be reproduced in any form without the written permission of the publisher.