Government vs. Commerce: The Cyber Security Industry and You (Part One)

As the recent Chatham House report on the UK’s reliance on – and failings of – the private sector to safeguard our national infrastructure made clear, it is now more pertinent than ever to assess the data security industry and its progressive capabilities.

 

In this two-part special, Defence IQ goes through the looking glass to discover not only the platforms and services of the most influential gardeners of the UK cyber security landscape, but also the real threats, trends and challenges that keep them up at night.

The Upper Layer

Thales UK, the nation’s second largest defence firm, is currently on a large cryptography contract with the MoD called CIPHER, which is due to be let very soon. After observing a live demonstration of the company’s secure video teleconferencing system, using two different versions of its Datacrypt product, we asked Edward Wolton, head of practice for information and cyber security, whether its cryptography platforms were Thales’s answer to what is, at the risk of understating things, society’s gaping vulnerability when it comes to data protection.

“We have some amazing statistics on cryptography and how it’s used across the commercial and public sector in the UK, but crypto is not the be all and end all of cyber security. It’s very important, but it’s not everything,” he said.

“What Thales does is offer a very broad history of bringing solutions to the commercial market place, rather than just doing the military side of things. We of course do lots with the MoD, but a lot of our cyber security is around, for example, transactions for banks, working with nuclear power stations, and other power generators in the UK, utility companies – water, telecoms, much else besides – and all the way through to providing scaleable cyber security solutions to regular commercial organisations."

Wolton referred to comments made by Iain Lobban, Director of GCHQ, who said last year that 80% of good cyber security is information assurance, which to industry translates into CIA – not the US intelligence agency that enacts its own battles in cyber defence, but the old mantra of the security sector: Confidence, Integrity, and Availability – referring specifically, in this case, to information.

“Confidence in that you are happy that it’s the right information being seen by the right people in a confidential sense. Integrity that it is accurate or it is the information that you believe it to be, and that it hasn’t been tampered with…and there are other areas such as non-repudiation – you can’t say you didn’t send me the information because I know that you did and I can prove it – and all the way through to authentication, such as the remnants of the national identity card scheme.”

Wolton stressed the difference between the national identity scheme currently running for foreign workers, which is essentially a work-permit scheme, run by the UK Border Agency in conjunction with Thales, and the now defunct identity card scheme introduced several years ago under the Labour government, of which, like most of the people in the country, he declined to comment on any further.

“The key point about Thales’s involvement here is that we do a lot in the military space; the MoD is our biggest UK customer. We bring to the party an awful lot of commercial best practice that we use to inform our military and customers both here and abroad, and of course vice-versa, and that’s good for both parties, military and non-military, commercial and public sector.”

Even with that pedigree behind them, Thales still faces competition from the UK’s largest defence and security supplier, BAE Systems. In 2008, the global giant acquired long-serving data security company Detica, a division founded on system-engineering techniques for the NASA Apollo space programme.

Account director Tom Burton explained how the organisation’s ‘DNA’ has helped to give it a firm footing in the marketplace.  

“We have a variety of products and a variety of services that are characterised by the complexity of the threats that are present through cyber space. They range from consulting-type propositions that help our customers with enterprise level risk management because the threats are risks to business and they need to be treated as such – they’re not something that can be delegated down to the back office – and through to manual services that help to provide a level of protection to our customers, and right the way down to product ties, boxes and software IPR (intellectual property rights) that helps to defend, but also monitor activity on networks, so that our customers can understand the attacks and the threats and the vulnerabilities that are present."

While Burton could not go into any details about the needs of specific customers, due to the natural degree of sensitivity around the subject, BAE has customers that cover almost all markets, ranging from elements of government, through to areas of the commercial sector that are under the greatest threat.

“Those tend to be those companies whose shareholder value is underpinned by intellectual property, and therefore their shareholder value us vulnerable to the theft of that property, or the attack on that property by opposition – whether that’s commercial or nation state.”

Between Desktop and Cockpit

Yet in the interests of national security, according to all of those involved in the circles of cyber analysis and influence, is that as much as the cyber domain has no boundaries between national borders, there really is no boundary between the private and public sector in terms of the targets that potential cyber assailants will have pinned to their maps.  

Likewise, from highly secure military networks to neighbourhood internet hotspots, the overlap between digital information sharing is something that is difficult to keep under control. Indeed, for the military user, many data leaks have occurred when private and public networks have inadvertently overlapped.

Christopher Smith, Vice President of Marketing for Green Hills Software, laid out the problem in plain language.

“A lot of computers in use are based on Linux, on Windows, on real time operating systems in devices or sub systems that have no proven track record of security. And what’s even worse, in the case of the desktop arena, is that they have already been proven many times to be unsecure.”

This is not conjecture; this is fact. Specifically, it is verified by the Common Criteria (CC) for Information Technology Security Evaluation, an officially recognised international body that has a scale against which security – based on vulnerabilities to hacking and penetration – is certified from one to seven, with seven being the most secure a product can be.

 

Common Criteria evaluation levels. [image: Defence Acquisition University]

 

When we talk about common criteria, there are two aspects to it: the platforms that are going to be tested, such as Windows, and the protection profile against which these tests are being performed. If a product passes that particular profile, on that particular platform, then it receives a certificate of that level. The Common Criteria website allows anyone to see what security certifications have been issued for different products and operating systems available today, including dedicated security products. Windows and Linux have only ever achieved a scale of ‘4+’.

“What you’ll find”, continues Smith, “is that if you pass your level 4, you’re capable of preventing against inadvertent attempts at breaking the system’s security, such as if your cat walks across the keyboard.”

“The bottom line is that it’s actually a definition for what ‘insecurity’ is, because a casual breaking of a system cannot be called a secure product by anyone’s definition."

“[Home-based operating systems] stand virtually no chance of ever getting higher than that level because there’s too much code in those operating systems – hundreds of millions of lines. At the higher levels of security, you have to get approved, be able to look at each line of code, be able to do mathematical analysis, branch analysis of every single line. It’s got to be done with great care and at great cost.”

Which brings us to Green Hills' own solution, seen as cutting itself a large slice of UK and global defence security systems since the development of a product on the back of the most expensive and complex fighter programme in the world.

“With Joint Strike Fighter, there’s a requirement there to bring up multiple levels of security, in terms of communication, onto a single computer. Now normally, when you’re dealing with different levels of military or governmental security, they’re normally totally segregated networks. You’ll be familiar with the scenario in a lot of command and control stations used by forces around the world – multiple tents on the battlefield on multiple networks, and people walk between them, carrying the information.

“Until recently, there has not been a proven, secure way of bringing it all onto one computer. But that was a requirement on the JSF, and that’s something that we went into a long evaluation with the National Security Agency and the NIAP (National Information Assurance Program) lab to get the 6+ certificate, which we have today.

“So Green Hills today is the only company with a commercial operating system (called ‘Integrity’) that has ever achieved something that is considered by the NSA, or anyone who understands CC, to be secure enough to protect at that level.”

‘Cyber Security’ as a Seduction Technique

Among the conferences and social media groups dedicated to the subject is placed on linguistics in an attempt to ensure that everyone understands the same problems in the same way. Language has been given so much focus, in fact, that some experts argue that we are talking about cyber defence more than actually implementing it.

Still, if the domain is relatively new in the scope of the battlespace, what exactly are we talking about when we use the term ‘cyber security’, and how much importance does the industry need to be placing on these semantics? Wolton was first to provide a candid outlook.

“Nobody would say that security didn’t matter, but what ‘cyber security’ has done, although the term was coined by a mathematician in 1948 – the whole cybernetics area of qualifying the man-machine interface – it has matured over the last five years with the establishment of things like US Cyber Command, the UK’s Defence Cyber Operations Group, and the Office of Cyber Security Information Assurance (OCSIA).

“So cyber is a ‘sexy’ term for this subject area that is actually, when it comes down to it, one of the least sexy subjects you can imagine! How have we made it interesting to the marketplace? We’ve used the name to give it a Hollywood edge to enable it to be understood by the customers, and that has actually helped. It’s had a very positive impact. Our industry has been at the forefront of helping that maturity to mean something to the customers, be they CNI, government, regular commercial, or so on.”

Smith urges caution when it comes to the use of such terminology in this way, indicating that there is a risk of companies throwing words around without considering the wider impact.

“Security is not just a marketing term you use on the product label. You either are secure or you’re not. You can’t have grey areas. It must be absolute”.

Wheat from the Chaff

One would think that having reached such an impressive peak of performance, Green Hills could sit back and rest easy knowing that they have delivered a demonstrable secure system for the most vital of defence platforms. Not so, says Smith.

“What we did following our 6+ certification in 2008 was form a subsidiary called Integrity Global Security. Its remit was to take that integrity technology from a box in a plane and move it to a Dell. So a standard machine, something with three network cards and three hard drives, for example, can boot Integrity when you switch it on, and you can then run within it three totally separate virtual machines and toggle between them.

“What that guarantees is the separation between those machines with the added assurance of that certified level of security. So if you’re a military type, you no longer need three separate computers on your desk (such as to run NIPRNet, SIPRNet, and internet, simultaneously).”

The product is already being used in Afghanistan. Green Hills is, however, still only a contender in this highly competitive marketplace as an innovative and unique approach has helped all of the specialists we spoke to place themselves in the frame. BAE, being no stranger to the frontline either, highlights an affiliation with the armed forces as key to its long-term grasp on the cyber threat.

“One of our unique aspects is the fact that BAE Systems, being a defence and security business, absolutely understands the global threats that are present, both in the physical domain as well as the cyber domain,” explains Burton.

“One of the other reasons why BAE Systems Detica is in a strong position is because, as a company, we have worked with the highest and more sophisticated levels of government, and those elements of government that are under the greatest threat, and that’s enabled us to build up an understanding of the means by which attackers attack networks, which in turn helps us to understand how to best detect and defend against them.”

Underscoring Detica’s involvement in behavioural analytics, Burton addressed the fact that no matter how high you build the wall, no matter how many bricks you put in place, you can never fully something from finding a way across, and therefore, in the contemporary world of cyber security, he insists we need not only those defences but also intelligent eyes looking over our networks and infrastructure that are able to spot exactly how many of those attacks will get through.  In theory, if they can be spotted soon enough, action can be taken before any significant damage is done.

“Much of Detica’s legacy is in dealing with vast quantities of data, being able to make sense of it all, being able to spot the needle in that haystack – the anomaly that is causing damage amongst all of the perfectly ordinary behaviour that’s going on. We’ve done this in identifying organised crime in the insurance industry and financial services industry, spotting deliberate tax fraud. These are the same sort of techniques in intellectual property, which enables us to gather those vast quantities of data that characterise activity within these networks and be able to make sense of that.”

While Thales works from a similar history and approach, its own focus is in championing the notion of ‘the need to build a network to secure a network’.

“One of the things that sets Thales apart from other organisations and defence primes,” says Wolton, “is that we work very actively with small medium enterprises and the small businesses that make up the innovation and ingenuity of UK PLC. We are very careful in how we do that. So we do not have an acquisition strategy for anything that looks interesting or for anyone who might compete with us, we’re instead very keen on working with these companies, providing them in-roads with the customer bases using our sales teams, for example."

In particular, Thales has a reputation for being a systems integrator. With the aforementioned CIPHER, it is acting as the magnet organisation playing host to many different third parties. In the realm of cyberspace, one of its most interesting and timely ventures is in the development of automated sentiment analysis from online open-source media tools.

“In the wake of the public disorder on UK streets a few weeks ago, we’ve been able to demonstrate to police forces in the UK how technology is there to enable what they do at a tactical level to be an improvement on the reactive nature of a lot of police tactical decisions. So for example, knowing that ‘John Smith of Acre Avenue’ is planning to do something – why? Because he’s been stupid enough to put that information on his Twitter account, so we can use that intelligence. Having automatically analysed that, we can say to a tactical police unit, this is going to happen – not that it has happened, but that it will. It’s quite a powerful way of harnessing the open-source media world.”

It is in opportunities such as this that Thales develops partnerships with small companies – employing perhaps only as many as four people – who initially lack the culture of security at the levels that Thales is famed for. It applies a similar to the National Protective Marking Scheme, which analyses the impact level of secret information, or in other words, how much a business will suffer if classified data falls into the wrong hands.

“We help these companies understand how this marketplace works, and what is required for these impact levels above and beyond the normal ‘mom and pop’ shop type transactions. That translates to forty years experience in what we now call ‘cyber security’.”

 

Continue reading Part Two of the Cyber Security Industry and You.