In the last couple of days, since I’m a Computer Engineer and Lead Auditor ISO27001 working in the Information Security field, I was asked by many friends and colleagues about the recent Wall Street Journal news that top secret details about the Lockheed F-35 JSF (Joint Strike Fighter) were stolen by hackers that were able to gain access to the Pentagon network. According to the reports, Information Leakage dealt with thousands of confidential files that were compromised over the past two years. The data related to the electronics systems and avionics of the JSF. Some sources claimed Terabytes (!) of data were stolen: design and performance statistics of the fighter, as well as the system used by the aircraft to conduct self-diagnostics during flight. The intruders were able to compromise the data by gaining access to the computers of Pentagon contractors in charge of designing and building the aircraft.
These were the facts, more or less reported the same way by many newspaper, agencies and web magazines, here in Italy too.
The first thing I thought was: “how was that possible?” If those files were so sensitive, they had to be protected by applying a series of countermeasures aimed to prevent Integrity, Confidentiality and Availability of information (i.e. data) from being compromised. The three attributes1 are the basis of Information Security. By evaluating the impact that the loss of any of those attributes for a particular type of asset (meaning information at the higher possible level = data, documents, personal computer, hardware, software, oral communication, people, company’s reputation, etc) you can understand which assets require particular countermeasures and which other are less critical and require “loose” security measures. For example, it is obvious that the file containing the office numbers of all the employees is less important than the file containing the detailed description of the weaknesses of the passive and active countermeasures of the F-22. So, you shouldn’t worry about the security of the group telephone and address book, but you should invest a lot (in terms of security devices, training, policies and procedures of course) to protect the survey about the weaknesses of the F-22 self-protection suite.
The entire process that goes from the evaluation of the Risk (Risk Analysis) to the ways to manage the Risk (Risk Treatment), is named Risk Management. You can’t say an asset is secure or not if you don’t put into relation the value of the asset (under the organisation’s perspective) and its peculiar threats.
Since Risk Management is paramount to address the investments on Information Security, organisations all around the world perform Risk Assessment and consequent Risk Treatment continuously. he Risk Management enables an organisation to manage the Risk’s lifecycle; after applying the countermeasures, an organisation is called to test their effectiveness and to fill the gap between the expected security level and the actual one (in accordance with the Plan Do Check Act or Deming Cycle paradigm).
Let’s get back to the presumed JSF hack. For sure, someone that was not authorized to, was able to gain access to particular file –> Confidentiality break. Even if I have no idea how the Pentagon network is protected I’m sure there are plenty of Firewalls, Authentication Servers, Intrusion Prevention Systems, Document Right Management and many other technical and procedural countermeasures to protect the sensitive information. If the stolen files were so critical, it is hard to believe they were so simply available on contractor’s computers.
So, there are three possibilities:
1) the information were not secured as they were not so critical
2) since the risk can’t be avoided but just reduced (you can’t ever be 100% secure), there were a series of breaches that enabled the information to be leaked despite data was protected in a (most probably) heavily defended network architecture.
3) Pentagon has no basic idea on how to deal with Information Security
I pick the first one, since the second one is simply less probable (but still possible) and I believe the third is just impossible for a nation where Network-Centric Warfare was pioneered. The second option is also possible but the more the information was critical, the less the possibilities that a security breach could remain undetected for 2 years (enabling leakeage of TB of data…).
1 Let’s quickly explain the meaning of the attributes:
Confidentiality: Assurance that information is shared only among authorised persons. Breaches of Confidentiality can occur when data is disclosed in any way (for example, watching the content of a document, eavesdropping a conference call, accessing private records, and so on).
Integrity: Assurance that the information is authentic and complete. Therefore, this attribute refers to the need to keep the data as it is, without any change. Information must be trusted.
Availability: Assurance that the data is available when needed. Leak of availability occurs if any network failure prevent an authorized user to gain access to a file stored in a Server.