Lesson 15 – Cyberspace

Lesson 15 – Cyberspace#

Learning Outcomes#

Understand the definitions of Cyberspace and Cyberspace Operations.
Know the differences between Cyber Warfare and Traditional Physical Warfare.
Understand common cyber threats to our country’s infrastructure.
Understand the Risk Management Framework (RMF) and how it is used to identify and mitigate cyber threats.
Understand the role of cybersecurity in everyday life.

Cyber and ECE#

“The mission of the United States Air Force is to fly, fight, and win… in air, space and cyberspace.” – United States Air Force Official Website, 2011.

Cyberspace is the only realm referenced in the Air Force’s mission statement that may be considered ill-defined. Therefore, it is critically important that our future military leaders gain an acceptable understanding of this realm. In 2008, President George W. Bush launched the Comprehensive National Cybersecurity Initiative (CNIC). The CNIC evolved under President Obama and, among its 12 initiatives, is “expanding cyber education.”[1]

Many people will automatically think of the internet and computer hacking when trying to define cyberspace, but this is just one (albeit, very important) part of cyberspace. Cyber not only covers the software of internet networks, but also the hardware we have been discussing. Even more, the term Cyberspace applies broadly to much more than just the Internet.

There are many definitions of cyberspace. It has become the forefront of consideration when it comes to military operations. Cyberspace is defined as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.” – National Military Strategy for Cyberspace Operations, 2006.

So what do networked systems and physical infrastructures mean? Do they just mean using the Internet? What happens when an outside entity can access our data and manipulate it? As a future Air or Space Force officer, it is essential to have a basic understanding of what encompasses cyberspace and cyberspace operations and to know the answers to these questions. It would be impossible to provide an in-depth treatment of Cyberspace, so this lesson offers a brief, high-level overview of Cybersecurity, discusses some common vulnerabilities, and shows how it applies to both the Air Force’s mission and our everyday lives.

For example, much of our nation’s infrastructure is monitored and controlled electronically. Modern-day electrical grids (coal and nuclear power plants, hydro-electric dams, etc.), water treatment facilities, and major manufacturing factories are virtually all “networked” in one way or another. Therefore, all of these places are also vulnerable to a cyber-attack. The results of these attacks could be extremely devastating. Mass blackouts, factory and power plant explosions, and contaminated water sources are just a few examples of what could happen if an enemy was able to manipulate our cyber networks. While there is no current need to panic, we need to be educated as to how cyber permeates the modern world so that we can protect our nation from future cyber-attacks.

Elements of the Cyberspace Domain#

When we typically think about Cyberspace, most of us instantly picture a network of computers and likely some kind of “black magic” associated with how they work. However, while networked computers are one of the most visible and recognizable components of the Cyber domain, the Air and Space Force also conduct operations in other parts of the Cyber domain.

Electronic Attack (EA) is considered a cyber-attack and requires consideration in the Cybersecurity arena. Many adversaries have sophisticated EA capabilities that require us to carefully consider how we conduct operations. For example, an enemy attacker may use a jammer to degrade the communications link between tactical assets, thus impairing blue forces mission accomplishment. Or, an adversary may employ a RADAR jammer to degrade our ability to effectively manage a tactical battlespace. In fact, RADAR jammers can be quite effective in not only preventing something from being seen but also forcing the RADAR to see something entirely different. Digital Radio Frequency Memory (DRFM) devices can intercept a RADAR signal, inject false targets, shift the actual location of a real target, or change a target’s characteristics – and do so quickly, often without even being detected. Naturally, any countermeasures are also considered Cyber weapons.

An Electromagnetic Pulse (EMP) could also be considered a cyber-attack as it is a brute-force method of destroying computers, their associated infrastructure, and potentially erasing a large amount of crucial data. Therefore, many military systems are hardened against EMP attacks. Air Force Research Lab (AFRL) has developed a system, called Counter-electronics High-powered microwave Advanced Missile Project (CHAMP), that can target facilities and completely disable computers and networking equipment[2].

While there are myriad examples of these types of Cyber applications, the point is to understand that Cyberspace, as a warfighting domain, goes beyond the keyboard and computer. We will explore some of these concepts in the upcoming block.

Cyber Warfare versus Traditional Warfare#

When talking about “Cyber” and the ability to “fight” in this domain, it may be good to start by exploring how the characteristics of the cyberspace realm can create a new and different type of “warfare.”

While different than fielding a traditional fighting force of soldiers, guns, tanks, and airplanes, cyber-attacks still have the capability to create havoc and physical destruction through the use of computers and other electronic devices. However, it is the differences that make cyber warfare a very challenging threat. Let’s take a look at a few of the main differences between cyber warfare and traditional warfare.

Cost

While it would take many billions of dollars in the modern world to form and maintain a traditional fighting force, a very effective cyber-attack could be purchased for just a few million dollars. This is because all one needs for a cyber-attack is some good electronic equipment (computers and networking devices) and people with the knowledge to use it. There is no shortage of hackers for hire either, and they can be found right on the internet.

Boundaries

In traditional physical warfare, boundaries are rather clear. If you enter across another nation’s borders with a tank, they will likely have a problem with that and react appropriately. With cyber warfare however, there are no physical borders. A cyber attacker could potentially attack a target from anywhere on the Earth (or even space) if they have the resources to hack into the network they are trying to affect.

Anonymity

As in the example above, if you physically drive a tank across a nation’s border, they can very easily tell where you came from and, very likely, will know who you are or who you are working for. However, a cyber-attack is very hard to track. The attacker can use multiple methods to cover their tracks and stay anonymous. If the attacker is skilled and careful, the victim may never be able to track them down.

Attribution

In a traditional war, attributing actions to a particular party is fairly straightforward. However, in the cyber domain, IP addresses or computer names and locations may be spoofed, leading to incorrect conclusions about a particular action. It becomes very difficult to trace an attack to the true origin.

Sovereignty

This is another extension of the boundaries discussion. Think of it this way: “We as a country own our land, and if you attack us, we can attack you back.” It is a pretty simple concept. Unfortunately, that simple concept becomes cloudy when talking about a cyber-attack. Can we really own part of cyberspace? We do own devices that are networked to cyber networks though, and those could be attacked. Even then, if one of our devices is attacked, and we do manage to figure out who attacked us, what would be the appropriate retaliation? At what point is a cyber-attack an act of war? Is it appropriate to bomb another country because they shut down one of our banks’ computer systems? There really is no definite answer to questions like those.

Key Cybersecurity Concepts#

Many people use the terms information and data interchangeably. So, is there a difference between them? There is, but the difference is slight. Data refers “to the low-level digital signals that tend to be time-sensitive but disorganized.”[3] When we organize the data in a logical way, it becomes information.

The DoD Information Network (DoDIN) is a set of hardware, software, and capabilities the DoD uses to ensure the right information gets to the right people at the right time. As such, data containing information is transferred/stored on the Global Information Grid (GIG) to allow the military to access and process information in accomplishing its mission. Obviously, this data needs to be protected. In devising a cybersecurity posture, or a strategy for protecting key information, the DoD focuses on ensuring confidentiality, integrity, and availability – often known as the “CIA triad”.

Confidentiality means only allowing individuals access to information which they are authorized to view or possess. In many cases, data may be classified, requiring it to be protected by more stringent controls. In order to ensure confidentiality, the data may be stored on physically or logically separate networks, protected by multi-factor authentication (biometric, two-factor, etc.), or encrypted. All data is not created equal; therefore, it is appropriate to have varying levels of protection.

Ensuring the integrity of data means preventing unauthorized modification of that data. This prevents adversaries from planting misleading information without being detected. One method of doing so is implementing a role-based or permission-based operating system. In that case, a user could be given permissions to access and view data but not to modify it. Furthermore, encrypting data and safeguarding the key also helps to ensure integrity.

Data is useless unless it can be converted to information and disseminated to the right person at the right time. In most cases, availability refers to hardware; it should be reliable, well-maintained, and kept up and running as often as possible (ideally all the time). Designing hardware redundancy into a system is crucial for maximizing system availability. Additionally, backup copies of data can ensure a rapid recovery in case of a catastrophic loss. Since data is often stored in a separate location from the users, adequate communication bandwidth is required to ensure availability. Lastly, protecting hardware from nefarious actions is crucial in today’s world. The most common controls are firewalls, secure routers, encrypted data lines, and network monitoring software.

A final factor that must always be considered is cost. Some systems require high levels of confidentiality, integrity, and availability. An example would be Advanced Metering Infrastructure (AMI) used by utility companies to report energy usage. Users can reasonably expect that their energy use and related billing are not publicly available (high confidentiality). Utilities and consumers must be certain that metering and billing information is accurate (high integrity). Some users, such as large industrial plants, may require billing information that is accurate up to the minute in order to minimize their energy costs (high availability). In this case, the utility company will need to implement an expensive system incorporating encrypted high speed data lines, secure data centers, and robust data backups to ensure that the high level of service is provided. In many cases, there will be a tradeoff between confidentiality, integrity, and availability that requires at least one of them to be low in order to reduce cost.

Encryption, authentication, and authorization are the most common methods of protecting the confidentiality and integrity of data. Encryption is a means of scrambling data to mask its information content. Encryption uses a mathematical algorithm and a key to make the data unreadable to anyone except those who have the key. In this case, even if the data is compromised to an adversary, they cannot turn it into information or knowledge as it is simply an apparently random sequence of bits. Authentication is the process of verifying that you are who you say you are. This occurs every time you log on to your computer with your CAC. Providing your CAC and pin to the computer allows the system to verify that you are the person listed in the system with the credentials shown on your CAC. Once you have successfully logged in with your CAC, authentication is complete, and authorization may occur. Authorization is the process of giving the user the correct permissions for his or her role. Be sure not to confuse authentication and authorization; they provide similar protections but are different processes. Together, authentication and authorization ensure that you are given the correct permissions and are held accountable for any actions undertaken from your computer while you are logged in.

When it comes to cybersecurity, engineers must balance the trade-offs associated with increasing one of the factors in the CIA triad. For example, the most secure system is a stand-alone system locked in a vault. It would certainly have high confidentiality and integrity but would likely be of little value due to its low availability. Most applications, however, allow for one or more of those criteria to be degraded in favor of the other(s). The interfaces between control systems (e.g. relays) are a good example. The information that those interfaces convey must be accurate in order for the operator to make the correct decision (high integrity), and operators may need to respond to changes within minutes or seconds (high availability). The operator may not be concerned with anyone else seeing that same data (low confidentiality) as long as standards for integrity and availability are met. In this case, the utility may not need to use encrypted, secure, communication lines as long as the lines and sensors are reliable.

Each system has unique CIA requirements. The above examples used a potentially over-simplified assessment process in order to demonstrate the concept. A more formal method would be to examine the level of impact that a failure of that attribute will have on the overall system, the utility, and the customer. A standard way of viewing these levels is to categorize them as Low, Moderate, or High.

The purpose of cybersecurity is to continuously ensure that the required levels of confidentiality, integrity, and availability are provided by the system. Typically, risk assessments are used to verify that the system is meeting the CIA requirements. The AF uses a framework called the Risk Management Framework (RMF) to assess the vulnerabilities of given systems, select the appropriate mitigation actions (called “controls”), and implement those controls. A visualization of the RMF process can be found in Figure 1. One noteworthy nuance of RMF is that it begins with the assumption that any system can and will be compromised; therefore, it seeks to implement controls to mitigate the compromise and protect the most important information. This is a considerable shift when compared with historical approaches, which sought to prevent compromise altogether. RMF consists of six steps, which are described in Table 1.

Figure 1: Risk Management Framework Cycle

Table 1: Risk Management Framework

Term	Definition
Categorize	Categorize the system. The category assigns high, moderate or low impact ratings based on the impact of loss of the information contained in and processed by the system.
Select	Select security controls based on system categorization and security control overlays, which identify controls specific to certain systems (i.e., classified information, aircraft, etc.). This step includes tailoring of security controls, which are the specific actions taken to secure key information.
Implement	Implement security controls. Incorporate technical security controls into the system design. Non-technical (administrative, personnel, physical, etc.) controls can be identified and implemented by the AF and related stakeholders.
Assess	Assess security controls. Security Control Assessors (SCAs) for each respective Authorizing Official (AO) will assess each security control and the overall system in order to determine if the risk associated with each security control is acceptable.
Authorize	An Authority to Operate (ATO) is granted by an Authorizing Official, which allows an information system to participate in military operations.
Monitor	The system will need to be monitored continuously to identify any changes to system security posture over time. This includes review and assessment of RMF security controls, identification of security impacts due to ongoing operations, and documentation of any changes introduced by operations. Continuous monitoring is performed to facilitate ongoing authorization of the system. Monitoring also provides a feedback mechanism by which we can begin the RMF cycle over again, further mitigating risk.

In step 2 of the RMF, the security controls must be selected based upon the system categorization. Examples of controls include the following[4]: (The Critical Security Controls for Effective Cyber Defense, Version 5.0, 2014)

Inventory of authorized and unauthorized devices
Inventory of authorized and unauthorized software
Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
Continuous vulnerability assessment and remediation
Malware defenses
Application software security
Wireless access control
Data recovery capability (i.e., backups)
Security skills assessment and appropriate training
Secure configurations for network devices such as firewalls, routers, and switches
Limitation and control of network ports, protocols, and services
Controlled use of administrator privileges
Boundary defense (i.e., firewalls, proxy servers, etc.)
Maintenance, monitoring, and analysis of audit logs
Controlled access based on need to know
Account monitoring and control
Incident response and management plans
Penetration tests and red team exercises

A detailed attack path analysis, where attack vectors are identified, supports the RMF process. An attack vector is simply the route by which an adversary can access a system. Physical vectors include doors, windows, and physical hardware such as laptops. A technical vector may be a flaw in computer code, a weak password, or an open port on a firewall. An administrative vector may be allowing an excessive number of users with administrator privileges or having poor data backup procedures.

Adversaries fall into certain categories; those categories help us assess their ability to penetrate a system and extract information. For example, a lone wolf hacker won’t have a large infrastructure available, and he or she may not be able to inflict as much damage as a hacking group sponsored by a Nation State. An explanation of various adversaries is found in Table 2.

Table 2: Adversaries[^5]

Adversary	Description
Nation States	“State-run, well-organized and financed. Use foreign service agents to gather classified or critical information from countries viewed as hostile or as having an economic, military or a political advantage.”
Hackers	“A group of individuals (e.g., hackers, phreakers, crackers, trashers, and pirates) who attack networks and systems seeking to exploit the vulnerabilities in operating systems or other flaws.”
Terrorists	“Individuals or groups operating domestically or internationally who represent various terrorist or
Cyber terrorists	extremist groups that use violence or the threat of violence to incite fear with the intention of coercing or intimidating governments or societies into succumbing to their demands.”
Organized Crime	“Coordinated criminal activities including gambling, racketeering, narcotics trafficking, and many others. An organized and well-financed criminal organization.”
Other Criminal Elements	“Another facet of the criminal community, which is normally not well-organized or financed. Normally consists of a few individuals or one individual acting alone.”
Industrial Competitors	“Foreign or domestic corporations operating in a competitive market and engaged in illegal information gathering from competitors or foreign governments in the form of corporate espionage.”
Disgruntled Employees	“Angry, dissatisfied individuals with the potential to inflict harm on the Smart Grid network or related systems. This can represent an insider threat depending on the current state of the individual’s employment and access to the systems.”
Careless/Poorly Trained Employees	“Those users who, either through lack of training, lack of concern, or lack of attentiveness, pose a threat to Smart Grid systems. This is another example of an insider threat or adversary.”

Network Vulnerabilities#

When most people think of cybersecurity, they think of cyber-attacks on a network. To be sure, this is a very large part of cybersecurity, on which the US Government and, to a much larger degree, the DoD, place a strong emphasis. There are a number of primary vulnerabilities to networked systems:

Physical Access
Network Hacking
Supply Chain Threats

Physical Access

Most cybersecurity experts live by the axiom “Physical access is ultimate access.” Indeed, if an individual or group with malicious intent have physical access to a system, they likely have access to all the information and capabilities of that system. One might think of James Bond or Jason Bourne at this point: a secret agent or spy that can sneak into tight spaces unnoticed and crack door locks to get access to a mainframe computer. While this example is definitely a cool way to do it and makes for some really good movies, getting someone on the inside is not the only way to physically gain access to a networked system.

Instead, something as simple as a thumb-drive (flash memory device) getting plugged into the system can give an unauthorized user access. Such flash memory devices can be easily programmed with malicious code or malware and can be set up to spread this code quickly and efficiently. Once a flash drive is plugged into a computer, it can automatically download its code onto that computer, which can in turn detect the next thumb drive to be plugged in and upload to that drive as well. And so it spreads. Such malicious coding could be programed to spread a virus to shut down a computer, spy on a system to steal important information such as passwords and credit card numbers, or infect a system to cause it to do unintended things.

This is exactly how the Stuxnet virus was able to make it into an Iranian nuclear plant. Even though the critical infrastructure was not hooked up to an online network and had a physical barrier preventing wireless signal transfer, they still used flash drives. It was one of these flash drives that infected the nuclear plant with the Stuxnet virus which then got into the nuclear plant’s control system and destroyed over 1,000 centrifuges. This is also why we no longer allow normal flash-based thumb drives to be used on our military and Department of Defense computers.

Network Hacking

Networking hacking is probably the most well-known network vulnerability. Most modern systems are in some way hooked up to the internet. Additionally, these systems were designed to have high availability/accessibility, which can make them less secure. Any network connected system has to balance availability and security. A skilled computer hacker may be able to gain access through these internet connections to just about any system. Once inside, they would be able to spy on the system make-up and settings and, possibly, adjust things as they see fit.

In recent years, network protection has become a big business. There are a lot of skilled security companies and contractors that can help secure a network from online threats. Advanced network firewalls and passwords can keep most hackers out, and having a security firm monitoring a network allows quicker response times to hacking attempts.

One possible defense strategy for network defense is to use a honeypot. Honeypots are decoy systems that imitate real systems but are more accessible to the internet. The goal is that a hacker would reach the honeypot unknowingly, while thinking he had hacked the real system. Honeypots can gather information on attacks to help strengthen the system security going forward. Other network defense strategies may employ Canary Traps, Network Telescopes, or Honeytokens. Although they vary in implementation, the basic premise is to allow a certain amount of data to be leaked in order to aid in mitigation of the vulnerability.

Supply Chain Threats

A third way to gain access to a technology or system is to do it before it ever gets to the customer. Today, it is very rare for a product (especially a high-tech one) to be produced in one location. There is often a supply chain involved. A supply chain consists of all of the locations and processes that are involved in a product going from being a raw material to being a device in your hand or workplace. This can include locations that build the parts, put the parts together, transport the product, or sell the product. An example of a basic supply chain is shown in Figure 2: Basic supply chain.

Figure 2: Basic supply chain

There are numerous points during the supply chain of a product where it could be compromised. For modern electronic technologies, malicious code, flawed software or hardware, or back-doors can be added in many places along the line.

Today’s technologies often involve many high-tech parts, and oftentimes, those parts can come from numerous companies in several different countries. To demonstrate this, Figure 3 shows how the components installed in a laptop computer can come from many different countries. Sometimes, domestic companies will sub-contract some of their parts and work to foreign countries. These global supply chains are so prevalent, in fact, that many times it is difficult to even know where some parts came from.

What this means for us in the cyber domain is that our computers, phones, and control systems could be infected with viruses or spying software before they even get to us. Foreign cyber espionage is a real threat.

Figure 3: Potential countries of origin of the common suppliers for various components within a commercially available computer (source: http://d3e11nsse60sj1.cloudfront.net/wpcontent/uploads/2013/04/130402-Iasiello-IT.pdf )

There are many opportunities for a computer, such as the computer shown in Figure 3, to be compromised by a supply chain threat. A hard-drive or flash memory could be made in China, where malicious code could be installed before sending it to the computer manufacturer. Someone could install code on that hard-drive or memory while it is being transported to the manufacturer. Lastly, the computer itself could have malicious software installed on it while being assembled by the manufacturer.

These are just a few places where cyber threats could be introduced into the supply chain. In addition to malicious code and viruses, suppliers could also be using substandard or counterfeit goods without knowing it. All of these things contribute to the cyber threat here in the United States.

One might think, “Why don’t we just make everything here at home so that we know it is secure?” While a well-intentioned thought, it is not logistically or financially possible in today’s global economy. The supply chains are just too big for many technologies, and we do not have the financial or industrial means here in the United States to make many of the components that go into our technologies without spending excessive amounts of money. Additionally, there has been no large commercial or political push to act on this problem.

Infrastructure: Industrial Control Systems#

An Industrial Control System (ICS) is a very general term that refers to control systems used in industry and infrastructure applications. Common places that ICSs exist are utilities, traffic lights, air traffic control, and manufacturing. A particular type of ICS is the Supervisory Control and Data Acquisition (SCADA) system. SCADA systems are used in commercial power production and distribution, and we will walk through what a SCADA system might look like. Figure 4 shows a generic SCADA system; we have broken this system into 4 levels:

Supervisory Level: This level contains the overarching control and human-machine interfaces (HMIs).
Control Level: This level is made up of devices like programmable logic controllers (PLCs) and Remote Terminal Units (RTUs) that perform lower level control, and data acquisition and aggregation.
Data Acquisition Level: This level contains sensors and actuators that actually monitor and adjust the controlled process
Controlled Process: This is the actual process that we are trying to control, to include process inputs and outputs as well as random disturbances

Figure 4 clearly shows communication between each level, but what is not shown is the connection to the internet. Most ICS systems touch the internet and may rely on it for communications. One attribute of many ICS systems is that they are distributed over large areas.

One characteristic of SCADA systems, such as the one shown in Figure 4, is that they are very distributed. For example, if the SCADA system in Figure 4 were a power grid, the control center and Field Site 1 could exist at the power plant, while Field Sites 2 and 3 could be substations located far away from the control center.

Figure 4: A typical SCADA system

Some of the processes in our above system could be automated; for example, a Programmable Logic Controller (PLC) could be used to maintain a set temperature in a coal power plant. Once the temperature is lowered to a certain level, the PLC will recognize the drop and automatically drop more coal into the burner. This is very similar to how your home thermostat works.

It is these automated processes, such as the one described above, that make ICSs, and SCADA systems in particular, extremely useful to us. Unfortunately, these processes also make them very susceptible to cyber-attacks. Given access to an ICS system, a bad actor could spy on the system, learn about it, and then manipulate the system to do what they want it to, possibly resulting in degraded performance or even physical damage.

Smart Grids#

The North American electric power grid is becoming ever more reliant on the backbone of communications systems commonly called the Smart Grid. Title XIII of the Energy Independence and Security Act of 2007 (EISA) specifies the characteristics of Smart Grid. The power grid faces a variety of evolving and expanding threats, requiring a proactive response to develop robust, resilient networks. Much of the efforts to investigate the cyber threat and cyber defenses have been hampered by an absence of standardized terminology and coordinated research efforts. To that effect, increased collaboration and interconnection between academia, national labs, and (most critically) the utility industry is required. Inherently, the power grid uses equipment and architectures that distinguish it from more traditional communications networks. This has a number of impacts.

First, the power grid has unique vulnerabilities. Almost by definition, the unique equipment in the grid provides unique opportunities for an attacker. An example would be protective relays, which are devices that are not routinely used outside of the power industry. As with any other electronic device connected to a network and running software, protective relays are vulnerable to unauthorized access and control. The unique devices and software used in protective relaying warrant specific testing for cybersecurity vulnerabilities.

While the power grid has unique vulnerabilities, it also has tools that augment its defensibility. The power grid has unique monitoring capabilities and physical characteristics that can enable improved detection and response. For example, a poorly designed false data injection attack on a bus could be easily identified if it does not solve the power flow equations. However, further research into the capabilities and limitations of SCADA devices and other power grid-specific traits is required to take full advantage of these tools.

As shown in Figure 5, the Smart Grid is a network of networks. These networks include connections between various infrastructure components. Each network is a unique security case. For example, if the Transportation network is compromised, it may be possible to vector into the power grid and cause a blackout. Care must be taken in how these networks interact. If there is a compelling need to connect two utilities, that link must be carefully designed as the interconnection of these networks may lead to vulnerabilities and additional attack vectors.

Figure 5: The Smart Grid

Consumer Electronics#

The decreasing cost and increasing capabilities of consumer electronics are leading to a proliferation of electronic devices. According to the website Statista, the number of mobile phone users in the world is near 5 billion. In many ways, these devices enrich our lives – providing convenience, entertainment, and increasing productivity. However, the increased convenience comes with a cost. For example, it is nice for Google to suggest nearby restaurants during lunchtime or to ask users to submit reviews/photos of a place they’ve visited; however, that service requires the device to continually collect data about location and users’ habits. From this data, Google could discover how often you frequent your favorite kind of restaurant. If this information is not protected, a nefarious actor could use this information to predict someone’s behavior and cause real harm.

The Internet of Things#

According to Statistica, it is expected that 50 billion devices will be part of the “Internet of Things” (IoT) by 2030. We live in a world that is very connected, and sometimes, we are more connected than we realize. Whether you are approving an iPhone app to use your location, asking Siri to tell you a joke, and letting your car send information over the internet, you are connected to the IoT. Electrical power grids, home security systems, and even washing machines can be logged into remotely.

We all understand our phones, computers, and tablets are connected to the internet, but how many people know that your car, your power meter, or your appliances could also be connected to the internet? This is the idea behind the IoT. I can arm or disarm my security system from my cell phone. This is really convenient, but this also means a savvy hacker could arm or disarm my security system as well.

Furthermore, the advent of devices such as the Amazon Echo and Google Home combine an always-on microphone with a high speed connection to cloud-based AI algorithms. Therefore, aside from the obvious hijacking of the microphone, it is not clear whether all data sent to the cloud are protected (or even how they might be protected). Have you ever been having a conversation and said something like “Hey Siri” or “Ok Google” or “Alexa”, and after some time, the device responds with “I didn’t quite understand”. In this case, what if you were having a sensitive financial or work-related discussion? Would that information still be considered “safe”?

The take-away from this short section is that all the conveniences that come with a connected world also come with risks. Cyber threats are everywhere.

Portable Electronic Devices#

Cell phones are ubiquitous, but they are vulnerable to supply chain threats. As shown in Figure 3, many devices, though designed in America, use components produced in foreign countries. As consumers, we have very little insight as to the security or authenticity of the hardware and software contained on our devices. Yet, we are storing more and more of our personal data, communications, and other information on these devices. Authorities are starting to take notice, though. The 2018 National Defense Authorization Act contained a section banning the use of Huawei cell phones and components (the #2 cell phone maker in the world) in US Government systems. This ban was based on the recommendation of the FBI, CIA, and NSA[6].

In addition to the supply chain threat, vulnerabilities such as Bluesnarfing exist. In this case, an attacker can gain unauthorized access to the device through its Bluetooth connection. Although this type of attack requires a software vulnerability, many attacks of personal devices come through connections to untrustworthy WiFi networks, which do not require software vulnerabilities. In this case, it is relatively straightforward to intercept data packets and/or gain access to the device in question. Finally, third party application stores can provide an attack path for gaining unauthorized access to a device. For example, an app may contain malware that can overlay innocuous appearing dialog boxes on top of system generated dialog boxes that can grant higher level permissions to the app. Most recently, a third party battery monitoring app contained malware that could trick users into logging into their PayPal account and automatically send $1000 to the attacker’s account[7].

What Can I Do?#

As we learn about the foundations and technology behind many of the networks and electronic devices, take a few moments every lesson to consider potential vulnerabilities. Some good questions to start with are:

If I were a bad guy, how would I gain access to this system?
What information is critical within this system?
What is the best way to protect my system/information?
Are my protection methods robust enough?
Do I have the resources to implement these protection methods?
Are there simple things I can do every day (OPSEC) that can add some small measure of protection?

Cyberspace and ECE#

Hopefully this lesson has been informative, but you may be wondering how it fits into this particular class. In short, understanding the broadness of the Cyberspace domain is crucial to your future as an officer in the world’s most technologically advanced military branch. In the very near future, much of our energy will be dedicated towards controlling Cyberspace. Just as air superiority has set the tone for our dominance of modern conflict, superiority in the Cyberspace domain will set the tone for future conflicts. Therefore, the topics of this course are carefully sequenced to expose you to some of the technical aspects of systems fundamental to the Cyberspace domain.