Jumping the fence
For cybersecurity tech, a short leap between military and commercial use
The military had an IT problem that was making missions more dangerous. The solution came from the cubicles of corporate America.
Combat troops were relying on social media to check in with family and see what was happening back home. But even one innocent post – think "I'll be away for a few days" or "Look at these cool rocks I found" – could tell an enemy when and where a mission was about to happen. There had to be some way to give troops what they wanted without jeopardizing their safety.
There was. And it came in the form of URL-blocking software – the same programs that companies rely on to keep employees from using inappropriate websites at work. With a few military modifications, the software made it so that once troops got a mission briefing, they could still see social media – they just couldn't post.
"They were still able to check up on grandma after her surgery. They still had all that family visibility, but it closed the specific avenue of potential leaks," said Bob Hansmann, director of security technologies at Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. "The military demand was one of the primary drivers of that change."
The evolution of the software, part of a much-expanded system called Forcepoint Web Security, illustrates how businesses and military agencies have similar needs when it comes to cybersecurity, especially in an era when both are battling attacks from spies, organized crime rings and other bad actors. It also shows how seamlessly technology can bounce back and forth between the two sectors – and how companies like Raytheon, which has extensive experience in both, offer a distinct advantage in providing what is now known as "defense-grade cybersecurity."
"It’s the epitome of how government and commerce can produce something better together than they can on their own," Hansmann said. "They have a lot of similar needs. It’s not that the needs are different – it’s the nuances."
divide or be conquered
When hackers targeted Target in 2013, they didn't go straight for the retailer's cash registers and card readers. Instead, they infiltrated the company's computer networks by stealing the credentials of a heating and air conditioning contractor. Once inside, they found their way to the credit-card data of about 40 million customers.
One way to thwart that kind of attack is a military-style strategy known as "cross-domain protection," which rests on the idea that one computer network communicating with another puts both at risk – along with anything else that's connected to either one.
In the military, cross-domain protection means making sure a breach of a ship’s fire-detection system, for example, doesn’t also allow hackers to drop anchor, crank up the heat in the sleeping quarters or launch weapons. In the commercial world, it means protecting a power company’s computer infrastructure so that a breach of the online outage-reporting system doesn’t also allow hackers to shut down a substation.
"What cross-domain brings is this concept of understanding which systems need to communicate with other systems, and helping to compartmentalize them," said Michael K. Daly, chief technology officer at Raytheon Cybersecurity and Special Missions. "In the military context, this idea of separation is a very strong concept. In the commercial sector, most folks do not apply that level of rigor, and instead have their financial systems, their engineering environment, everything, on one big network without firewalls or controls."
A welcome invasion
Preventing intrusions is a big part of cybersecurity. But in some cases, a break-in is exactly what a military commander or a corporate CEO wants.
Take the case of a major manufacturer that wanted to harden its network, or make it more resilient to attack. To do that, it hired a team of Raytheon cybersecurity experts, including some with experience on military systems, to break into the network, do what attackers would do, then report back on how to fix the security flaws.
"Red teaming," also known as penetration testing, is one way Raytheon's cyber experts help protect businesses and government agencies; others include virtual security operations centers, where automated technology roots out common, low-level risks in a network while human analysts focus on more sophisticated threats. Raytheon even manages the cyber protection of the North American Aerospace Defense Command, or NORAD.
A few weeks after the manufacturer had Raytheon hack its systems, the client noticed some odd activity on its network and assumed it was the red team running another test. Only it wasn’t. This time, the hack was for real, and the company learned the hard way that it had been too slow to adopt the team's recommendations.
That tale is typical in modern business, said Joshua Douglas, chief strategy officer for Raytheon's managed security services business, a consultant for many commercial companies. He said his red teams have 100 percent success breaking into a client’s network on the first try. And on the second try. By the third, he said, they’re still getting in half the time.
"That’s a pretty alarming figure," he said. "It just tells me they’re going with out-of-the-box solutions, and not formulating that holistic approach."
By contrast, he said, a military mindset assumes that if hackers can find one way in, they will find others as well. To that end, a Raytheon team of cybersecurity experts has even built an artificially intelligent "bot" that acts like an immune system for computers, finding flaws and patching them, rather than requiring a human coder to do so manually.
Commercial companies would be wise to start thinking that way, as they’re often attacked by the same groups that are going after high-value government targets.
"This is an actual area of warfare that extends past one element or domain," Douglas said. "It means putting a holistic plan in place, with an understanding that you may end up losing a battle but you will win the war."
It started as a way for parents to watch what their kids did online, but today, it's one of the most important tools in a cybersecurity professional's collection.
"Insider threat" technology monitors and analyzes what a person does at a computer, seeking to prevent attacks by flagging any unusual or unauthorized activity. The earliest versions came from the consumer world, Hansmann said, with software for parents to monitor their children’s Internet use. While companies at first were reluctant to adopt those systems, government agencies including the military were not, he said.
"They wanted to find out who the bad eggs were," Hansmann said. "These tools were to find the ones who were actually doing harm."
Private companies warmed to the technology eventually, Hansmann said, and in particular have used it to lessen the blame on employees who caused cybersecurity breaches through good-faith mistakes.
"The value here is that, in the commercial sector, everything comes down to intent," Hansmann said.
A key element of insider-threat detection is called behavioral analytics, or using data to assess the risk of something an employee is doing with a computer or mobile device on a company network. For example, if an employee makes repeated attempts to access restricted information, or logs on outside normal working hours, IT security would get an alert and follow-up.
"Insider threat is about watching the behaviors to see if they’re in line with the behavior that should be expected of a person conducting that role,” Daly said. “Not just a generic person, but a specific person – what time they come to work, when they leave, whether they use USB sticks. Is that part of their regular routine?"
Modern insider-threat systems use automation and machine learning to spot unusual behavior in a network, Daly said; the system will observe a human analyst monitoring a sample of the network, then will go patrol the rest – doing the work much faster and freeing the human analyst to determine what users were trying to do.
That human element is crucial to any good cybersecurity system, Hansmann said. By thinking about what people needed – like far-flung troops who wanted to check in on family over Facebook – the military helped improve the all-or-nothing website blockers that were causing complaints in corporate offices everywhere.
That progression is common in cybersecurity technology, Hansmann said.
"These things jump the fence both ways. They go back and forth quite a bit," Hansmann said. "These sides, they both feed each other. And that’s the sweet spot."