“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
C'mon. You're the military. "It just keeps coming back?" So you decide to do a press release about it? Please.
I wouldn't have whined like that when I was de-malwareing neighbourhood PCs at age 13, I would have fixed it. If I can successfully keep malware off the PCs of middle aged parents with teenaged children, then the government capable of developing and operating fleets of unmanned military drones can certainly isolate a network and disable the USB bus.
There is definitely some high level shit going on right here. I doubt we'll know about it for many years, if ever.
If they are not smart enough to keep malware off of what should be the most secure systems around, perhaps they shouldn't be building the fricking FLYING REMOTE-CONTROL DEATH MACHINES for a while, until they can figure out the basics.
I am totally with you. If software is going to operate deadly weapons, it sure as hell better be secure.
But you are glossing over a LOT of detail here. The military doesn't work like Apple: they don't design, oversee, or directly control the construction of the hardware they use. And they shouldn't - the government is woefully inefficient at building products, that's what corporations are good at.
Here's the situation:
- The Air Force contracts General Atomics Aeronautical Systems to build UAVs. You can bet your ass the contract covers things like "protected from malware"
- General Atomics contracts out the different components of the UAV. No device worth $150M gets built by one company alone. The radar, the metal shell, the inside components, and each component of the software are all made by different companies.
- Each component is meticulously specified and rigorously tested. The maker of a component is contractually liable if they fuck up, giving them an incentive to do it slow & right. That's why it's so damn expensive.
- General Atomics puts the pieces together into the final product and delivers it to the Air Force after another round of rigorous testing.
- A team of guys in the Air Force are trained on operating the UAVs to deploy on missions.
=====================
So to say something like "Ugh, military, don't deploy UAVs if you can't keep it virus free!" is an oversimplification. These are extremely complex machines, with highly specialized embedded software, meant to deliver explodey things with extreme precision, while being operated from very far away. You can't just slap Norton on these things and call it a day.
teej, I assure you, I am under no illusion that they can "slap Norton on these things and call it a day". I am at least somewhat conversant with the realities of designing complex military systems. But if the systems really are so highly specialized, and I assume they are, that's still no excuse. At all. If they can't keep malware off them, they have no business flying them, at least for the time being. Which is all I was saying. I know it's not easy.
The systems are less specialized than we all would hope. Even with our massive budget the military is still 'forced' to use existing tech, which opens them up to situations like this.
And if you think this little press release means anything to actual national security, you have much to learn about our secret war against terrorism.
>they are just wined and dined by the contractor when they should be directly overseeing and controlling.
There are actually very strict controls on how much government personnel are allowed to accept from contractors. IIRC, the limit is something like $20-$50 per year in gifts. When contractors host large events with catered lunches, they put out bowls or some other sort of receptacle so that government personnel can pay for their lunch, otherwise it would count towards that annual limit.
Enforcement at the level of "you didn't pay for that six-inch sub and can of coke" is not really practical, but quite a few government personnel have gone to jail in recent memory for accepting more lavish gifts from contractors.
Now, if you send your lobbyists to buy expensive meals for legislators (you know, the ones who actually decide how the money gets spent) and write them big checks, that's generally perfectly legal.
But the computers controlling the Drones seem to be running some sort of Windows variant. There's no real need to control the drones directly if you can control the computer that controls the drones.
The UAV itself will have a computer running a commercial RTOS. The computer on the ground which the operator sits at and uses to interact with the UAV is almost certainly a Windows box. And as someone else said, the military's way of securing Windows machines like those has traditionally been not to hook them up to a network in the first place, instead of installing anti-virus software. That actually worked really well until portable USB devices came along. The result is that the military is only now getting up to speed on securing these types of computers; it's not that they're dumb about computers, it's that in the past they dealt with the threat operationally rather than technically.
Unless policy has changed dramatically since I was in, USB drives can be used after they have been classified, properly marked, and scanned. That being said, policy and reality are very different beasts. While deployed we had exactly 0 instances of malware/virus on our unclassified NIPRNet devices and at least 2 dozen malware/virus outbreaks on our SIPRNet machines. Usually these came about from the fact that those on SIPRNet tend to be of higher ranks and "above the rules", just like in a corporate structure. The other common offenders were MI and Signal geeks who "knew" better and assumed that their stuff couldn't possibly be infected.
I was told recently by someone working with DoD equipment that although USB flash drives were banned, certain USB hard drives were still OK. He was telling me this because it was so hilarious and alarming.
I was talking to a guy who makes "encrypted" USB drives at the NSA TCC recently. It sounded scarily hand wavy to me. I was asking, "but where is the key stored" and he tells me with a straight face, "right on the drive".
My experience with these is that you must either use your PKI certificate or a password as the key to decrypt the drive. The default configuration is generally to use the PKI certificate on the chip embedded in your ID card. Since you have to have that card in your computer to be logged in to begin with, using it to access other stuff is essentially effortless.
The hard drive has to be scanned by an administrator before you're allowed to use it (not sure what this process entails). It also has to be encrypted, and won't mount unless it is encrypted with the proper DOD-approved software.
As far as I know, SSDs are not allowed, only magnetic drives.
I'm pretty sure it won't mount that, either. The only external storage they'll mount are external hard drives that have been encrypted with their approved software.
And, have you seen all the computers necessary to carry out a drone operation? I guarantee you not all of them are running an RTOS. Probably not even all of them onboard the drone.
Military acquisitions take a long time. To give one example, I know for a fact that there are airplanes flying right now that use DEC Alphas to control their weapons systems. Those planes first came into use in the early 2000's. An older version of that plane is still in use, and will be for several more years; you don't even want to know what it's using.
Soft real-time systems aren't used for things like drones. Look at things like INTEGRITY from Green Hills for that sort of task: http://www.ghs.com/customers/bae_herti.html
It really shouldn't be so hard to put a TPM in autonomous killer robots and only let digitally signed code run. That should make it much harder for hackers.
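The comment above proposes a TPM plus signed code. The part a TPM actually contributes is measured boot: every stage hashes the next one and extends a PCR, and a verifier checks the resulting value against a known-good build. The following is an added illustration of that mechanism, not code from this thread or from any drone vendor; the boot stages, image bytes and function names are constructed, and the signature a real TPM puts on its quote is left out.

```python
"""Constructed example: measured boot with TPM-style PCR extends and a
verifier-side attestation check. Stage names and images are made up."""
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts at all zeros after reset


def measure(image: bytes) -> bytes:
    """Digest a component image, as each boot stage does before handing off."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest).

    A PCR can only be extended, never written directly, so its final value
    commits to the whole ordered sequence of measurements, not just the last.
    """
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain):
    """Run a boot chain of (stage_name, image_bytes) pairs through the PCR.

    Returns (final_pcr, event_log); the log records each stage's digest so a
    verifier can replay it.
    """
    pcr = PCR_INIT
    log = []
    for name, image in chain:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from an event log (verifier side)."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(quoted_pcr: bytes, log, golden_log):
    """Verifier: the log must replay to the quoted PCR, and the PCR must equal
    the value derived from a trusted reference build's log.

    A real TPM quote is signed by an attestation key, which is what ties the
    PCR value to that particular chip; the signature check is omitted here.
    Returns (ok, detail).
    """
    if replay_log(log) != quoted_pcr:
        return False, "event log does not replay to the quoted PCR"
    if quoted_pcr == replay_log(golden_log):
        return True, "PCR matches golden value"
    # Locate the first stage whose measurement diverges from the reference.
    for (name, digest), (_, golden_digest) in zip(log, golden_log):
        if digest != golden_digest:
            return False, f"stage {name!r} does not match reference build"
    return False, "boot chain length differs from reference build"


# Constructed reference build and a tampered variant (not real firmware).
GOLDEN_CHAIN = [
    ("firmware", b"firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("rtos", b"rtos kernel v1"),
    ("flight_app", b"flight control application v1"),
]
TAMPERED_CHAIN = GOLDEN_CHAIN[:3] + [
    ("flight_app", b"flight control application v1 + unsigned implant"),
]

_, GOLDEN_LOG = measured_boot(GOLDEN_CHAIN)


def check_platform(chain):
    """Boot the given chain and attest it against the golden log."""
    pcr, log = measured_boot(chain)
    return attest(pcr, log, GOLDEN_LOG)


if __name__ == "__main__":
    print(check_platform(GOLDEN_CHAIN))
    print(check_platform(TAMPERED_CHAIN))
```

The point the simulation makes is that a modified stage anywhere in the chain changes the final PCR, and because extends are order-dependent, swapping stages or appending one changes it too; a verifier with a golden log can therefore both reject the platform and say where it diverged.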
There are hundreds of thousands of machines and millions of removable drives. Tracking down every last instance of a piece of malware and then dealing with it is quite hard at that scale. Usually they fall back on policy ("no usb/removable drives")
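The quote that opens the thread ("we keep wiping it off, and it keeps coming back") and the comment above about tracking every instance at scale both come down to the same host-level primitive: a file-integrity baseline taken after a clean build, diffed against the live machine later. The block below is an added example of that primitive, not code from this thread or from any military system; the directory layout and file contents are constructed, and it uses only the Python standard library.

```python
"""Constructed example: file-integrity baseline and diff, the building block
for noticing when a cleaned host is re-infected. Paths and files are made up."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    make the baseline describe something other than the tree itself.
    """
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[p.relative_to(root).as_posix()] = hash_file(p)
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: Path) -> None:
    """Persist the baseline; in practice store it off the monitored host, since
    anything that can rewrite the files can also rewrite a local baseline."""
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a throwaway tree, baseline it, then simulate a file coming back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "station"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "gcs.exe").write_bytes(b"ground control software v1")
        (root / "bin" / "maps.dat").write_bytes(b"map tiles")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated re-infection: a new file appears and an existing one changes.
        (root / "bin" / "update.dll").write_bytes(b"unexpected dropped file")
        (root / "bin" / "gcs.exe").write_bytes(b"ground control software v1 + patch")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run across a fleet, the `compare` output is what turns "it keeps coming back" into a list of which paths reappeared on which hosts and when, which is the data needed to find the re-infection vector rather than wiping again.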
They're handicapped by a need AND compulsion to use contractors for everything. Actual government employees didn't build drones; they were all developed and in many cases largely maintained and even operated by private contractors, working to government requirements (which themselves are structured to make the contractors inefficient, compared to normal commercial companies). Same thing with networks.
If I'm ever in charge of a PC capable of firing guns at people, then at a bare minimum I would disable the USB bus entirely, I probably wouldn't fit a NIC either. I'd also definitely install some of that software that makes the HDD read only and transparently passes through all writes to RAM. Fuckit, if I'm the US military I'd develop such a device in hardware. Send the recorded video/telemetry data to a write-only volume.
It's not that hard.
But anyway, my point was that I don't for a second believe that they're this incompetent, there must be other factors at play.
"I would disable the USB bus entirely"
So how would you support Mice, Keyboards and Joysticks? And how long would it take you to retrofit all of the some 100K+ PCs rated "secret" or above in the Government?
It does not have a potentially unlimited budget. As was mentioned above, these are often contracted third parties who develop the systems. They put in bids on government jobs and undoubtedly have their own margins to look after. Once the job is awarded, my understanding is that you can't change the price-tag it was awarded at. (At least, not easily)
The individual contracts have limited budgets, but if there were a DoD or Government-wide instruction that all systems meet a specific security standard, all contracts would be amended (cost increased along with scope) to comply with that standard. There's very little external pressure to constrain the maximum possible IT and IT security spending within government, especially the military.
The costs of good vs. bad IT security are actually not terribly significant in the context of the overall defense budget, either.
It's really a failure of process and vision, not resource constraint. Government IT and IT security used to lead industry; now consumers especially and even enterprises are more advanced than government.
You can disable any removable device, except the drone itself, which seems to talk back to the base using [non-encrypted] regular TCP/Ethernet and is thus a very plausible vector of continuous re-infection. The problem is well known and dates back several years:
Seriously? Have you ever worked on a PCIe bus device? They are hard to design, hard to test, and in general quite expensive. You're not going to build PCIe keyboards and mice that cost 10,000x COTS. That would at the very least cost someone their political career. (And the people who are making the decisions think about it that way, whether you want them to or not.)
It's hard (in an engineering sense) at that scale, but certainly not impossible, and easier than a lot of engineering problems the world has solved. It's harder because DoD is actively being attacked, but easier because they have a near-infinite budget.
The thing which makes it hard is humans, politics, and economics -- there is a huge amount of CYA with respect to vendor choice (hence, they're a huge Microsoft/Cisco shop), lots of little fiefdoms, an "up or out" promotion policy combined with people being in leadership roles for short periods (with minimal prior background), and lack of real accountability.
The Microsoft-ness isn't enough to kill them on its own; look at the Israeli military, which is also heavily Microsoft based, and has world-class computer security.
Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7
"Microsoft thanks the following companies for working with us and for providing details of limited, targeted attacks against customers of Internet Explorer 6:
Google Inc. and MANDIANT;
Adobe;
McAfee;
French government CSIRT (CERTA)"
I think for single-purpose machines (like "control a UAV"), custom hardware makes a lot of sense, even for commercial operations. Unfortunately custom hardware usually ends up being a Windows box in a weird case, with some buttons connected over...USB.
A requirement that all components of the TCB be FIPS 140-2 level 3+ for anything which is routinely used in combat operations would please me, I think. Right now that's just for the crypto modules themselves.
I'd phone up the people who'd designed me my multimillion dollar bespoke unmanned laser-accurate weapons delivery platform, and ask them if they fancied whipping me up a quick encrypted serial protocol for a couple of extra million dollars on top.
The difference between the military and the neighborhood computers you used to assist with are the military has to deal with a plethora of entry points for viruses, and can't scrub every USB thumb drive that is at home rather than at the office. I get the feeling that you've not been doing this for 10-12 years yet. Am I right?
At the hospital my dad works at, and at all other hospitals in this area of the UK, all the machines have the USB ports disabled. All laptops issued by the local Health Authority have the USB ports/bus disabled. They had issues with worms, twice back in the early 00s, and after that all removable storage was banned.
If it's good enough for the NHS, it's good enough for uncle sam.
It seems pretty trivial to me just to string the cabling into a lockbox with the computer inside to prevent people from screwing around with your ports.
That said, I'm not in charge of physical security of anything. I'm sure the guys with missile launching computers figure anybody that can get to the secure terminal is trustworthy.
Then the general will tell you, "Y'know, the boys tell me that their job would be easier if they could listen to Pandora on this puppy. I order you to connect it to the internet. If you don't comply, I'll have you arrested."
There is definitely some high level shit going on right here.
Such as: they discovered and disabled the virus but are still sending fake info over the virus's communication channel and want the Chinese/Iran/whoever to think it is still working?
That sounds much better than a technically incompetent military with dangerous toys.
Are you so surprised? Have you worked with the military security and computer specialists? There are some good people, but there are lots of HBGary types...
The "problem" is that people want to actually get stuff done. Security vs. availability is always the conflict. Perhaps the USB is being used to bring in the latest maps, perhaps it's being used to bring in mission orders, who knows. Unless you understand the system, it's absurd to say the equivalent of a military 13 year old can fix it.