Navy Adm. Michael S. Rogers recently testified before the House Armed Services Committee on cyber operations and improving the military’s cybersecurity posture.
Rogers, who serves as U.S. CyberCom chief, confirmed that the global movement of threat activity in cyberspace has effectively blurred roles and relationships among government agencies – as well as between the public and private sectors and the real and virtual worlds.
“There is no Department of Defense solution to our cyber-security dilemmas,” Roger acknowledged.
“The global movement of threat activity in and through cyberspace blurs the U.S. government’s traditional understanding of how to address domestic and foreign military, criminal and intelligence activities.”
Rogers also confirmed that the U.S. government, the states and the private sector are incapable of defending their information systems – on their own – against the most powerful cyber forces.
“The nation’s government and critical infrastructure networks are at risk as well and we are finding that computer security is really an enterprise-wide project,” he continued.
“We in the U.S. government and DoD must continue learning and developing new skills and techniques … [and] the nation must continue to commit time, effort and resources to building cyber military capabilities.”
Indeed, said Rogers, the DoD finds cyberspace to be more than a challenging environment.
“It is now part of virtually everything we in the U.S. military do in all domains of the battle space and each of our lines of effort,” he added. “There is hardly any meaningful distinction to be made now between events in cyberspace and events in the physical world, as they are so tightly linked.”
Michael Mehlberg, Senior Director of Business Development for Government Solutions at the Cryptography Research division of Rambus concurred with Rogers’ stark assessment during a recent interview in Sunnyvale.
“The threat landscape is quite bleak right now. While there may be some light at the end of the proverbial tunnel, the situation will only grow worse unless the government and private sector increase their collaboration to protect critical SCADA-based infrastructure such as electrical power plants and pumping stations. Those are obvious targets with obvious consequences that we have previously discussed in detail, ” he told Rambus Press.
“However, another complex battle is being waged simultaneously, with cyber attackers targeting vital intellectual property (IP) and classified military data on a daily basis. This digital offensive is massive and far more nefarious than a few isolated forays that stray past our digital perimeter. If continued unchecked, these attacks have the potential to seriously erode our nation’s technological edge.”
Developers and systems integrators, says Mehlberg, must therefore step up their efforts to protect sensitive equipment against unauthorized access.
“No single countermeasure is capable of securing a system against all threats. However, equipment that uses cryptography to protect the collection, storage and transmission of sensitive data should be able to resist various forms of side-channel attacks, including Simple Power Analysis (SPA) and Differential Power Analysis (DPA),” he explained. “These powerful, non-invasive attacks can be quietly exploited by hostile elements to allow the unauthorized extraction of secret cryptographic keys, potentially revealing classified or sensitive data.”
As Mehlberg points out, the most effective approach to securing critical systems is to start at the silicon core. This paradigm ensures the processing components for critical civilian and military systems are immune to hostile eavesdropping from the moment they roll off the production line.
“Properly securing data from the threats of tampering, reverse engineering and cryptanalysis requires that security be designed into the equipment itself,” Mehlberg added.
It should be noted that Rambus offers both AES-128 and AES-256 cryptographic cores, both of which are fully capable of resisting both first– and second– order DPA attacks up to 10 million traces. The cores can also be optimized based on size, speed and security level requirements.