Securing the defence ecosystem in the modern battlespace

In the contemporary battlespace, cyberspace is key terrain. Today, almost all aspects of our national defence are connected, whether it’s the desktop computers managing military logistics, or military weapons and platforms – such as tanks, ships and planes.

All of these systems are connected and vulnerable to security threats. Even most “air-gapped” environments will have products or applications running on them that were once internet facing, potentially making them vulnerable to cyber threats and supply chain vulnerabilities.

Defence’s rapid adoption of force multiplier technologies – such as internet of things (IoT), artificial intelligence (AI) and 5G – has accelerated this interconnectivity and exponentially increased the cyber attack surface.

A growing array of sensors acquiring data will feed more algorithms operating at the tactical edge, where low-latency decisions will need to be made in an increasingly contested and congested communications environment.

As the volume of acquired data grows, a growing backbone of intelligent edge devices will present an increasingly attractive target to a range of cyber adversaries.

To secure Australia’s tactical advantage, Defence must be in a position where it can rapidly acquire and deliver emerging and mission critical technologies, while ensuring its cyber resilience.

However, Defence faces a number of challenges including a reliance on an increasingly complex supply chain to deliver mission-critical systems and platforms, as well as its dependency on legacy IoT devices found in many older – but also mission-critical – defence platforms.

VIEW ALL

To ensure it can defend Australia and its national interest, Defence should consider modernising its policies in the following three key actions: 

1. Update Defence procurement policies to acknowledge and manage cyber and supply chain security risks earlier in the acquisition process

Defence should review its procurement policies to increase awareness of cyber security and supply chain risks and ensure that these risks are identified and managed early in the acquisition process.

As an example, the Australian Standard for Defence Contracting (ASDEFCON) suite of tendering and contracting templates, contains very few references to “cyber security” and most references to “security” refer to either physical security controls or the security classification of data.

Defence should consider a review of key procurement policies – such as ASDEFCON – to strengthen the reference to the importance of cyber and supply chain security and resiliency. In particular, Defence procurement policies should:

1. Enquire about company ICT product integrity measures - Governments around the world are increasingly focused on identifying and mitigating risks to the information and communications technology (ICT) supply chain. In fact, efforts to disrupt or exploit supply chains have become a “principal attack vector” for adversarial nations seeking to take advantage of vulnerabilities for espionage, sabotage or other malicious activities. It is therefore critical that Defence, as part of its procurement, ask key questions of their suppliers. These could include:

1. What internal processes and oversight mechanisms does the company have in place to mitigate the risk of modification to the ICT systems during the development lifecycle?
2. Where is the hardware manufactured and how does the company ensure the security of this process?
3. How does the company ensure tamper-proof secure delivery of hardware products? 
4. Does the company undertake third-party testing to ensure that security vulnerabilities are identified earlier in the process?
5. Does the company have vulnerability remediation and disclosure practices? 
6. Does the company have executive management buy-in to the importance of secure supply chains?

The Australian Cyber Security Centre has also released some guidance on securing the supply chain that could be further integrated into defence procurement policies.

1. Create a register of company source code disclosure practices - Increasingly, we have seen instances of countries implementing new requirements – most notably mandates to review or even hold source code – as a condition to sell technology to certain parts of their market. Widespread source code disclosure, however, could actually weaken security – as source code can be leveraged to detect and exploit vulnerabilities in software used by organisations globally.

Currently, Defence has a limited view of whether companies they deal with have shared their source code with foreign governments – posing a potential security risk. Defence should amend its procurement policies to identify the companies who have shared the source code of their unique intellectual property (IP) with governments as a condition of access to certain markets. A similar approach has been taken by the United States government. 

Defence must make sure that it has adequate mechanisms to assess cyber security and supply chain risks early in the acquisition process.

At the later stages of the acquisition process, which in some cases can be years later, a cyber security or supply chain risk may be realised and Defence may be too “pot committed” to the solution of choice – forcing them either to pay significant costs to either remove the risk or attempt to manage the risk.

Strengthening references to the importance of cyber and supply chain risks in key procurement policies would support Defence to make more informed purchasing decisions and embedded risk management practices at the early stages of the acquisition process.

2. Adopt secure software supply chain practices

As the 2020 SolarWinds attack demonstrates, our adversaries have learned that traditional and non-traditional suppliers in our software supply chain are often “weak links” for cyber attacks.

The SolarWinds attack, conducted by suspected nation-state operators, involved malicious code being embedded within legitimate IT performance and statistics monitoring software.

This enabled the attacker to gain widespread, persistent access to a number of critical networks.

This attack underscored how software supply chains can present a significant risk to mission success, and that they must be well-defined, secured and monitored.

Current data sharing processes and tools are not designed to manage and identify distributed supply chain risks to Defence programs and platforms. However, there are two key security initiatives that Defence could adopt to significantly improve its security posture and speed up delivery of capability:

• DevSecOps - DevSecOps integrates security into all stages of the software delivery process. This ensures that developers think about security when they write code, that software is tested for security problems before it is deployed, and that the project teams have plans for addressing the security issues quickly if they appear after deployment. The security value of DevSecOps is realised when security is continuously “shifted left” and integrated throughout the fabric of the software artifacts from day one.
• Zero Trust - Securing the modern software supply chain through the full lifecycle of an application is a complex undertaking, and that complexity cannot be sufficiently addressed with legacy security tool sets and approaches, such as bolt-on security and perimeter-focused defences. Zero trust is a security model developed specifically to address the security of sensitive data and critical applications. Zero trust remedies the deficiencies of perimeter-centric strategies and the legacy devices and technologies used to implement them.

The security posture and integrity of the software supply chain in an agile environment will benefit greatly by the adoption of a mature DevSecOps practice and tool sets and the adoption of a zero-trust philosophy.

Security capability should always be “baked in” rather than “bolted on” and should be focused on securing data and services wherever they are rather than an ever-expanding perimeter. 

3. Promote network-level IoT security at scale

Defence, like many other sectors, has numerous already-deployed (legacy) IoT devices that cannot be retrospectively secured or designed for security.

Some of these devices are continuously operating, mission-critical devices that may receive security updates infrequently as they cannot have downtime. On top of this, IoT device manufacturers – particularly those contracting to defence – face threats to their supply chains which can see weaknesses inserted into devices via a manufacturer’s supply chain that might not be visible when the device is shipped.

Given the dynamic nature of IoT and the environment in which devices are deployed, it is critical that Defence adopt policies that go beyond embedded device security and have the capability to dynamically secure the entire network, extending from deployed IoT devices to corporate settings, in real time and at any time.

Networks can and should be a priority detection and enforcement point for IoT security, and technologies exist today, grounded in machine learning, which are appropriate to realise this goal.

As the speed of warfare increases and as emerging technologies further underpin the warfighter's capabilities, the requirement to evolve both rapidly and securely will be key to maintaining a capability edge.

Securing defence networks and platforms is increasingly challenging, as a range of adversaries seek to exploit vulnerabilities across cyber security and the supply chain.

Defence must keep pace with technology and acknowledge the threat landscape – encouraging the adoption of best practices to create resilient platforms and networks. In future operations, securing the infrastructure, systems, and data that underpin military decision-making and power projection will be key. 

Sarah Sloan is the head of government affairs and public policy, ANZ at Palo Alto Networks.