Instructor: Aleksi Aaltonen, Section 002

Nicholas Charles Napolitan

Lockheed Martin Develops “Intelligence Driven” Cyber Security

Lockheed Martin, the world’s largest defense contractor, has steadily been targeted with cyber attacks by malevolent parties (particularly nation-state actors from Russia, China, and North Korea) since 2003. As an enterprise that “interacts with the internet 20 billion times a day” in carrying out its roughly 8,500 programs, there is vast opportunity for attackers to exploit weaknesses in Lockheed Martin’s systems and extract classified information. In an effort to combat these threats, the company has combined its intelligence function with its ability to track big data and invested in creating its Threat Intelligence Platform (TIP) called “Palisade”: a “centralized platform” which integrates their Security Information & Event Management (SIEM) systems “to provide enterprise wide alerting capability and manage all threat
intelligence.” Palisade is aligned with Lockheed’s trademarked “Cyber Kill Chain” framework of threat analysis; this framework applies the military terminology of “kill chain” – an outline of all events from reconnaissance activities to battle damage assessments that need to take place in order to execute a mission – to the analysis of attempted cyber attacks.

Understanding that cyber attacks are constantly evolving to better breach targeted entities, Lockheed Martin reasons that the “seven distinct steps” to a cyber attack’s kill chain are an excellent way to determine patterns in attacks and mitigate future ones. This is because adversaries, while likely aware of the need to change their techniques, are unlikely to change all seven of these techniques at once simply due to time/cost constraints. What this means is that even minor elements of past attacks, such as “a scrap of code”, can be tracked and stored into a database that Palisade can then assess in terms of the Cyber Kill Chain framework. Lockheed’s intent here is for Palisade to improve its overall network defense posture, incorporate big data into cyber security (a field that is still largely reliant on human driven analysis), empower analysts with a more comprehensive view of threats using historical data, and identify and respond to threats in a proactive, rather than reactive, manner.

I find this incredibly intriguing as it is the combination of my top two professional interests: big data and intelligence analysis. This initiative certainly innovates the company’s cyber security operations, placing less of a burden on analysts and providing new tools for Lockheed’s defense teams, but I have concerns about its efficacy. What happens if the platform inappropriately raises a red flag on an interaction between internal and external actors because it matched one element of that interaction to a previous attack’s kill chain? What happens when an attack is attempted and Lockheed’s framework fails to identify that breach because of Palisade’s algorithm? Obviously the need for human-level analysis is still very much needed even with this platform, so how much business value is Lockheed Martin actually enjoying from this development? Could this platform be marketed to outside clients to transform Palisade from being a cost center to a profit center? If they could market it as a solution, what impact would it have on the project’s Net Present Value – negative or positive? There is much to consider here for the company, but this development of “Intelligence Driven” cyber security is nonetheless thought-provoking and offers new potential to organizations in protecting their information.

Supply Chain Threats to Cyber Security

Earlier today, Bloomberg came forward with a report alleging that organizations with major data breaches (including Apple, Amazon, and even U.S. government agencies) were targeted well before their machines were up and running. In the report, Bloomberg asserts that data breaches in recent history were executed using tiny chips “no bigger than a pencil point” which were installed into circuit boards during the manufacturing process. These supposed chips, which are designed to “siphon off” sensitive information, are made by U.S. based Super Micro Computer – a company who produces hardware for many U.S. entities and who has subcontractors in China. The report has since been vehemently refuted by Apple, Amazon, Super Micro Computer, and the Chinese government – all of which suggest that Bloomberg’s investigation is unfounded and without merit. However, according to Bloomberg, their report has been corroborated by “testimony from ‘six current and former national security officials’ as well as insiders at Apple and Amazon”.

Regardless of the immediate merit of the report, the allegations raise huge concerns about the state of our cyber security as consumers, professionals, and ultimately as a nation. A former NSA analyst explains the severity of supply-chain hacking, saying that detecting anomalies on networks is feasible but that “most organizations simply can’t find a malicious chip on a motherboard” and that it “undermines every security control we have in place”. Detection of hardware manipulation is extremely difficult and is “an expense that’s hard for companies to justify”. Fixing the issue after the fact, if legitimate, would cost an exorbitant amount on remediation of equipment and/or finding reliable, secure replacements; this is only after organizations “look at their whole value chain”, make appropriate changes, and “carefully monitor every step”. Such changes may adversely affect a large organization’s overall enterprise architecture, necessitating major (and unanticipated) structural changes to manufacturing locations, when/where items are shipped, how business units interact, and even how products are designed. Moving forward, it is still excruciatingly time-consuming to check for these types of breaches ahead of time and incredibly expensive to adjust system architectures to satisfy such security protocols.

The question is then raised: how does one tackle this very distinct possibility of supply chain hacking in the future (especially considering that most of the world’s computers are produced in China)? Already, the U.S. has banned the use of Chinese mobile phone brands ZTE and Huawei in government work. Should there be mandates directing large U.S. corporations to take similar steps? Should regulations be put in place that direct these corporations to routinely audit their hardware? Should specific manufacturing companies be vetted and approved by a government entity for eligibility to import into the United States? There are many potential answers to this issue, yet none of them appear to be easy or cheap to any participant in the industry.

Enterprise Resource Planning and the DoD

Business information technology is a perennially evolving field, constantly developing new solution-oriented software and finding ways to further refine business processes spanning all departments. But is it possible for these solutions to be applied to large organizations that are neither “in business” or even part of the private sector?

As private entities continue to implement IT management systems, members of the public sector are increasingly motivated to incorporate similar systems into their organizations. The U.S. Department of Defense, specifically, has taken steps in recent years to make use of such software originally intended for business use. In 2017, the Army announced its intent to simplify its many disjointed processes/systems meant to manage personnel and equipment; based on an analysis performed by Gartner, the Army came forward with a plan to reduce the number of systems in use from 800 to 400 through the consolidation of existing legacy systems into centralized Enterprise Resource Planning (ERP) systems.

SAP, the primary contractor working with the Army in the years-long transition toward the integration of ERPs, is helping to develop defense-specific systems such as the Logistics Modernization Program (LMP) and the Global Combat Support System – Army (GCCS-A) – both of which are “integrated, web-based systems” that combine a myriad of different systems into a single software. As opposed to exclusively managing business activity and processes, the LMP and GCCS-A will streamline the management of troop movement, maintenance operations, financial activity, unit supply functions, and personnel issues while simultaneously improving access to information, accuracy of reported cross-unit exchanges, and overall command visibility. In addition to these systems, the Army is also developing a solution for its Human Resource Management needs; by the program’s completion, it will be “the largest HR ERP system in the world”.

The military is certainly demonstrating that government institutions can find great value in implementing business-specific technology, and it begs the question: what other public entities can adopt similar technologies in order to streamline/simplify their operations?