Northrop Grumman has grown to a $30-billion-a-year company by designing and building some of the world’s most sophisticated war-fighting tools, be it stealth bombers, airborne surveillance systems or nuclear-powered aircraft carriers and submarines.
So it certainly draws one’s attention when the director of enterprise security and identity management at the Los Angeles-based defense and technology fixture describes a new type of war, at least here in America. It is the type of fight that cannot be won in the skies or on the sea, with B-2 Spirit bombers or Nimitz-class supercarriers.
“It’s now a digital war,” Northrop Grumman’s Keith Ward says. “It’s a paradigm shift. The main emphasis after 9/11 was protection of facilities. But are there other, electronic ways attackers can do it rather than going through the front door?”
Given his employer is Northrop, the third largest U.S. defense contractor and clearly in the business of developing combat solutions (although it does run an IT services division), his climb atop this digital security soapbox is unsurprising.
Ward has good reason to be thinking this way. He knows cyberattackers are after sensitive information and intellectual property. And the 120,000-employee Northrop regularly handles the type of data that can prove extremely valuable to the competition or, worse, foreign governments and enemy militaries.
Until now, with no reliable and trusted framework by which to communicate with the U.S. Department of Defense (DoD) or its contractor partners through email, Northrop, like others, was forced to channel its correspondence through dedicated networks or couriers, such as UPS and FedEx, a clearly inefficient, expensive and time-consuming practice.
But a recently announced, publicly available secure email standard, to protect sensitive but unclassified information, seeks to change all of that. And, depending on the momentum it builds, the new specification could have implications well beyond the defense and aerospace industries.
The framework was unveiled in January by the nonprofit Transglobal Secure Collaboration Program (TSCP), a government-industry partnership focused on developing policies and mechanisms for secure collaboration.
“There’s a lot of espionage going on with hackers that can send emails that may look like KeithWard@NorthropGrumman.com,” Ward says. “This gives us a higher level of assurance. It’s really trusting and identifying that the person who sent that to you is the right person.”
The secure email standard was the result of several years of collaboration among 10 TSCP members: DoD, U.K. Ministry of Defense (MOD), Netherlands MOD, U.K.-based BAE Systems and Rolls-Royce Group, France-based EADS, and U.S.-based Boeing, Lockheed Martin, Raytheon and Northrop.
The new architecture serves as a by-product of the Homeland Security Presidential Directive 12 (HSPD-12), which, in 2004, created a common identification standard for federal employees and contractors accessing physical facilities and computer networks. The subsequently issued Federal Information Processing Standard 201 (FIPS 201) was created to satisfy the technical requirements of HSPD-12.
Both HSPD-12 and FIPS 201 speak to creating a layer of assurance among hundreds of thousands of government workers and their partners. Similarly, the TSCP secure email guidelines seek to develop an identity assurance model between senders and recipients.
But, until now, email was flawed by identity and data transmission vulnerabilities, says Wayne Grundy, TSCP’s director, who formerly worked at BAE, a British defense and aerospace provider.
“There is no mechanism today that simply and universally lets you know you can trust individuals from other countries and other companies,” he says. “You’d think it’s a simple problem, but when you actually look into it, you realize how difficult it is [to solve].”
In fact, Grundy says, email has long been considered such a dangerous option for the government and aerospace and defense firms that unless two parties communicated over a dedicated network not connected to the public internet, policy has demanded that any communication of a sensitive nature — defined as “controlled unclassified information” — be sent through couriers. It has never been possible for that data to be exchanged via email.
“You can’t set up a dedicated network for the entire world,” Grundy says. “That’s ridiculous. So what this [standard] is trying to do is [allow you to] use the internet. You encrypt the data. That’s the trivial task. The problem is getting the U.K. MOD saying they trust that company X in India has gone through a vetting process for their employees and they’re allowed to see that data.”
For years, certificate validity has served as a major obstacle to public key infrastructure (PKI) rollouts. In the case of government-defense contractor dealings, there was no agreed-on standard for delivering encrypted email.
Experts say PKI deployment has been significantly deterred by concerns over locating and exchanging public encryption keys and certificates. Implementations of cryptography and digital certificates for intra-organization communication have proven simple enough. But attempts to communicate with partners and customers, when two-way trust is required, have turned out to be risky and costly propositions at best.
“Typically you would have to do key exchange ahead of time, which is a difficult and vulnerable process, and then implement and send the encrypted message,” says Amit Yoran, former U.S. cybersecurity chief under the current Bush administration.
“Unless you’re familiar with that organization and what their policies are for credentialing and issuing certificates and how they protect certificates… there’s a lot of trust issues that creep up if you don’t have a standard in this area,” says Yoran, who now serves as chief executive officer of NetWitness, a network-based forensics provider.
Ward agrees, saying that given today’s tumultuous threat landscape, there was just no way to guarantee the validity of an outside email.
“PKI is no mystery,” Ward says. “Many companies have it. The challenge is when you extend that and get to a more federated model, how do you trust an email that has an attachment?”
Creating the trust fabric
That is where a Herndon, Va.-based third-party named CertiPath comes in. The certificate authority, jointly owned by three IT communications firms, provides a commercial PKI bridge.
For the company’s president and chief operating officer, Jeff Nigriny, the key to the standard is that if everyone is securing email in the same way, the so-called trust fabric can be extended to anyone, including the defense industry’s hundreds of thousands of suppliers.
As already has been established, a major drawback to PKI has been locating and validating certificates. This new model creates a centralized vault, of sorts, where parties can look up certificates in real time. The architecture serves as a way to ensure that the sender’s and receiver’s identities have been vetted and can be trusted. Such a model rules out the possibility of insider malfeasance, such as a recently fired employee viewing a sensitive document.
At Northrop, employees and partners seeking clearance to participate in the standard must undergo in-person proofing, which includes providing fingerprints and submitting to a background check, Ward says. If successful, workers will receive the valid software certificate on a smart card. “We’re requiring a higher level of confidence in the asserted identity,” he says.
To launch the new standard, Nigriny says, organizations and government agencies need only point their email clients to an LDAP proxy — a software program that will crawl the “trust chains” to retrieve certificates containing public encryption keys and other data, such as attribute information for employees.
The framework likely will become widely accepted if it is flexible and easy to implement, Yoran says. But attempts at similar initiatives in the past have misfired, including the Defense Messaging System, a secure email system developed in the mid- 1990s and billed as the future messaging standard within the federal government. It never caught on due to deployment challenges, Yoran says.
“Part of the challenge with these systems is the credentialing,” he says. “Employers have a difficult enough
time credentialing their own employees. [But the standard] helps remove entire categories of problems that plague us like spear phishing, and it also will allow organizations to exchange information more freely.”
Reaping the benefits
Individuals involved with the new standard have high hopes for more widespread adoption beyond the defense departments, the major aerospace and defense contractors and their suppliers. They also foresee the framework not only becoming a government-wide standard but also making its way onto the product roadmaps of email encryption providers, as well as across verticals in corporate America — which are feeling the wrath of social engineering more than anyone.
“The financial industry is the next frontier,” Nigriny predicts, citing the well-documented impact of phishing attacks. “As much as aerospace and defense needs encryption and data confidentiality, the banking industry needs…the digital signature piece.”
Meanwhile, Paul Grant, information assurance executive for the DOD, says that over time, the framework will be used not just to authorize but also to grant access control privileges.
“The first step is to get identity federation to send signed and encrypted email,” he says. “We want to use fewer airplanes and fewer couriers to share sensitive stuff.”
Aside from gains in time and efficiency, cost is a huge driver for the new secure email specification. Ward says his company stands to see a 60 to 80 percent reduction in communication expenditures, although he would’t cite a specific figure.
And government agencies and defense contractors will be doing their part to reduce waste, a not-so-subtle side benefit in today’s environmentally focused society.
“You can only imagine,” Yoran says of the potential reduction in carbon footprint. “The government is not light on paperwork and process.”
Meanwhile, cost benefits may also lie in sidestepping costly penalties for violating International Traffic in Arms Regulations (ITAR) laws, which state that material related to defense and military technologies can only be shared with U.S. citizens, Nigriny says.
How does this apply to the new standard? Without it, there would be no way of assuring that an email was definitively delivered to an American citizen, Nigriny says. Some say this is the biggest reason for implementing the new framework, he says, given that the average ITAR fine topped $15 million last year.
Another reason to embrace the standard is the security aspect, especially as incidents of cyberwarfare against American government interests continue to make headlines.
After all, the war on terror shows no signs of stopping — making the information passing back and forth among the TSCP members more sensitive than ever before. Should the enemy get its eyes on it, well, who knows what could happen?
“I can’t speculate why it would be useful for al Qaeda to know about the specs of missiles, but I’m sure if they were clever enough, they would work out a way of shooting them down,” Grundy says.