Iranian President Mahmoud Ahmadinejad visits the Natanz uranium enrichment facilities, where a “closed” computer network was infected by malware introduced via a small flash drive. (AFP)
Iran’s uranium enrichment facility at Natanz may have had one of the most secure computer systems in the world. The building housing the nuclear program’s equipment is underground, protected by a combination of concrete walls, earth and military guards.
And it was a “closed” network, sealed off from the Internet and unsusceptible to vulnerabilities in the system’s Windows-based software.
All those precautions, however, didn’t stop the Stuxnet worm from infecting the system, disrupting the delicate balance of uranium-enriching centrifuges and rendering them useless. Stuxnet, part of a broader U.S./Israeli cyberwarfare campaign against Iran’s nuclear program called “Olympic Games,” was carried in on a small flash drive. Someone, either a spy or an unwitting accomplice, plugged it into a USB port on a computer inside the complex and let loose into the “secure” Iranian system the most devastating cyber weapon ever known.
Without smuggling that cyber weapon physically into the plant, the operation never would have worked, which underscores the problem: No matter how high-tech the cyber tool, the glaring weak link has been the ability to reach out and touch a system. A breach of physical security was required, either secretly getting hold of an employee’s thumb drive and infecting it, or working with someone on the inside to covertly plug the device into the network.
With thumb drives now a known vulnerability, most countries have banned their use on sensitive systems. Iran forbade them at Natanz shortly after the Stuxnet worm began to work its magic; the Pentagon banned their use in 2008.
It was right around that time that scientists began to turn their attention to another project: trying to access these protected networks remotely, through the air, by reading activity via electromagnetic field distortions and inserting code via radio frequencies. Accessing these networks — networks that don’t have wireless routers and aren’t connected to the Internet — became something of a holy grail, dubbed “jumping the gap.”
The science has progressed significantly, and now the Army is looking at demonstrating technology that can be deployed on aircraft and ground vehicles that can wage this kind of cyber warfare.
The Army’s Intelligence and Information Warfare Directorate, known as I2WD, hosted a classified planning day Nov. 28. Representatives from 60 companies and labs attended to discuss what can be done in the realm of electronic warfare and cyber, according to a source familiar with the program.
The roughly half-dozen objectives of the Tactical Electromagnetic Cyber Warfare Demonstrator program are classified. (The TECWD program is pronounced “techwood” by participants.) The source said the program is designed to demonstrate ready-made systems, dubbed “boxes,” that can perform a variety of tasks. Some are somewhat typical fare, like systems aimed at the improvised explosive device threat.
But among the objectives are these: inserting data into and extracting data from sealed, wired networks. The possibilities are remarkable. Imagine being able to roll a vehicle near a facility, sit for a short period while inserting a worm, and leave without having to buy off any employee or sneak anything past an attentive guard. Better yet, a stealthy unmanned aerial vehicle could be quietly flown far above a facility to insert code even in contested airspace. With that kind of tactical deployment, cyber could become a critical part of a wide variety of operations, as localized effects could be integrated with kinetic activities.
The Army program is designed specifically to test capabilities for air and ground platforms, according to an invitation to an information day on the program released by I2WD.
“The TECWD demonstration effort will serve as a technology demonstrator for offensive electronic attack, defensive electronic attack, electronic protection, and electronic support, and EW enabled cyber on ground and air platforms,” the invitation read. “TECWD will help the Army assess technologies and capabilities for potential applicability in the Army’s next generation EW and beyond.”
The program, which will consist of a series of demonstrations roughly every three months for the next two years, will test a variety of electronic warfare, or EW, capabilities, said Moses Mingle, branch chief of the EW systems ground branch at I2WD.
“It’s not a system; it’s a demonstration platform,” Mingle said. “Basically, we’re vetting systems concepts: tactical EW cyber scenarios that could be deployed in the future.”
Asked if one of the objectives is to demonstrate a system that could jump the gap and access systems remotely, Mingle declined to go into detail, citing classification issues, but said, “That’s a part of it, but not all of it.”
U.S. intelligence agencies began to worry about distortions to the electromagnetic fields around computer systems, and the potential that they would provide unique signatures that could tip off network activity, in the 1980s. The principle behind it is based on simple physics. Electronics in even a closed network emit an electromagnetic signal, however faint and accidental.
So at the time, a series of research efforts was undertaken to study these distortions, known as compromising emanations, under the code name “Tempest.” Could these emanations be exploited in any reliable way? Researchers found that keystrokes could be detected from signals sent from keyboards to computer units, as well as information on a monitor. The ability to detect these disturbances has become increasingly sophisticated, with systems able to pick out signals from greater distances with greater clarity.
More recently, scientists have been paying special attention to the inverse of reading these emanations: insertion of data using radio frequencies. Again, in theory, since a wire can act as an antenna, an electromagnetic signal can be engineered and potentially transmitted to that wire.
The precision required is tremendous. Popular culture has introduced much of the world to the concept of the electromagnetic pulse, as featured in the George Clooney movie “Ocean’s Eleven.” (Don Cheadle’s character, quite implausibly, fries the electrical grid of Las Vegas.) The pulses are typically created by extraordinarily large systems supported by tremendous supplies of energy or as a side effect of nuclear detonations. They work as blunt-force instruments, frying a system and rendering the electronics useless.
The TECWD challenge would be a technique that would transmit not a destructive pulse but a signal finessed to a specific network. It’s more scalpel than sledgehammer.
The technology does exist, but the ability to add data still has limitations, mainly proximity and bandwidth, experts said. The “transmission” system has to get quite close to the targeted network. And at current levels, complex data can take extended periods to insert. Experts declined to provide full specifics on data transfer rates and range for data insertion using radio frequencies, citing the classified status of the capabilities and national security issues.
The actual power usage is far less than you’d expect: One expert said systems as small as man-packable radios could serve as the forward entry point for these types of cyber penetrations.
The recognition that electronic warfare methods can be critical for future cyber applications is clearly making its way up the leadership chain.
At a recent event at the Naval Surface Warfare Center’s Crane Division in Crane, Ind., Adm. Jon Greenert, chief of naval operations, made the case.
“We have to understand better the electromagnetic spectrum,” he said. “Cyber, our radar and communication, everything. If you control the electromagnetic spectrum, you control the fight.”
The cryptic remarks reflect the classified nature of nearly everything in the cyber realm, particularly with regard to offensive cyber EW capabilities.
But the possibilities are being explored as the U.S. military increasingly recognizes the potential of cyber weapons in operations.
The actual technology that allows for the insertion of data — transmitting cyber into a closed system — isn’t novel, said retired Air Force Maj. Gen. Dale Meyerrose, former associate director of national intelligence.
“This is old technology,” he said. “The technology itself isn’t new, but the application of the technology is new, and the software running the technology on some of these devices is new.”
Meyerrose, who runs the Meyerrose Group, said connecting to closed networks using radio frequencies is about five years old, but some of the complications of cyber, including legal authority, have slowed progress. “This could be used to drop a Trojan into a system,” he said. “Like everything else in cyber, there are not a lot of legal parameters. Like everything else in cyber, our legal system is about 20 years behind.”
But if the legal questions and technical limitations are worked out, a new era of integrated cyberwarfare may be dawning.
This story appears in the January-February issue of C4ISR Journal.