Security Aspects and Concerns of Sandia National Laboratory
In today’s cyber world, individuals, organizations and even entire governments are exposed to security threats not only from internal attackers and resources but also from unknown external sources. These attackers may not even be located in the same country as their target. Threats and attacks may not come from a human entity at all; in fact, the owner of a resource performing the direct activity may not even be aware that it is part of the operation. This creates a complex environment in which one must protect oneself from various angles and participate in elaborate methodologies of countermeasures, detection schemes and, finally, non-uniform legal controls.
This paper examines the Sandia National Laboratory (SNL) and its roles, constraints, and challenges associated with many aspects of cyber security and cyber attacks. One of the aspects which will be highlighted in this paper is policy issues related to “attribution” during and after cyber crime attacks.
Organization Description and Mission
SNL, with two primary locations in Albuquerque, New Mexico and Livermore, California, has been providing science-based technologies in support of national security since 1949. “Our highest goal is to become the laboratory that the United States turns to first for innovative, science-based systems engineering solutions to our nation’s most challenging national security problems that threaten peace and freedom for our nation and the globe” (Sandia Corp., 2011). Though SNL supports numerous research and development projects, they focus on five key areas: Nuclear Weapons, Energy and Infrastructure Assurance, Nonproliferation, Defense Systems and Assessments, and Homeland Security and Defense.
SNL originally focused primarily on ordnance, helping to turn the nuclear physics developed by Los Alamos into deployable weapons. This led to their first official role: maintaining a safe and secure facility as the stewards of our nuclear stockpiles. Over the past decades, their nuclear mission grew into areas where they now support weapon and surveillance technologies, new methods to safeguard nuclear production, evaluation of the nuclear arsenal for safety and reliability, and how all of these technologies can better protect our nation’s defenses.
The next area that they started to grow into is nonproliferation, which serves to combat proliferation and terrorism threats. As the threat of nuclear and biological terrorism has increased, the need for newer techniques and technologies to find these growing threats and to help reduce the impact of, and need for, these weapons has become more relevant. Working with the nuclear program branch, the nonproliferation project works with the government to offer protection as well as better ways of detecting this type of terrorism.
As data accumulated in the overarching aspects of the previous programs, SNL utilized those areas and became a leader in defense systems and assessments. The defensive systems for which they have become known include synthetic aperture radars, space-based infrared sensors, and nuclear detonation detection. Helping to protect the nation’s critical security also allowed them not just to develop defense systems or nuclear programs but also to evolve various science and engineering technologies. These contributions have helped to mold areas of bioscience, microsystems, and pulsed power electronics and bettered the communities that they support.
The final piece that they contribute to the defense of the nation is in its Homeland Security. Though this area has numerous parts, they primarily focus on the physical defense of installations and how potential threats would perceive these defensive measures and attempt to counter attack us. This area of SNL is the most important when considering cyber security and dealing with the innumerable attacks on their infrastructure that occur annually.
One of their major contributions is from the program referred to as Information Design Assurance Red Team (IDART). Red Team operations can play a vital role in verifying security aspects of a company’s physical and technological infrastructure. “IDART, part of the Information Systems Analysis Center at SNL, continues to perform leading edge assessments to help its customers acquire an independent, objective view of their weaknesses from a range of adversaries’ perspectives.” [CITATION IDART11] SNL uses a lifecycle methodology to generate specific advisory reports which define aspects that attackers might use to thwart security measures (see Figure 1).
Figure 1- The IDART Methodology (Sandia Corp., 2009)
“Adversary models include a spectrum of outsider and insider threats characterized by both measurable capabilities, such as knowledge, access, and resources as well as intangibles such as risk tolerance and motivation” (Sandia Corp., 2009). SNL Red Team has played a critical role in the development of numerous other branches of teams located within civilian, government, and military organizations. Because of this they have been able to develop and evolve that methodology and support all these various teams in order to create a more collaborative environment that leads to an overall more secure system of physical and network infrastructures.
The nature and sensitivity of the work performed at SNL makes the site a target for a myriad of foreign and domestic threats. Among the many functions performed by SNL, none ranks higher than their primary mission of “ensuring the U.S. nuclear arsenal is safe, secure, reliable, and can fully support our Nation’s deterrence policy” (Sandia Corp, 2011). Despite the relatively unique and highly sensitive mission of SNL, many of the threats posed against the organization are common to most organizations. The element of impact is what sets the organization apart from most, in that a successful security incident, cyber attack or cyber crime against SNL by an adversary could prove catastrophic not only to the company, but to public safety and morale. In order to properly secure the potential targets of an attack, the organization must identify the threats posed against those targets (Rich et al., 2005). In terms of physical and cyber security, there is a significant amount of information and best practices openly available which, when coupled with regulatory guidelines and legislation, provide a framework that an organization can use to secure an operating environment. The degree to which an environment can be secured will vary depending on available resources and the level of importance given to security among the organization’s other priorities. Despite an organization’s best intentions and adequate planning, there are threats that will remain wildcards. The threat posed by the trusted insider, or the Insider Threat, is essentially an unknown variable which, according to Brenner, inflicts more damage to an organization than an external threat (as cited in UMUC, 2010, p. 3).
The importance of, and emphasis on, physical security at SNL and other nuclear facilities can be appreciated by those with even a basic understanding of nuclear power and weapons. The physical security needs for a nuclear facility such as SNL are based on the analysis of threat assessments and a design for physical safeguards based on the attributes and characteristics of adversaries and other potential threats (IAEA, 2010). Unfortunately, the intertwining realms of cyber security and cyber crime are still subjects whose full understanding can elude even the devoutly security conscious, due in part to the relative ambiguity of the threats (Shaw, Ruby, Post, 1998). The typical security strategy relies on a defense-in-depth methodology in which layers of security safeguards, including physical, work in concert such that a failure or compromise at one layer does not constitute a catastrophic lapse in security for the environment (as cited in Vacca, 2009, p. 233). A defense-in-depth strategy is predicated upon an assumption that something or someone is attempting to make their way into some physical or logical space that they are not authorized to be in. For a majority of the cyber security threats, this assumption is sound, and therefore the strategies for defending against those threats, although not infallible, are well documented. The insider threats, however, present additional challenges as the level of research into vulnerable insiders is disproportionate to that of technological threats (Shaw, Ruby, Post, 1998, p. 2). The insider threats to SNL could include employee theft, violence in the workplace, and theft of intellectual property (UMUC, 2010, p. 3), and present great potential risk to the organization.
As a revenue-based corporation, and trusted agent of the federal government, an incident of violence or theft from an internal threat could prove catastrophic to the company through loss of trust and customers, and could create a level of concern or panic in the general public depending on the severity of the incident.
In a society that depends on technology and cyber space for much of our functionality, the operations of an organization like SNL must account for the same dependency. From the development and integration of updates to classified weapons systems to the corporate office automation systems, SNL systems are an integral part of their operations (Sandia Corp., 2011). This same dependency, however, presents additional challenges to detecting and protecting against cyber crimes such as theft or destruction of intellectual and otherwise sensitive data. According to SNL’s own research, the nature of the insider threat is such that insiders will be more discreet than an external threat, as they have more to lose and will therefore be more wary of being caught than an anonymous outsider (Duran, Conrad, Conrad, Duggan & Held, 2009). Aside from a blatant act of violence by an employee that might be more easily attributable, a crime of theft of intellectual property can elude detection and monitoring capabilities, especially when executed under the guise of routine business. The insider seeking to steal data from SNL is not likely to attempt the removal of large amounts of hardcopy documents in a single instance by carting them out the back door. What is more likely, studies have shown, is that an insider will print small quantities of documents during regular working hours and remove them from the facility over long periods of time (Giani, Berk, Cybenko, 2006). With the prevalence of technology in the workplace, the likelihood of theft and other cyber crimes has increased, as an insider is able to remove large amounts of data via thumb drives or other media storage devices such as mp3 players with relative ease.
Liability and Regulation
With the efficiencies brought about by the Internet, and technology made possible through computer software and hardware, has come risk. There are now risks of unwanted and illegal access to or use of information. These risks have created liability issues for companies. Companies and customers alike can view liability from the same perspective – by determining what assets of theirs are at risk due to transmitting and receiving information via the Internet, how they are at risk, and what could happen if they are stolen (Bidgoli, 2006).
As is known, “SNL’s mission is to meet national needs in five key areas: nuclear weapons, non-proliferation and assessments, military technologies and applications, energy and infrastructure assurance, and homeland security. As a government contractor for the U.S. Department of Energy’s National Nuclear Security Administration, Lockheed Martin operates SNL” (Sandia Corp., 1997-2011). Therefore, Lockheed Martin company data, secrets of the industries that they have or use in their operations, internal operating procedures, and employee names and personal information could all be considered assets from a cybersecurity standpoint. At SNL, there is liability for private industry (the government contractor as well as sub-contractors) and for a federal government Department and Agency.
In 2003, SNL was a victim of a cyber attack, allegedly from China and since dubbed “Titan Rain”, in which sensitive software programming data was stolen. This information could be potentially damaging to the U.S. as it could have pertained to nuclear weaponry in some way, which would make SNL seriously liable for damages if any were caused due to enemy knowledge and use of the information. As an example of such a situation, after the World Trade Center bombing, the New York Supreme Court upheld a court decision that found the Port Authority of New York and New Jersey liable for the bombing. “The court’s reasoning: The Port Authority was aware of the threat and did not take reasonable steps to mitigate it” (Heritage Foundation, 2009). Such lawsuits have now caused many companies to be very hesitant to “research, develop, and market anti-terrorism technologies” because of risk of liability and “potentially devastating jury verdicts” (Heritage Foundation, 2009).
Fortunately, to help the nation’s businesses continue to fight terrorism, Congress passed the “Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act”, also known as ‘Subtitle G’ of The Homeland Security Act of 2002. The SAFETY Act is a program provided by the Department of Homeland Security, and it gives companies legal liability protection for their “Qualified Anti-Terrorism Technologies”, which can be either products or services (DHS, n.d.). Lockheed Martin has designed many systems and had them certified. Two of the systems that would be applicable to SNL’s work are the “Risk Assessment Platform (RAP)” and the “Systems Engineering and Integration Services (SEIS) for the Fixed and Mobile Defender™ Systems”. RAP “includes hardware, software and services for implementing a system that captures and manages information for identifying potential terrorist threats. Its analytical processes assess the terrorist risk relating to processes, events, people, or other entities in near real-time. The Defender™ systems are designed to detect the presence of chemical, biological, radiological/nuclear, and explosive (CBRNE) threats and warn appropriate personnel” (DHS, n.d.).
Since SNL manages different departments and trades, it must comply with Federal and State operational regulations with respect to cybersecurity compliance. As a government contractor, it is also bound by contractual obligations.
There are also laws to help protect SNL and others against cybercrime. The Federal Computer Fraud and Abuse Statute, 18 U.S.C. 1030, protects computers connected to the Internet from hackers (Congressional Research Service, 2010). Penalties stipulated in 18 U.S.C. 1030 range from “imprisonment for not more than a year for simple cyberspace trespassing to a maximum of life imprisonment when death results from intentional computer damage” (Congressional Research Service, 2010).
Policy and Attribution
In the continuously evolving digital era, the security of information systems (cyber security) is a topic that is increasingly demanding the time, fiscal resources, and collaborative intelligence of nations across the globe. Largely, malicious hackers honing their ability to exploit vulnerabilities associated with the hardware, software, and human components of these systems can be credited for cyber security’s enhanced notoriety. The logic behind the widespread participation in the hacking community is that this is one of very few crimes that can be blatantly committed without the guarantee of consequences.
Attribution, which Hunker et al. (2008) define as the act or process of “determining the identity or location of an [cyber] attacker or an attacker’s intermediary”, can be an extremely difficult and time-consuming task that often yields little result because of spoofed IP addresses and botnets. In addition to the technical difficulty associated with cyber attribution, and the inherent evasiveness of malicious hackers, there are also legal or policy aspects that pose further complexity. One of the more dominant aspects is privacy. Hunker et al. (2008) note that privacy (or inherent anonymity) is not only expected by web users, but, along with many political and social freedoms, it is protected by rights in various free countries, making it necessary to find an acceptable balance between privacy and attribution. Certain bodies of law already contain statutes that either directly address or can be applied to a small portion of cyber matters. However, some of these policies can hinder the full capability of attribution technologies and practices. For example, the Intelligence Reform and Terrorism Act of 2004 (IRTPA) states the duties of the Civil Liberties Protection Officer are as follows:
“ensure that the protection of civil liberties and privacy is appropriately incorporated in the policies and procedures developed for and implemented by the Office of the Director of National Intelligence and the elements of the intelligence community within the National Intelligence Program” (IRTPA, 2004).
Words like “appropriately” and the lack of overall clarity in this statute make it difficult to determine the full requirements of the policy as well as difficult to enforce. The same act goes on to state the mission of DHS (Department of Homeland Security) as follows:
“ensure that the civil rights and civil liberties of persons are not diminished by efforts, activities, and programs aimed at securing the homeland.” (IRTPA, 2004)
While the protection of rights and liberties such as privacy is certainly important, the full capabilities of attribution are hindered by the necessity of compliance.
As policies continue to develop to address the issue of cyber security, liability will also have to be considered. For instance, will the vendors that make exploitable software or owners of zombie computers used in an attack be free of all liability in an attack? Moreover, because attribution can involve forensic analysis, evidence preservation can also influence the development of policies (Hunker et al., 2008). Determining the identity or location of an attack may surface the need to tamper with evidence. Policies will therefore need to dictate which contexts or sought end results are acceptable reasons for attribution, as well as the extent of allowable tampering in those instances (Hunker et al., 2008).
Perhaps the most difficult aspect of all policy matters pertaining to attribution involves the lack of international coalescence. Because cyber attacks often cross various jurisdictional boundaries, some of which may involve warring or competing countries, the cooperation necessary to overcome differences in policy can be very difficult to achieve. Even when attacks only involve a single nation like the U.S., differences between policies that govern the public and private sector can nonetheless pose difficulty in that there will be discrepancies in obligation, roles, and incentives for cooperation (Hunker et al., 2008).
SNL, whose business solutions tie into national security and critical infrastructure, is an agency that cannot afford to be compromised, much less compromised without being able to trace a given attack back to the culprit(s). With nuclear weapons being part of SNL’s output, and malware as sophisticated as Stuxnet (which was used to target an Iranian nuclear plant) heightening the level of known threats, SNL certainly needs to be able to apply every available attribution technique and technology in the event of a compromise. The 6th title of The Intelligence Reform and Terrorism Act of 2004 states that DHS’s mission is to “reduce terrorist attacks within the United States” and “reduce the vulnerability of the United States to terrorism”. SNL’s involvement in Homeland security makes it equally responsible for prevention of terrorism. In short, compliance with policies that protect privacy and other rights is certainly important; but as policies are further composed and developed to address continuously evolving threats, some thought should be given to the exceptions that will be necessary to maintain national security and critical infrastructure.
In conclusion, we find that SNL has a long history of providing services of a sensitive and critical nature which contribute to the security and well-being of our nation. Their mission critical objectives depend on careful and methodical processes used in the collection and analysis of data used in formulating many key infrastructure and defense mechanisms used by our nation. The protection of the data itself is paramount in both allowing SNL to achieve its mission and ensuring the security of vital and classified intelligence information. Threats to SNL are far reaching; however, they are primarily concerned with potential exposure from inside sources. This creates a great deal of need for the organization to expend resources and energy on qualifying staff in order to reduce threats from the inside which could remove information and provide it to anyone outside the confines of SNL by physical or electronic means. Policies are therefore necessary to create an environment which makes resources accountable for both productivity and specific security minded processes in handling SNL’s sensitive data.
As part of SNL’s security policy they have adopted processes to perform counter intelligence schemes and methods which will aid in ensuring data and intellectual property protection. The U.S. legal system had some deficiencies in the past which made it extremely challenging for organizations to take this type of approach for fear of potential liabilities resulting from terrorist attacks. In the event the organization was found to be incompetent or unauthorized to formulate such processes, they could be held accountable for far reaching damages after an incident. New laws and U.S. policy have now softened those liabilities somewhat and actually encouraged organizations like SNL to promote collaborative security measures with Government and public interests included.
Finally, attribution for cyber criminal activity becomes extremely difficult, particularly when the sources of attacks are located in far remote locations. Furthermore, insider help is a greater concern for SNL in that masking the identity of an attacker is much more probable if physical changes can be made to mask the identity of the source of the attack. Attribution challenges go further when it comes to arrest and prosecution. Because international policy on cyber crime is still in its infancy, many incidents must be handled on a case-by-case basis and may not have uniform rules between countries to allow for efficient law enforcement. Secondly, the basic legal systems of countries vary in how they deal with crimes in general, and with cyber crime being relatively new, these laws are quickly evolving. The evolution is evident and will happen as countries find it important to protect their own information and resources as their need for electronic communications and processing grows. However, until that time when the laws are more balanced between countries, cyber criminals will find ways to use specific weak cyber laws in certain countries to reduce the possibility of, or even thwart altogether, prosecution for attacks.
Because of the current state of security technology and the subsequent legal structure, it is important for organizations like SNL to continuously monitor and improve their security policies and processes to conform to applicable Government standards. They also must work hard to drive global standardization of data protection and litigation measures in order to mitigate risks associated with exposure of very sensitive and critical information.
Bidgoli, H. (Ed.). (2006). Handbook of information security: Volume 2. Hoboken, NJ: John Wiley & Sons, Inc.
Congressional Research Service. (2010). Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws. Retrieved from https://www-hsdl-org.ezproxy.umuc.edu/?view&doc=136098&coll=limited
DHS. n.d. SAFETY ACT: Designations/Certifications. Retrieved from https://www.safetyact.gov/
DHS. n.d. SAFETY ACT: Approved Product List. Retrieved from https://www.safetyact.gov/
Duran, F.A., Conrad, S.H., Conrad, G.N., Duggan, D.P., Held, E.B. (2009). Insider threats: building a system for insider security. IEEE Security & Privacy. November/December. Retrieved from: http://people.eecs.ku.edu/~saiedian/Teaching/Sp10/711/Readings/sys-insider-security.pdf
Giani, A., Berk, V.H., Cybenko, G. V. (2006). Data Exfiltration and Covert Channels. Proc. SPIE Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense. April. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.5290&rep=rep1&type=pdf
Heritage Foundation, The. (2009). The SAFETY Act: Obama cyber plans and the private sector. Retrieved from https://www-hsdl org.ezproxy.umuc.edu/?view&doc=111083&coll=documents: WebMemo
Hunker, J., Hutchinson, B., Marguilies, J. (2008). Role and challenges for sufficient cyber-attack attribution. Retrieved on June 22, 2011 from http://www.thei3p.org/docs/
IAEA (2011). Design basis threat. Retrieved from: http://www-ns.iaea.org/security/dbt.asp?s=4
The Intelligence Reform and Terrorism Prevention Act, 50 U.S.C. §§ 403-3d
The Intelligence Reform and Terrorism Prevention Act, 6 U.S.C. § 111(b)
Rich, E., Martinez-Moyano, I. J., Conrad, S., Cappelli, D. M., Moore, A. P., Shimeall, T. J. & Wiik, J. (2005). Simulating insider cyber-threat risks: a model-based case and a case-based model. Proceedings at International Conference of System Dynamics Society, 2005. Retrieved from: https://www-hsdl-org.ezproxy.umuc.edu/?view&doc=94152&coll=i3p
Sandia Corp. (1997-2011). About Sandia. Retrieved from http://www.sandia.gov/about/index.html
Sandia Corp. (2009). Figure 1: The IDART Methodology. Retrieved from http://www.idart.sandia.gov/methodology/IDART.html
Sandia Corp. (2009). Red Team Methodology. Retrieved from http://www.idart.sandia.gov/methodology/index.html
Sandia Corp. (2009). The Information Design Assurance Red Team (IDART). Retrieved from http://www.idart.sandia.gov/
Sandia Corporation (2011). Mission areas: nuclear weapons. Retrieved from: http://www.sandia.gov/mission/nuclear/index.html
Sandia Corp. (2011). Vision: Helping our nation secure a peaceful and free world through technology. Retrieved from http://www.sandia.gov/about/vision/
Sandia’s national security missions (n.d.). Retrieved from http://sandia.gov/
Wheeler, D.A., Larsen, G.N. (2003) Techniques for cyber attack attribution. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA468859&
Shaw, E., Ruby, K. G., Post, J. M. (1998). The insider threat to information systems: the psychology of the dangerous insider. Security Awareness Bulletin, No. 2-98. Retrieved from: http://www.pol-psych.com/sab.pdf
UMUC. (2010). Module 4: human aspects. CSEC620 Online Classroom. Retrieved from: http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1106:CSEC620:9047&fs_project_id=346&xload&tmpl=CSECfixed&moduleSelected=csec620_04
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.