
In this Q&A with Brian Morrison, Cyber Systems vice president and general manager for General Dynamics Mission Systems, we discuss cost-effective strategies for crypto mod, how Layer 2 encryption will enable missions such as the Joint Warfighting Cloud Capability, and how organizations can keep cryptographic systems compliant with NSA requirements.

Breaking Defense: Let’s set the scene. What is the steady state right now in cryptographic solutions? Where is modernization needed?

Morrison: At a threshold level, NSA is the standard-setting organization and the certifier for all cryptographic equipment across the National Security Enterprise. It’s fair to say that crypto modernization for NSA has always been viewed as a continuous process.

That is to say, you and I have email accounts that we originally set up with a strong password. But since then, maybe we used that password on other accounts, or there was a penetration somewhere, or compute power has increased such that password crackers are more capable today. So what was once a strong password ends up being a really weak one and a vulnerability.

That’s an oversimplification, but what’s true for passwords is true for crypto gear. You can build the strongest crypto gear that exists but over time the security of that device, of the algorithms that underlie that device, of the protections that are wrapped around that device, all erode over time. Our adversaries get better at doing what they do. And we’re seeing new, persistent attacks due to network vulnerabilities.

Under the leadership of the NSA, we, as a National Security Enterprise, must continually refresh our crypto gear. That means discrete gates for Advanced Cryptographic Capability prescribed by NSA. It also means continuing to patch, maintain, and update all of our gear over time. And then at certain points in time, NSA says a particular family of cryptographic gear has to come offline because it has aged out; it can’t be secure anymore.

That’s the way I look at crypto modernization: from new crypto boxes to upgrading existing crypto boxes, to removing legacy crypto boxes from a network. All of that is the process of crypto mod. Our reason for being at General Dynamics Mission Systems is to make sure that our customers and the national security establishment have the most secure crypto that American ingenuity can provide.

Breaking Defense: How should organizations approach crypto mod? Is it akin to a software patch or a new iOS update that downloads in the background while we’re asleep?

Morrison: I wish it were that easy. There are two aspects. One is we know, without speaking to crypto gear specifically, that the overwhelming majority of cyber-security penetrations happen because somebody has not patched and updated, or they have been phished.

Our customers operate in vast networks, widely dispersed networks, high-latency networks, and in tactical, DIL (disconnected, intermittent, limited) environments. It’s very difficult for those networks with many pieces of gear to stay patched and updated all the time. At General Dynamics Mission Systems, we have what we call the GEM One Encryptor Manager, which is a software package that manages and updates all of the Type 1 crypto in the enterprise, including crypto devices made by other manufacturers. Remote management improves the health of the network and eases maintenance.

The second part of the problem is that our customers have thousands and thousands of cryptographic units in their inventory. The ongoing process of crypto mod, including the periodic deadlines that the NSA rightfully imposes, is difficult to manage from both a budgetary and a logistics perspective.

So we’re encouraging our customers to think proactively about what their needs are going to be for crypto in 6, 12, 18, 24, 36 months out. That helps them plan from a budget perspective so that we are able to plan from a manufacturing-capacity perspective so that when the time comes to switch out boxes, they’ve got the budget for it and we’re ready to satisfy their demand on time and within their budget. That’s easy to say and hard to do because they’re substantial investments. At the same time, they’re investments in the security of the most important secrets the nation has.

Breaking Defense: Is crypto mod more of a hardware or a software modification, or both?

Morrison: When we talk about crypto mod, we’re normally talking about updates to the hardware. But there are major software updates that we can do to provide compliance with crypto mod gates from the NSA. For example, our TACLANE-FLEX, TACLANE-10G, TACLANE-Nano, TACLANE-Micro, and Sectéra vIPer phones have all been software upgraded to the NSA’s Advanced Cryptographic Capabilities standard of modernization.

Breaking Defense: What is involved in keeping data-protection solutions up to date? I’m assuming we’re talking about NSA requirements and certifications.

Morrison: Yes, the NSA is the certification authority for Type 1 crypto. If you want to pass classified information across the network, you’ve got to do it over a piece of crypto that the NSA has certified. For the vendors and programs that develop new crypto, that certification process is every bit as rigorous, complicated, and demanding as you would imagine. And, frankly, as rigorous as you would hope as these are high-stakes networks. For the missions that consume the crypto, the fact that NSA has certified the encryptor makes the long-term management of the crypto infinitely simpler and more stable.

Today, the NSA is in the midst of introducing a new specification for what we call Layer 2 encryption. This is a new standard for encryption at a different network layer that is intended to deliver much higher speeds over the next few years. We’re very much a part of that effort and have made significant investments in delivering some mind-boggling speeds.

Breaking Defense: Speeds for what exactly?

Morrison: For the defense and intelligence establishment’s migration to the cloud. With defense networks operating in cloud environments, you have data center to data center transfers that have to happen at a very high rate of speed because those data center to data center transfers are aggregated traffic.

These transfers must be as bandwidth efficient as possible while keeping high security standards. When you move to Layer 2, you open up the possibility of much higher speeds at any given compute power. At the same time, we are pushing the boundaries of what compute power is available. We’re always looking for more compute power to deliver higher and higher speeds.

As we address the data center market for government data centers, we need to be able to deliver speeds that there isn’t even a market for today, but we know there will be tomorrow.

Breaking Defense: It almost sounds like the future of cloud computing in the DoD, particularly the Joint Warfighting Cloud Capability, is dependent on Layer 2 encryption. Is that an oversimplification?

Morrison: I don’t think it is. The cloud providers likely can, with their existing or soon-contemplated infrastructure, handle what is already within the boundaries of their clouds. But as we know, defense customers are going to require hybrid clouds. They’re going to require data transitioning from cloud to cloud, and that’s where we really need those higher speeds.

Breaking Defense: What do you see as hindrances to proper crypto modernization?

Morrison: I’m always sympathetic to the fact that the business I’m in, the crypto business, is often perceived by some of our customers as an unfunded mandate. It’s a real challenge.

That often stands in the way, even though nobody wants their systems to not be secure. Their number one concern is the life of their soldiers, sailors, airmen, and Marines. That necessitates the security of national security information traveling across their networks. But for many missions, crypto is not the core mission, it’s the thing that enables the mission.

As new requirements come online and as standards for crypto mod continue to evolve, tactical units might want to upgrade their crypto but just don’t have the budget or logistics bandwidth. In response to that, we have added more remote management features to ease the logistics burden of crypto mod. And a couple of years ago, we introduced the smallest, lightest, least expensive Type 1 crypto in its class — the TACLANE-Nano — which brought affordable crypto to the tactical market.

Breaking Defense: Your point about crypto enabling the mission and not being the mission is well taken. Can you offer a scenario where TACLANE-Nano is particularly valuable to a warfighter and also an affordable and effective crypto solution?

Morrison: Sure. The last decade or more has seen a large increase in the use of unmanned and unattended systems. The nice thing about the TACLANE-Nano is that it is at a price point where you can put it on an unmanned or unattended system, insert it into your adversary’s territory, for example, and not worry if it is lost or you lose connectivity; you can remotely zeroize that device. That means that if the cryptographic unit falls into the hands of our adversaries, it can’t be used against us.

You can’t do that with a big, heavy piece of crypto or one that costs $60,000 because that’s not the way those types of unmanned missions run by and large. We’re talking about much smaller, lighter airframes. We don’t think of those classes of UAVs as attritable, but it may be approaching the attritable market.

Breaking Defense: Final thoughts?

Morrison: Any customer in the national security space has to be thinking about, worrying about, and planning for crypto mod. It is not something that any of us can ignore and then play catch up later on. The planning and logistics behind replacing legacy gear and modernizing a network cryptographic solution are complicated and long-tailed.

That’s what General Dynamics Mission Systems is all about. We are a leader in crypto mod and are ready for both today’s gates and tomorrow’s gates from the NSA. Our goal is to partner with our customers, help them understand and implement their modernization needs, and ensure their networks and communications are as secure as anyone can keep them.