What you’ll learn:
- The three router networks operated by the Department of Defense and Department of State are NIPRNet, SIPRNet, and JWICS.
- The steps involved with preparing information to be communicated from one secure network to another.
- How to ensure that information can be securely received from another secure network.
In Part 1 of this 3-part series (read Part 3 here), we introduced the concept of “air-gap networks”—secure computer networks that are physically isolated (“air gapped”) from their unsecured counterparts, such as an unsecured local area networks (LANs) or the public internet.
In addition to describing how data may be categorized as being Classified, Secret, Top Secret (TS), and Sensitive Compartmented Information (SCI), we also discussed the creation of secure facilities in the form of Sensitive Compartmented Information Facilities (SCIFs) or a Special Access Program Facilities (SAPFs).
The counterpoint to securing information is that such information is of use only if it can be used, which leads us to question what happens when there’s a legitimate reason to transfer information into or out of one of these secure facilities. This is subject of the article.
Let’s start with the fact that we have a large number of SCIFs and SAPFs located throughout the U.S. and around the globe. Let’s call these “silos” for short. When it comes to communicating information, three questions need to be addressed:
- Who do we want to communicate with?
- What information do we wish to communicate?
- How are we going to communicate this information?
It may be that we wish to communicate information from one silo to another silo. In this case, there are different procedures in place depending on whether the route is from lower-to-higher (in terms of the silos’ secrecy rankings), higher-to-lower, or peer-to-peer. Alternatively, it may be that we wish to import information from the outside world into a silo or, more rarely, export information from a silo to the outside world.
One huge consideration is that when we’re talking about silos containing top secret data, people in one silo who need access to data in another silo may not actually know that data exists. Similarly, people with access to data in one silo may have no clue that this data could be of use to people working on a project in another silo.
Things are challenging enough with respect to projects with a standard TS classification. The situation is even more complex when it comes to black projects—which is the unofficial name for Special Access Programs (SAPs)—because these highly classified, top-secret military or defense projects aren’t publicly acknowledged by the government, military personnel, or contractors. In some cases, even members of the U.S. Congress are unaware that such projects exist.
The problems associated with knowing whether data exists are beyond the scope of this article. For the sake of simplicity, let’s assume that someone in one silo wishes to communicate information to someone in another silo and that the originator already knows the intended recipient.
In that scenario, communication and associated data transfers often are part of a standard operational process. It may be that this is a regular update—perhaps modifications to a design along with the corresponding results from a simulation, for example. All we need now is some way to move the data...
Let’s start by noting that three main router networks are operated by the U.S. Department of Defense (DoD) and Department of State (DoS): the Non-classified Internet Protocol (IP) Router Network (NIPRNet), the Secure Internet Protocol Router Network (SIPRNet), and the Joint Worldwide Intelligence Communications System (JWICS). Each network is separated by the types of information on each one.
NIPRNet is an IP network used to exchange unclassified information, including information subject to controls on distribution, among the private network's users. The NIPRNet also provides its users access to the internet.
SIPRNet is a system of interconnected computer networks used by the DoD and DoS to transmit classified information (up to and including information classified Secret) by packet switching over the “completely secure” environment. It also provides services such as hypertext document access and electronic mail. As such, SIPRNet is the DoD's classified version of the civilian internet.
JWICS is a secure intranet system utilized by the DoD to house and communicate Top Secret and Sensitive Compartmented Information.
Of course, another question now arises: “What do secure networks like SIPRNet and JWICS have to do with air-gapped silos?” And the answer is...
Some secure silos have access to wide-area networks (WANs) that allow for communication at higher levels. To put this another way, these silos aren’t always restricted to a completely air-gapped solution, especially for purposes of communication.
This leads to a very common scenario of wanting to communicate information that resides on one of the air-gapped networks through a communication network. It’s sometimes referred to as cross-domain communication.
To do this, the data first needs to be cleaned and thoroughly scanned. Next, it can be migrated via a data diode, or unidirectional network solution like Forcepoint. Alternatively, the data may be copied to a secure encrypted storage device, on which it will be maintained, inventoried, and safeguarded until it can be uploaded onto a communication network.
These secure encrypted storage devices can be discs in the form of compact discs (CDs), digital video discs (DVDs), and Blu-ray discs (BDs), or removable drives in the form of hard-disk drives (HDDs) or solid-state drives (SSDs). In the case of removable drives, tamper-proofing and tamper protection are required in addition to encryption.
With respect to cleaning the data, specific required software programs must be used. One program will verify file media types (also known as MIME types) to determine that a file with the PDF extension really is a PDF, for example. Other programs will scan for potentially classified terms, for black text on black backgrounds (and white text on white backgrounds), for pictures behind pictures, for text embedded in images… the list goes on. Also, advanced virus scanning will be performed.
After these scans have been performed, a peer technical subject matter expert (SME) review is required. The SME is a qualified expert in the same field who can attest that none of the information is classified.
Following these steps, the data is encrypted using government-approved encryption standards and the disk is finalized. That means any additional available space on the disc is locked, no other data can be written to it, and it’s now non-reusable. The disc and data are encrypted multiple times as well during the transfer process.
These portable classified discs/drives always require two-person integrity (TPI) until stored in a TPI safe (two secret combinations where only one person knows each), or it’s destroyed with two witnesses and recorded in a database.
Assured File Transfer
The act of moving data off one network and onto a new network is known as an Assured File Transfer (AFT). Such transfers can be performed only by privileged network users known as Data Transfer Agents (DTAs). With the zero-trust method implemented, the “least privilege” concept requires a DTA to be present as well as use separate credentials for their privileged account.
Due to "separation of duties," each individual can hold only one privileged account. Therefore, the DTA shouldn’t be a system administrator or someone from the Cybersecurity or IT departments. The DTA must perform all AFT procedures in accordance with the Standard Operating Procedures (SOPs) defined by the Information Assurance Manager (IAM), a.k.a. Information Systems Security Manager ISSM).
General guidelines for AFT procedures can be found on the Defense Intelligence Agency (DIA) website. Each IAM/ISSM is responsible to the government’s cyber assessors to ensure the end-users utilize their network in accordance with the government’s procedure and laws. It’s their responsibility to report all violations and incidents through the proper authorities, such as the FBI or the Air Force Office of Special Investigations (AF OSI).
Multiple incidents can lead to removal from programs and revoking an individual's clearance. Intentional violations typically lead to immediate removal from position and potentially jail time.
Sometimes the air-gapped network has no corresponding communication network at the same level, which is when things really start to get interesting. As you can imagine, the number of procedural steps required gets quite sticky because of the logical differences when information is being communicated going up, down, or laterally.
Each network also has its own SOPs with respect to its AFT process that must be abided by accordingly. Then the data needs to be transported physically. If the target network is in the same secure area, this isn’t too big of a deal since the same individuals extracting the data can also typically perform the upload.
If the target network is in a different facility, possibly in a different country, then much more drastic procedures are required. For example, only authorized officials are permitted to transport the data following physical security SOPs for the facility in question. Unfortunately, for reasons of security, this is as detailed as we can go on this subject.
Finally, when bringing data into a new secure facility, that facility’s Special Security Officer (SSO) must be notified ahead of time, and you must ensure you're in compliance with that location’s Physical Security SOP. This most likely requires assessment of media and scanning on a demilitarized zone (DMZ) network before being allowed into the facility.
It’s necessary to ensure compliance with the IAM/ISSM's SOP, because that person is ultimately responsible for the data now entering the secure facility. Once admittance to the facility is granted, you go straight into the inventory process and proceed to the network specific DTA, under escort throughout the entire process. There’s a lot more to this than I’ve discussed here, but this is as far as I can go with the upload process for security reasons.
In Part 3, we will consider the solutions required to address the need to access isolated pockets of information, or to solve problems using multiple agencies or teams. The scope of this problem may transcend team, agency, or even country boundaries. Until that time, as always, I welcome your comments and questions.