FMS Readiness: A Critical Paradigm to Maintaining US Technological Advantage
FMS-readiness is quickly emerging as an important element of the U.S. National Defense Strategy. With roughly $41B[1] spent on FMS cases each year, the U.S.'s efforts to prevent the rogue development and unintended transfer of critical military technologies remain as important as ever. Still, FMS programs are expensive and fraught with risk. These programs have more stakeholders, expanding requirements, and demands to protect critical technology. Unfortunately, most baseline programs, when asked to stand up an FMS program for the first time, are surprised by the requirements and often take an adversarial posture toward meeting them. To counter this attitude and continue the important function of protecting our critical technology, programs should adopt an FMS-ready mindset during baseline development. This mindset can be fostered through several proactive efforts.
Study the DoD’s ATEA’s Anti-Tamper (AT) Planning and Execution Process
While the ATEA (Anti-Tamper Executive Agency) provides several documents to help program managers and engineers understand AT goals, processes, and purposes, the ATEA also puts on training courses such as the AT Short Course. Furthermore, there are numerous companies that specialize in AT, protecting both hardware and software. These companies often host working groups, webinars, and conferences where program managers and engineers can learn more about threats and protections. Note that many of these engagements will not take place in unclassified forums.
Identify CPI and characterize the cost of compromise
Protecting CPI, or critical program information, is the aim of AT technologies. Sometimes it is not clear what, if any, CPI is on the system. Novelty might be an easy way to identify something as CPI, but it might also be the case that an aged capability must be treated as CPI because it still provides the U.S. an advantage. CPI identification is difficult, but that only strengthens the need for an FMS-readiness mindset and a proactive approach to learning more about AT. Moreover, formulating a general appreciation for the cost of a compromise, and not just in terms of monetary cost, is critical to understanding why the U.S. puts these systems together in the first place. Finally, by differentiating the CPI in a system early in the engineering process, engineers are further enabled to make FMS-ready design decisions. For example, separating and isolating CPI in a particular component or partition of the system essentially de-risks future FMS programs.
Many might think that understanding cybersecurity threats meets this bar. Tamper threats, however, take many forms, many of them not traditionally recognized by cybersecurity professionals. Learning about tamper threats and protection approaches requires appreciating that systems under the total control of untrusted individuals (physically and with administrative privileges) come under a unique threat often not conceived of by traditional security professionals. Furthermore, time, which often works against attackers, is a non-issue when they are in possession and control of a system. Learning about these threats and the protections that counter them will help program managers and system engineers identify and resolve engineering and design approaches that might otherwise require significant changes to meet FMS requirements. One example is the decision to use closed-source, proprietary solutions in a highly privileged location in a system's architecture.
Identify Components That Will be Influenced by AT Requirements and Solutions
The easy example is hardware. If a baseline system's operating environment runs on commodity or commercial hardware, this is likely to change for FMS. Hardware with AT solutions has existed for decades, and there are many companies that specialize in improving the tamper resistance of processors, FPGAs, memory, and storage devices. Newer to the AT community are software solutions that protect CPI. These solutions leverage hardware such as TPMs and HSMs, but they deny, delay, or disrupt attackers through various software approaches. Key to understanding the impact of AT on a system design is to pinpoint components or subsystems that, if compromised, give an attacker escalated privileges over the system. These privileges, if obtained by the adversary, can be used to access CPI or to turn off weaker tamper protections. Examples include an operating system kernel, a hypervisor, trusted execution environments, and out-of-band remote management controllers. If CPI is maintained by, supported by, or executed using system software, it is likely to invite additional scrutiny and thus require specific software-based AT solutions. Don't select system software without considering AT. This might involve prototyping solutions and thinking through integration challenges to identify barriers to success.
Predict Costs of Implementing AT Measures
This is easy in the abstract. Programs that incorporate AT after system design invite extremely expensive outcomes. It is not the case that AT solutions are necessarily expensive, but they become less affordable the later they are introduced. Furthermore, many AT solutions, both hardware and software, can be dual purpose. For example, software-based AT solutions can meet many cybersecurity requirements, and they cooperate or integrate with other security solutions, decreasing programmatic risk and variation for both the baseline and FMS versions.
FMS-readiness is important, not only for U.S. security, but also for confidence in U.S. resource management. There is an opportunity for baseline programs to foster an FMS-ready mindset, and there are opportunities to grow in the knowledge of anti-tamper, its purpose, and the processes used to successfully protect U.S. critical technology.