Security Wags: Network Resistance Futile

Tuesday, March 27, 2012 @ 06:03 PM gHale


Foreign spies continue to penetrate federal networks and current perimeter-based defenses that attempt to curb intrusions remain outdated and futile, network security experts said last week.

Speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities the experts told Senators the U.S. government needed to abandon the notion that it could keep outsiders off its computer networks.

RELATED STORIES
Data Breaches Focus on Money: Study
Agile Hackers will Break Security
Cyber Report: U.S. Knows Groups Behind Attacks
Execs Unaware of Security Risks

“We’ve got the wrong mental model here,” said Dr. James S. Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

The situation is “an environment of measures and countermeasures,” said Zachary J. Lemnios, the assistant secretary of defense for research and engineering at the Department of Defense.

“We can do things to make it more costly for them to hack into our systems…,” Senator Rob Portman (R-OH), ranking member of the Emerging Threats and Capabilities subcommittee said as a point of clarification, “but you didn’t say we can stop them.”

Dr. Kaigham J. Gabriel acting director of DARPA likened the situation to treading water in the middle of the ocean as a metaphor to describe the state of security on federal networks. Treading water is a great way to stay alive, to buy breathing room, he said, but treading water in the middle of the ocean inevitably leads to drowning.

“It’s not that we’re doing wrong things, it’s just the nature of playing defense in cyber,” Gabriel said.

All the experts called for better offensive capacities, but opted to wait for a closed-door session to go into specifics.

Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators the federal government also faces a dire shortage of talent exacerbated by a sclerotic hiring and promotion system within the government.

The average annual salary increase for computer scientists in the private sector is 4 percent. The government norm is pay-freezes and DoD enforced pay-caps, Wertheimer said. He noted individuals with a PhD in computer science can enter the DoD at pay-grade 12, making, at most, $90,000 a year, and then stays at that pay grade an average of 12 years before winning any sort of promotion. Even with those obstacles, agencies are limited in the amount 13, 14, and 15-grade employees they may have on payroll.

Finally, staffing ends up complicated by the fast-revolving door between the government and its private contractors, which lure away top talent, then hire it back to the government at inflated rates. Historically, the government has lost about one percent of their IT talent annually; this year the government is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said 44 percent of the NSA resigns from their position as opposed to retiring. Within the NSA’s IT staff, that figure is 77 percent resigning as opposed to retiring.

Peery pointed out Sandia National Laboratories, which operates under the DoE, pays starting salaries of $115,000 and $95,000 to persons with PhDs and Master’s in computer science respectively. Gabriel argued a focus on candidates with advanced degrees may be misguided, and a model with the expectancy of high turnover rates may not be such a bad thing. He explained he has a group of “cyber-punk” program managers that developed their skills in the hacking community. He says their skill sets have a 4-5 year shelf-life before DARPA needs to go out and hire newer white hats.



Leave a Reply

You must be logged in to post a comment.