Posts Tagged ‘DOD’
Wednesday, May 8, 2013 @ 09:05 PM gHale
This may not come as a big surprise, but China’s government and military appear to be an active participant in cyber attacks against the U.S., a new report said.
The conclusion, contained in the Department of Defense’s (DoD) annual report that evaluates China’s military capabilities, marked another pointed claim by the U.S. government amid rising tensions between the two nations over cyberspace.
RELATED STORIES
Federal Security Guidelines Reworked
Firing Up a Security Framework
Obama Inks Cyber Security Order
Hackers ‘Declare War’ on U.S.
The DoD said last year “numerous computer systems around the world, including those owned by the U.S. government, continued to be a target of intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information.”
The stolen information is useful to a range of Chinese entities, including its defense and technology industries, U.S. policy makers in China as well as military planners, the report said.
Cyber warfare capabilities could complicate efforts to respond during a military confrontation, including causing slow response times by constraining the communication and commercial activities of an adversary, the report said.
China denies it is coordinating hacking campaigns, but computer security researchers point directly to the nation when describing intrusions.
The DoD report also said Russia and China were playing a “disruptive role” in international forums aimed at establishing confidence-building measures and transparency in cyberspace.
Both nations are also pushing an Information Security Code of Conduct, which would give governments sovereign authority over content and information on the Internet. The proposal has quite a few critics.
The U.S. argues existing international humanitarian law should apply in cyberspace. China doesn’t agree, but “Beijing’s thinking continues to evolve,” the report said.
In March, U.S. President Barack Obama’s national security advisor Tom Donilon said U.S. businesses have serious concerns about “cyber intrusions emanating from China on an unprecedented scale.” He called on China to recognize the threat cyber attacks pose to the two countries’ relationship and trade.
In February, computer security vendor Mandiant released a comprehensive report that named a specific Chinese military unit called “61398″ as conducting an extensive, seven-year hacking campaign that struck 141 organizations.
The hacking group, also called the “Comment Crew,” was extremely active in targeting U.S. companies and other organizations despite China’s claims it does not permit state-sponsored hacking.
Monday, April 29, 2013 @ 04:04 PM gHale
A policy through which federal departments offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on private networks of defense contractors expanded by Executive Order to include other critical infrastructure industries, according to the Electronic Privacy Information Center (EPIC).
EPIC said the pilot-version of the program run with the Departments of Justice (DoJ), Defense (DoD), and Homeland Security (DHS) came to light in June 2011 after The Washington Post published a report detailing the implementation of a new program by National Security Administration that let them monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, The Washington Post quoted Deputy Defense Secretary William J. Lynn III saying the program was to help thwart attacks against defense firms and the government hoped to expand the program moving forward.
RELATED STORIES
Web Access Means More Attacks
Phishers Hide Real Links with Javascript
APT Attacks Shut Down
Cyber Attack Against S. Korea
The documents obtained in the a Freedom of Information Act (FOIA) request, EPIC said, reveal the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.
EPIC, digital rights group the Electronic Frontier Foundation, and others fear the program’s expansion would apply to the broad swath of organizations that potentially fall under the vague category of critical infrastructure.
The government has not yet named the program, but EPIC said the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.
For its part, the NSA said it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures the agency has developed.
EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”
The government failed to provide any of this information. So, EPIC filed a FOIA lawsuit on March 1, 2012 and eventually gained access to thousands of pages of previously unreleased documents, which they have posted on their website.
Friday, November 9, 2012 @ 09:11 AM gHale
A new program is starting up to implement automated monitoring of a set of critical security controls in government IT security this year, to provide a standardized cyber security baseline for agencies.
The effort, launched by the Department of Homeland Security (DHS), will include a set of technical specifications developed in cooperation with industry that would enable the automation of the controls in off-the-shelf products. There also would be a governmentwide dashboard to provide visibility into each agency’s status on the controls and help establish priorities for improvement during the current fiscal year.
RELATED STORIES
Ensuring Software Security Policies
Trojan that Supports Windows 8
Tracking Software Settlement
Pushdo Trojan a Master of Disguise
DHS unveiled the plans in conjunction with the release Nov. 5 of the latest version of the top 20 Critical Controls for Effective Cyber Defense and the news of a new international organization to oversee development of the consensus controls and promote their use in government and industry.
DHS, along with the National Security Agency, the Defense Department, the Defense Information Systems Agency and the DoD Cyber Crime Center, are among the members of the Consortium for Cybersecurity Action, which will maintain and update the list.
The critical controls, formerly the Consensus Audit Guidelines, are a set of security requirements developed in cooperation by government and private sector experts and published by the Center for Strategic and International Studies (CSIS) and the SANS Institute. Growing adoption of the controls in both government and industry has created the need for a more formal organization to house and maintain them, said former NSA official Tony Sager, who will lead the effort.
“It had to be a little more standardized,” said Sager, who retired as chief operating officer of the NSA’s Information Assurance Directorate in June. “If major organizations are going to make IT policy and spending decisions based on it, they have to know it will be there in two or five years.”
The critical controls are a reflection of the 80/20 rule at work in cyber security: Twenty percent of the effort produces 80 percent of the results. The controls are an effort to identify the 80 percent payoff that can prevent or mitigate the bulk of the attacks against IT systems today. By automating the application and monitoring of these basic security functions, resources and manpower could be free to address remaining more sophisticated challenges that require greater attention.
Development of the critical controls began in 2008 under the auspices of the CSIS in cooperation with other groups including NSA, US-CERT, DoD, Energy Department Nuclear Laboratories and the State Department. Their use at the State Department has gained attention as a way to measure and reduce meaningful vulnerabilities in widespread IT systems. The new consortium will have no power to require use of the control list, and its authority will come from the combined weight of its members.
Such a system does not provide complete security, but advocates said it helps focus security investment in the most needed areas and frees needed resources for more complex threats. By updating the list regularly to reflect changes in the threat landscape, the consortium will try to ensure that priorities remain properly focused.
The DHS program for implementing an initial set of five critical controls has been funded for fiscal 2013, which began Oct. 1. Capabilities will expand to other controls if funding is available. The department expects to issue a request for proposals that would provide a blanket purchase agreement for off-the-shelf automated monitoring tools for the initial set of controls:
• Hardware asset management
• Software asset management
• Configuration management
• Vulnerability management
• Network access control management
Monday, September 17, 2012 @ 04:09 PM gHale
U.S. power grids and other civilian infrastructure are not prepared for electromagnetic pulses (EMP) that could result from weapons or violent space weather, according to a congressional subcommittee hearing last week.
There are serious flaws in the nation’s infrastructure that could allow for EMP events to shut down power and communications for extended periods of time, said panelists at the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, headed by Chairman Dan Lungren R-CA.
RELATED STORIES
Profile on Civilian ‘Cyber Warriors’
Hacktivists Could Bring Down Grid
Schoolboys Behind Greek Hack
Tear Gas Maker Hacked
“Our civilian grid, which the Defense Department relies upon for 99 percent of its electricity needs, is vulnerable to these kinds of dangers,” Rep. Trent Franks, R-AZ, testified during the hearing. Franks, one of the leaders of the Congressional EMP Caucus, sponsored legislation in 2011 to protect U.S. infrastructure in the event of an attack by an EMP weapon.
Michael Aimone, a director of business enterprise integration at Defense, said the Pentagon had pursued a “two-track approach” to mitigate the impact an EMP attack could have on Defense facilities. He said his plan relied on in-house capabilities to maintain power and electronics and a means to communicate and coordinate with outside partners.
“DoD recently adopted an explicit mission assurance strategy, which is focused on ensuring operational continuity in an all-hazard threat environment,” Aimone said.
EMP disruptions and attacks can come from different types of events, including high-altitude or low-altitude nuclear weapons detonations, locally based radio frequency weapons, and solar weather. One of the largest impacts from an EMP-based disruption was in Quebec in 1989, when nearly 6 million people lost power because of a geomagnetic storm.
Brandon Wales, of the Homeland Security Department’s National Protection and Programs Directorate, said DHS was working with federal agencies on contingency plans for an EMP event. He said Federal Emergency Management Agency was establishing lines of communication with key agencies in case an EMP event occurs, and that Homeland Security Secretary Janet Napolitano had commissioned a report in 2011 to study the impact of space-based EMP attacks.
“DHS has pursued a deeper understanding of the EMP threat, as well as its potential impacts, effective mitigation strategies, and a greater level of public awareness and readiness in cooperation with other federal agencies and private equipment and system owners and operators through various communications channels,” Wales said.
Common standards for power grid equipment are a major issue, said Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. He said current standards to protect infrastructure and equipment do not address the many levels within the power grid and should undergo an update.
“Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure,” McClelland said.
Tuesday, May 1, 2012 @ 03:05 PM gHale
By Nate Kube
Though it’s critical to accurately identify vulnerabilities in process control networks and devices, a chief executive or management team will likely question the additional investment in robustness testing.
At first glance, what they often don’t recognize is that additional investment will end up improving the bottom line.
Robustness testing provides insight into how environments perform under stress, it goes the extra mile beyond requirement specifications to ensure control systems exceed specifications in emergencies.
RELATED STORIES
Siemens CERT Gains Achilles Status
Security First; Not in Smart Grid
Smart Meters Getting Smarter
Secure Smart Grid Moves Forward
National Aeronautics and Space Administration (NASA) and the U.S. Department of Defense (DoD) reports indicate over half of the bugs found in deployed devices directly relate to a lack of robustness testing. Now with resources in short supply, developers cannot be reverting to fixing flaws that should have never shipped.
While assuming there are extra resources to troubleshoot after the fact, the challenges of critical infrastructure testing are more significant. For instance, rebooting a PC can cause a minor disruption, rebooting a nuclear power plant has broader implications.
Defining Robustness Testing
The Institute of Electrical and Electronics Engineers (IEEE) defines robustness as “the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.” Having a properly functioning system, despite the unpredictable, is essential in the industrial control systems world in order to “keep the lights on.”
Overlooking Robustness Testing
Quite a few DoD programs engage in what has been called “happy-path testing,” in other words only showing the system maintains functional requirements, according to a DoD assessment report. While this type of testing is essential, additional tests to ensure the system properly handles errors and failures appropriately are often neglected. Performing “happy-path testing” underscores that control system failure in the field is often due to a lack of robustness.
Although vendors’ solutions meet user requirements for particular installations, users may not be able to quantify the level of robustness required for specific installations. At present, most industrial control equipment manufacturers and software developers are limited in their ability to rigorously test new products for possible security flaws because of the lack of available tools.
As a result, new vulnerabilities are discovered each year, but only after the products are sold and installed by the end user. This is particularly true of control and SCADA systems used in critical infrastructures such as the oil and gas, water, and electrical generation/distribution industries. Standard information technology (IT) vulnerability testing does not typically address the unique resources and timing constraints of critical control systems or the specialized protocols used.
As business and technology continue to drive toward more open and connected networks, mission critical systems – including those used in the control of power generation, oil and gas production, water treatment and transportation – are becoming increasingly vulnerable to cyber attacks that penetrate or bypass perimeter defenses (e.g. firewalls).
Yet, how does one measure and assess something that doesn’t necessarily happen? Additional testing is a tough sell for management if the current testing regimes appear successful. How and why can one build a case for an expanded testing capability or continued diligence?
Dollars and Sense
NASA leads the industry in computer usage and complex systems. They advise robustness testing through usage of off-nominal cases. NASA believes a methodology able to test for off-nominal cases (i.e., hardware and software failures) during design, and the earlier test stages, could avoid over one-half of all failures and over two-thirds of the failures in the most severe classifications.
For a quick rubric:
1. Make an estimate of the additional costs you’ve incurred over the last year due to robustness failures of your systems in the field.
2. Multiply that figure by .50 to get the low end of the range and by .66 to get the high end of the range.
Although this can quickly determine the value of pursuing a course of action, this may not be enough to persuade management to make additional robustness testing investments.
Fortunately, several valuation models can aid in putting a dollar amount on security costs. Carnegie Mellon University for the U.S. Department of Homeland Security published a paper that makes a comparison between 13 different models for assessing the cost and value of software assurance. They found several features common to each model and categorized the models into four types: Cost-based, investment-based, quantitative estimation and environmental/contextual. A follow-up paper provided by the same company demonstrated organizing its approach focused specifically on the Balanced Scorecard model. The Balanced Scorecard is widely used; one major explanation to its success (and to the success of all quantitative methods) is data. Before embarking on any effort to quantify the cost of robustness testing, an organization must have metrics in place and data collected and validated.
Budgets are shrinking and threats are increasing. Times are difficult with economic hardships, but security cannot be compromised. Companies have the capability to increase the robustness of their systems to reduce the time to market and produce a quality product while decreasing overall costs.
Protecting critical infrastructure and “keeping the lights on,” is the singular aim of any robustness test. Robustness testing is not just important, it is essential. This expands from the plant floor to every point where an organization’s system is touched by the Internet.
As more devices become Ethernet-enabled in the control systems world, we can no longer depend on “security through obscurity.” Everyone needs to be confident that implemented security solutions function effectively under known, as well as, unexpected conditions.
Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technical Officer is responsible for strategic alliances, technology and thought leadership.
Wednesday, April 11, 2012 @ 05:04 PM gHale
By Richard Sale
The Stuxnet virus that damaged Iran’s nuclear program was implanted by an Israeli proxy — an Iranian, who used a corrupt “memory stick.32,” former and serving U.S. intelligence officials said.
In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said.
RELATED STORIES
Cyber Warning: Duqu’s Back
Duqu Still at Work
Duqu Report: Code is Old School
Stuxnet, Duqu Link Grows Stronger
Stuxnet to Duqu: The Waiting Begins
Duqu and Rumors of War
A New and Frightening Stuxnet
These sources, who requested anonymity because of their close proximity to investigations, said a saboteur at the Natanz nuclear facility, probably a member of an Iranian dissident group, used a memory stick to infect the machines there. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. “Iranian double agents” would have helped to target the most vulnerable spots in the system,” one source said. In October 2010, Iran’s intelligence minister, Heydar Moslehi said an unspecified number of “nuclear spies” were arrested in connection with Stuxnet.33 virus.
Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.
As ISSSource reported, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.
But the United States never indulged in targeting killings of Iran scientists, and former senior U.S. officials said the U.S. public remained unaware of a separate Israeli program, independent of the United States, that has for ten years been assassinating key Iranian nuclear scientists and sabotaging key Iranian facilities using a proxy group of Iranian dissidents. These dissidents have a functioning, effective network inside Iran and they have access to officials in the nuclear program.
The MEK has a shadowy and unsavory history. Founded in the 1970s, the group was stridently anti-shah and allied itself with the dictatorship of Iraq’s Saddam Hussein from which it received most of its supplies. Performing security for Saddam, the MEK assisted Saddam in the slaughter of his domestic opponents and the massacre of Iraqi Shias and Kurds in the 1991 uprising.
As the military wing of the National Council of Resistance of Iran (NCRI), the MEK targeted Iranian officials and government facilities in Iran and abroad. In the 1970s, the group also attacked and killed Americans. According to one former senior CIA official who spoke on background to ISSSource, the MEK is particularly violent. In France, they conducted killings in Paris, including six or seven U.S. Army sergeants.” He added the French “were terrified of them.”
In 2003, the United States listed the NCRI as a terrorist organization and closed its Washington office. U.S. forces in Iraq captured the MEK’s weapons and turned the MEK over for investigation of terrorist acts. Since then, the group has been picking off Iranian nuclear scientists one by one.
When ISSSource asked Paul Pillar, a 28-year CIA veteran whether Israel was killing secondary or tertiary scientists instead of its major ones, he replied, “Israel kills any Iranians it can.” Since 2007, five Iranian nuclear scientists have been killed in Iranian territory, many victims dying from magnetic bombs that terrorists had attached to the exterior of their cars.
The damage caused by the MEK is not confined to killing individuals. On Oct. 12, 2011, just before Iranian President Mahmoud Ahmadinejad was to arrive in Lebanon, a huge blast destroyed an underground site near the town of Khorramabad in western Iran that housed most of Iran’s Shehab-3 medium-range missiles capable of reaching Israel and Iraq. A far right wing Israeli website, Debka, reported Iran suffered a “devastating blow” to its nuclear program. The blast killed 18 and wounded several more.
Former and serving U.S. officials both fingered the MEK as the killers. One such official said “computer manipulations,” caused the blast. They said the spies inside Iran had the access, the contacts, the positions and technical skill to do the job. “Given the seriousness of the impact on Iran’s (nuclear) program, we believe it took a human agent to spread the virus,” said one former U.S. intelligence source.
Meanwhile, going back to Stuxnet, once the memory stick was infected, the virus was able to infiltrate the network and take over the system. U.S. officials said they believe the infection commenced when the user simply clicked on the associated icon in Windows. Several reports pointed out this was a direct application of one of the zero-day vulnerabilities Stuxnet leveraged.
Building and deploying Stuxnet required extremely detailed intelligence about the systems it was supposed to compromise, and has made reprogramming highly specific installations on legacy systems more complex, not less. According to reports, the Stuxnet mystery was unveiled in June 2010, when a small company called VirusBlokAda in Minsk, the capital of Belarus was emailed by a dealer in Tehran about an irritating problem some of his clients were having with their computers.
The company analyst saw the computers were constantly turning off and restarting. At first the analyst thought it was just a problem with the hardware. But when they said several computers were affected, not just one, VirusBlokAda understood it was a problem with the software the computers were running.
U.S. officials confirmed Stuxnet takes advantage of zero-day vulnerabilities. This type of virus had been previously undetected, and remained unidentified by anti-virus software. According to public reports, early versions of Stuxnet used certificates by Realtek Semiconductor systems – later versions used certificates from JMicron Technology Corp. The use of these certificates gives the worm the appearance of legitimate software to Microsoft Windows.
In a report, Symantec said yes, Stuxnet was “splattered” far and wide, but it only executed its damaging payload where it was supposed to. The virus was so efficient that it could deliver its payload only to the designated target, and would not damage adjacent machines. Another expert, a former CIA official, likened it to a flu virus that only makes one family sick. Stuxnet was designed for sabotage, not crime.
It is interesting to note Stuxnet was not the first virus used by the U.S. military intelligence to try and disable opponents. In the 1980s, the United States had considerable success at planting viruses inside Soviet military-industrial structure that could be activated in time of war, a process still continuing with China. “We put in bugs inside the Soviet computers to feed back satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.
In December 1991, just before Desert Storm, the CIA and the British Government Communication Headquarters (GCHQ) had experimented with all sorts of viruses to inject into Iraq’s computers. In December, CIA operatives, working in Jordan, infiltrated bugs into hardware smuggled across the border and into Baghdad.
Once in place, NSA and GCHQ believed the virus would spread like a virulent cancer through the Iraqi Command and Control system, infecting every computer system it came across. But before the virus had reached its target, the air war began. U.S. planes destroyed Saddam’s command and control network, including the buildings where the infected computer hardware had been so successfully inserted. As a result, one of the most successful intelligence operations of the war was buried beneath the rubble. “The intelligence people were very pissed — all that work for nothing,” said a former senior DoD official.
Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
Wednesday, April 4, 2012 @ 01:04 PM gHale
Version 4.1 of the Cyber Security Evaluation Tool (CSET) is now available for download, said officials at the Department of Homeland Security (DHS) Control Systems Security Program (CSSP).
CSET is a DHS product that assists organizations in protecting their key national cyber assets. This new version of the tool is on the CSSP website.
RELATED STORIES
Adobe Offers Malware Tool
Updated DHS Cyber Security Tool
Threat Alert Reaches New High
DoD Readies for Stuxnet-like Attack
Cyber Report: Bad Guys Winning
Security Best Practices will Cut Downtime
CSET Version 4.1 provides users with the option of creating or modifying their network diagram in Microsoft Visio. This new functionality supplies a Visio stencil with network shapes recognized by CSET.
CSET imports the Visio diagram, assigns questions to the included components, and looks for general network vulnerabilities as if the diagram had been created within CSET itself. In addition, a diagram export function from CSET to Visio is also available.
Developed under the direction of the DHS’ NCSD by cyber security experts and with assistance from the National Institute of Standards and Technology (NIST), this tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes high-level and detailed questions related to all industrial control and IT systems.
CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.
The output from CSET ends up as a prioritized list of recommendations for improving the cyber security posture of the organization’s enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cyber security standards, guidelines, and practices. Each recommendation links to a set of actions that can apply to enhance cyber security controls.
Designed for easy installation and use on a stand-alone laptop or workstation, CSET incorporates a variety of available standards from organizations such as NIST, North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to answer.
The answers to these questions will the compare against a selected security assurance level, and a detailed report will show areas for potential improvement. CSET provides a means to perform a self-assessment of the security posture of your control system environment.
Wednesday, March 28, 2012 @ 10:03 AM gHale
The head of the U.S. military’s Cyber Command and National Security Agency, saw what seemed like never ending cyber storms on the horizon with mounting challenges to the Defense Department’s and nation’s IT systems.
“In framing my comments on our progress at Cyber Command, I have to begin by noting a worrisome fact: Cyberspace is becoming more dangerous,” Army Gen. Keith Alexander said in testimony delivered to the House Armed Services Subcommittee on Emerging Threats and Capabilities.
RELATED STORIES
System Security: IT Not So Sure
Security Wags: Network Resistance Futile
Data Breaches Focus on Money: Study
Agile Hackers will Break Security
At that same hearing on President Obama’s $37 billion Defense Department IT budget request, which includes $3.4 billion for IT security, DoD Chief Information Officer Teresa Takai said the department will employ a two-prong approach – securing the perimeter as well as the data — as information and services move to standardized cloud computing platforms. “We’re going to be able to better protect as we get more standardized,” Takai said.
DoD’s cloud initiative is part of the department’s consolidation of data centers, from more than 770 to 655 in less than two years. “Core data centers will be used for information services and applications that must be available broadly across DoD, and for the department’s outward-facing applications and services required for interaction with industry and the public,” Takai said. “These will, in fact, become the initial DoD cloud computing instantiation.”
As DoD fortifies its cloud offerings, Takai recognizes breaches will occur. “We need to be able to protect at the information level,” she said. “That is why we’re focusing very much on identity management so we know who is in the cloud. And, we’re also linking that to what information that particular individual has access. It’s really both of those that gives us assurance so that as we move to that kind of an architecture, we will be able to better protect our information.”
“The IT infrastructure of the future – the STIn (Security Technical Implementation) virtual cloud environment – will make it a much more defensible architecture,” Alexander said. “I think that’s the key to the future.”
Addressing the cyber threats the nation faces, Alexander characterized them as three-fold:
1. Exploitation, such as the theft of intellectual property
2. Disruption, such as the distributed denial of service attacks that disabled government IT in Estonia and neighboring nations
3. Destruction. “What we’re concerned about is shifting from exploitation to disruptive attacks to destructive attacks,” Alexander said. “Those attacks that could destroy equipment are on the horizon and we have to be prepared for them.”
It’s not that cyber protection advances have not occurred over the past year. Alexander said organizations are better in identifying botnets, although he quickly added that didn’t mean the computing environment is getting safer. “Now, the more sophisticated cyber criminals are shifting toward stealthier, targeted thefts of sensitive data they can sell … targeting (organizations) with similar malware, often spread by clever phishing emails that hit an information security system at its weakest point — the user,” he said.
Subcommittee Chairman Mac Thornberry, the Texas Republican who leads House cyber security efforts, lamented the deteriorating security in cyberspace. “Despite the successes of Cyber Command over the past year, which I do not discount, it still seems to me that the dangers to our nation in cyberspace are growing faster than our ability to protect the country,” he said.
The panel’s ranking Democrat, Jim Langevin of Rhode Island, said that despite increased awareness of cyber vulnerabilities, many in the public and Congress don’t fully recognize the potential for damage posed by a breached or disrupted network.
“Real and potential adversaries can and do learn a great deal about our personnel, procedures and deployments by monitoring the use that our people make of popular social media,” he said. “As our military goes wireless, these threats to our weapons systems, communications, databases and personnel demand attention.”