[LINK] US Gov in cyber fight but can't keep up

stephen at melbpc.org.au
Fri Jun 17 04:13:51 AEST 2011


Special report: Government in cyber fight but can't keep up

By Phil Stewart, Diane Bartz, Jim Wolf and Jeff Mason | Thu Jun 16, 2011
<http://www.reuters.com/article/2011/06/16/us-usa-cybersecurity-idUSTRE75F4YG20110616?feedType=nl&feedName=ustopnewsafternoon>


WASHINGTON (Reuters) - The Pentagon is about to roll out an expanded 
effort to safeguard its contractors from hackers.

It's building a virtual firing range in cyberspace to test new 
technologies, according to officials familiar with the plans, as a recent 
wave of cyber attacks boosts concerns about U.S. vulnerability to digital 
warfare.

The twin efforts show how President Barack Obama's administration is 
racing on multiple fronts to plug the holes in U.S. cyber defenses.

Notwithstanding the military's efforts, however, the overall gap appears 
to be widening, as adversaries and criminals move faster than government 
and corporations, and technologies such as mobile applications for smart 
phones proliferate more rapidly than policymakers can respond, officials 
and analysts said.

A Reuters examination of American cyber readiness produced the following 
findings:

* Spin-offs of the malicious code dubbed "agent.btz" used to attack the 
military's U.S. Central Command in 2008 are still roiling U.S. networks 
today. People inside and outside the U.S. government strongly suspect 
Russia was behind the attack, which was the most significant known breach 
of military networks.

* There are serious questions about the security of "cloud computing," 
even as the U.S. government prepares to embrace that technology in a big 
way for its cost savings.

* The U.S. electrical grid and other critical nodes are still vulnerable 
to cyber attack, 13 years after then-President Bill Clinton declared that 
protecting critical infrastructure was a national priority.

* While some progress has been made in coordinating among government 
agencies with different missions, and across the public-private sector 
gap, much remains to be done.

* Government officials say one of the things they fear most is a so-
called "zero-day attack," exploiting a vulnerability unknown to the 
software developer until the strike hits.

That's the technique that was used by the Stuxnet worm that snarled 
Iran's enriched uranium-producing centrifuges last summer, and which many 
experts say may have been created by the United States or Israel. 

A mere 12 months later, would-be hackers can readily find digital tool 
kits for building Stuxnet-like weapons on the Internet, according to a 
private-sector expert who requested anonymity.

"We're much better off (technologically) than we were a few years ago, 
but we have not kept pace with opponents," said Jim Lewis, a cyber expert 
with the Center for Strategic and International Studies think tank. 

"The network is so deeply flawed that it can't be secured."

"IT'S LIKE AN INSECT INFESTATION"

In recent months hackers have broken into the SecurID tokens used by 
millions of people, targeting data from defense contractors Lockheed 
Martin, L3 and almost certainly others; launched a sophisticated strike 
on the International Monetary Fund; and breached digital barriers to grab 
account information from Sony, Google, Citigroup and a long list of 
others.

The latest high-profile victims were the public websites of the CIA and 
the U.S. Senate - whose committees are drafting legislation to improve 
coordination of cyber defenses.

Terabytes of data are flying out the door, and billions of dollars are 
lost in remediation costs and reputational harm, government and private 
security experts said in interviews. 

The head of the U.S. military's Cyber Command, General Keith Alexander, 
has estimated that Pentagon computer systems are probed by would-be 
assailants 250,000 times each hour.

Cyber intrusions are now a fact of life, and a widely accepted cost of 
doing business.

"We don't treat it as if it's here today, gone tomorrow," said Jay 
Opperman, Comcast Corp.'s senior director of security and privacy. "It's 
like an insect infestation. Once you've got it, you never get rid of it."

The private-sector expert who requested anonymity said a top official at 
a major Internet service provider told him that he knew his network had 
been infiltrated by elite hackers. He could digitally kick them out - but 
that would risk provoking a debilitating counter-attack.

"THE THING ... THAT KEEPS ME UP AT NIGHT"

The idea behind the soon-to-be-announced Pentagon program for defense 
contractors is to boost information-sharing with the Defense Department 
on cyber threats. It also aims to speed reporting of attacks on firms 
that make up what the Pentagon calls the Defense Industrial Base.

The DIB, as it is sometimes known, provides the Defense Department some 
$400 billion a year in arms, supplies and other services. The new program 
is voluntary and builds on a smaller pilot, reflecting the persistent 
challenge of regulating private firms that traditionally shield 
proprietary data and often downplay cyber setbacks.

Ultimately, the new program may lead to agreement to put at least some 
Pentagon contractors behind military-grade network perimeter defenses, 
such as those that protect the Pentagon's own classified networks.

On another front, the Pentagon's far-out research arm, the Defense 
Advanced Research Projects Agency, is expected to launch by mid-2012 the 
National Cyber Range, a kind of replica of the Internet costing an 
estimated $130 million that would be used to test cutting-edge cyber 
defense technologies and help train cyber warriors.

The Obama administration has made cyber security a national priority, and 
tried to fashion an "all-government response" that imposes order on the 
competing domains and priorities of the Pentagon, FBI, Department of 
Homeland Security, the super-secret National Security Agency and the 
private sector.

"We're far better prepared than we've ever been before," said White House 
cybersecurity coordinator Howard Schmidt.

"Notwithstanding all the threats that we see out there, the things that 
are making news on a regular basis about a company that's been intruded 
upon ... (look at) how much the system still runs," Schmidt told Reuters 
in an interview.

The key, Schmidt said, is resiliency, "to make sure that we're better 
prepared, to make sure that the disruptions when they do occur are 
minimum - we're able to recover from them."

Still, he said major worries remain. "The thing that I worry about that 
keeps me up at night is the unknown vulnerability that may exist out 
there."

Some officials are even less sanguine.

The Pentagon's computer systems are widely considered to be better 
protected than other U.S. government agencies', and far safer than the 
private sector's. 

Still, a U.S. defense official told Reuters he would give the Pentagon 
just a "C+" grade overall for its cyber defenses. "We're not impervious 
to attack by any stretch, but nor are we 'open kimono'," the official 
said. He added: "And we're getting better."

WHAT IS 'CYBER'?

Experts say that one of the toughest challenges of cyber defense is, 
oddly, definitions. What constitutes "cyber"? Computers and digital 
networks, certainly. But how about digitized pictures or video streams 
from a pilotless Predator drone flying over Pakistan?

Who is responsible for protecting what? Where does national security 
begin and privacy end?

"The other big problem is lack of policy," said one former U.S. 
official. "(We) lack policy because we lack consensus. We lack consensus 
because we haven't had an informed debate. We lack an informed debate 
because we don't have a common pool of data. And we don't have a common 
pool of data because we don't share it."

Nowhere is the problem more acute than in thinking about cyber warfare. 
What constitutes an act of war in cyberspace? And how do you determine 
who it was that fired the shot?

U.S. military officials, eager to talk about how the Pentagon has boosted 
computer defenses, clam up when the topic turns to offensive capabilities.

The Pentagon has put together a classified list of its cyber capabilities 
so policymakers know their options - just as it does for more 
conventional weapons.

Offensive actions against foreign systems would require White House 
authorization. But the Pentagon does not need special approval to do the 
kind of cyber surveillance work that can identify vulnerabilities in 
foreign networks, a U.S. official told Reuters, speaking on condition of 
anonymity.

That includes leaving hidden digital "beacons" inside adversaries' 
networks that could be used to pinpoint future targets. The beacons can 
phone home to tell U.S. military computers that they are still 
operational, the official said.

While the United States is trying to apply conventional military logic to 
the cyber realm, there is no global consensus about the rules of cyber 
war. A Pentagon report due out toward the end of the month is not 
expected to articulate case-by-case possibilities of when a cyber war 
could turn into a real one.

INTO THE CLOUD

Even as such policy debates rage, the technological landscape is being 
remade, seemingly by the month, posing new challenges - and 
opportunities. Tens of thousands of mobile applications for smartphones 
and tablet computers represent new vectors for hacks and attacks.

"The quick answer is we haven't been doing enough and we're semi-late to 
the game" on protecting mobile applications, said Rear Admiral Mike 
Brown, a senior Department of Homeland Security cyber security official.

U.S. government agencies are working with major commercial vendors "to 
start looking together at how to address the issues of mobile 
vulnerabilities," Brown said at a symposium sponsored by Symantec Corp.

Meanwhile, the U.S. federal government is planning to move in a big way 
into "cloud computing," in which off-site providers offer network and 
storage resources accessible remotely from a variety of computing 
platforms.

Potential cost savings are significant. Handled correctly, computing 
clouds could offer added security, specialists say. But there are also 
risks.

A study released in April by CA Technologies and the Michigan-based 
Ponemon Institute contained alarming findings. 

Based on a survey of 103 U.S. and 24 European cloud computing providers, 
it found that a majority did not view security of their services as a 
competitive advantage, and believed that security was their customers' 
responsibility, not theirs.

Most did not have dedicated security personnel on staff.

Deputy Defense Secretary William Lynn met Google executives in California 
in mid-February to discuss cloud computing. On May 19, Lynn instructed 
the Pentagon's Defense Science Board to study the benefits and risks of 
cloud computing, "paying particular attention to attacks on 
communications that would destroy or delay delivery of services and 
information for time-critical uses."

Lynn told Reuters that "cloud computing has the potential to offer 
greater capability at equal or lesser costs." He added: "I want to make 
sure we are taking full advantage of these advanced technologies."

The Pentagon is preparing a cloud computing strategy, which it expects to 
complete by the end of the summer, a U.S. defense official told Reuters.

"We're trying to get to the place where warfighters or any of us can get 
to our information from anywhere on the planet, with any device," the 
official said.

Schmidt, the White House coordinator, said as many as 170 security 
controls are being built into government cloud computing projects from 
the start. "It's not deploying something and securing it later. We're 
setting the requirements at the outset."

"I'M NOT CONFIDENT THAT WE WOULD KNOW..."

So how safe are the computer networks of the United States, which perhaps 
more than any nation relies on them for banking, electric power and other 
basics of modern civilization?

In May 1998, then-President Clinton signed Presidential Decision 
Directive 63, calling for a "reliable, interconnected, and secure" 
network by 2003, and establishing a national coordinator for protecting 
critical infrastructure.

The Department of Homeland Security now has lead responsibility for 
protecting the power grid. Yet, as with almost everything involving 
cyber, it's not quite that simple.

If there were a cyber attack on the power grid today, "I'm not confident 
that we would know what parts of the government should respond," said one 
former U.S. official, who asked not to be identified. "Who jumps in 
there? DHS, DoD, Cyber Command, NSA, the intelligence community?"

"So nothing's really happened," said former Pentagon general counsel 
Judith Miller, talking about grid vulnerability at a cyber event in 
Washington this month.

"This is a discussion we had in the 1990s. We're having it right now. 
Nothing really has changed, although perhaps the ability of attackers, 
whether they're nation states or just kids, has grown apace," she said.

A central conundrum is that the Pentagon's National Security Agency, 
which specializes in electronic eavesdropping, has personnel with the 
best cyber skills, but has been until recently mostly shut out of 
protecting domestic networks. That's due to the highly classified nature 
of the NSA's work, and fears that it will stray into domestic spying.

Another complicating factor: the 1878 Posse Comitatus Act, which 
generally bars federal military personnel from acting in a law-
enforcement capacity within the United States, except where expressly 
authorized by Congress.

"NSA has a long history in cyber security, on both the offensive and the 
defensive sides. It has great resources and expertise. But it makes 
privacy advocates nervous," said Stewart Baker, a former DHS official now 
at the law firm Steptoe and Johnson LLP.

Last October, the Defense Department and Homeland Security - responsible 
for protecting civilian U.S. government networks - signed a memorandum to 
cooperate, with the NSA sharing technology and the agencies swapping 
personnel.

The effort has gotten mixed reviews. Schmidt said that early reports of 
inter-agency tension have dissipated, and Representative James Langevin, 
a member of the House intelligence committee, said DHS is improving. "I 
don't think that they're there yet but we're moving in the right 
direction," he said.

However other experts, who would not be quoted for the record, said the 
gap between the two agencies remains wide.

Even if the NSA, DHS and other agencies worked together seamlessly, the 
problem remains of coaxing industries in critical infrastructure to 
accept more government regulation.

"There's absolutely no question that the power companies and indeed state 
regulators have been unenthusiastic about a federal role," Baker said. He 
added this warning: "The regulation that would pass after a disaster is a 
lot worse than they would get right now."

And then there's the Stuxnet-like "zero day" attack, exploiting a flaw no 
one knew existed, perhaps tucked into some off-the-shelf software like 
that purchased daily by federal agencies.

"Our largest fear ... is the zero day attack," said Sherrill Nicely, the 
CIA's deputy chief information officer. "It's very, very, very difficult 
to protect oneself from an attack that you did not know was coming or the 
vulnerability that you did not know existed."

(Additional reporting by Jeremy Pelofsky and Warren Strobel; Writing by 
Warren Strobel; Editing by Kristin Roberts and Claudia Parsons)

--

Cheers,
Stephen