[LINK] US Gov in cyber fight but can't keep up
stephen at melbpc.org.au
stephen at melbpc.org.au
Fri Jun 17 04:13:51 AEST 2011
Special report: Government in cyber fight but can't keep up
By Phil Stewart, Diane Bartz, Jim Wolf and Jeff Mason | Thu Jun 16, 2011
<http://www.reuters.com/article/2011/06/16/us-usa-cybersecurity-
idUSTRE75F4YG20110616?feedType=nl&feedName=ustopnewsafternoon>
WASHINGTON (Reuters) - The Pentagon is about to roll out an expanded
effort to safeguard its contractors from hackers.
It's building a virtual firing range in cyberspace to test new
technologies, according to officials familiar with the plans, as a recent
wave of cyber attacks boosts concerns about U.S. vulnerability to digital
warfare.
The twin efforts show how President Barack Obama's administration is
racing on multiple fronts to plug the holes in U.S. cyber defenses.
Notwithstanding the military's efforts, however, the overall gap appears
to be widening, as adversaries and criminals move faster than government
and corporations, and technologies such as mobile applications for smart
phones proliferate more rapidly than policymakers can respond, officials
and analysts said.
A Reuters examination of American cyber readiness produced the following
findings:
* Spin-offs of the malicious code dubbed "agent.btz" used to attack the
military's U.S. Central Command in 2008 are still roiling U.S. networks
today. People inside and outside the U.S. government strongly suspect
Russia was behind the attack, which was the most significant known breach
of military networks.
* There are serious questions about the security of "cloud computing,"
even as the U.S. government prepares to embrace that technology in a big
way for its cost savings.
* The U.S. electrical grid and other critical nodes are still vulnerable
to cyber attack, 13 years after then-President Bill Clinton declared that
protecting critical infrastructure was a national priority.
* While some progress has been made in coordinating among government
agencies with different missions, and across the public-private sector
gap, much remains to be done.
* Government officials say one of the things they fear most is a so-
called "zero-day attack," exploiting a vulnerability unknown to the
software developer until the strike hits.
That's the technique that was used by the Stuxnet worm that snarled
Iran's enriched uranium-producing centrifuges last summer, and which many
experts say may have been created by the United States or Israel.
A mere 12 months later, would-be hackers can readily find digital tool
kits for building Stuxnet-like weapons on the Internet, according to a
private-sector expert who requested anonymity.
"We're much better off (technologically) than we were a few years ago,
but we have not kept pace with opponents," said Jim Lewis, a cyber expert
with the Center for Strategic and International Studies think tank.
"The network is so deeply flawed that it can't be secured."
"IT'S LIKE AN INSECT INFESTATION"
In recent months hackers have broken into the SecurID tokens used by
millions of people, targeting data from defense contractors Lockheed
Martin, L3 and almost certainly others; launched a sophisticated strike
on the International Monetary Fund; and breached digital barriers to grab
account information from Sony, Google, Citigroup and a long list of
others.
The latest high-profile victims were the public websites of the CIA and
the U.S. Senate - whose committees are drafting legislation to improve
coordination of cyber defenses.
Terabytes of data are flying out the door, and billions of dollars are
lost in remediation costs and reputational harm, government and private
security experts said in interviews.
The head of the U.S. military's Cyber Command, General Keith Alexander,
has estimated that Pentagon computer systems are probed by would-be
assailants 250,000 times each hour.
Cyber intrusions are now a fact of life, and a widely accepted cost of
doing business.
"We don't treat it as if it's here today, gone tomorrow," said Jay
Opperman, Comcast Corp.'s senior director of security and privacy. "It's
like an insect infestation. Once you've got it, you never get rid of it."
The private-sector expert who requested anonymity said a top official at
a major Internet service provider told him that he knew his network had
been infiltrated by elite hackers. He could digitally kick them out - but
that would risk provoking a debilitating counter-attack.
"THE THING ... THAT KEEPS ME UP AT NIGHT"
The idea behind the soon-to-be-announced Pentagon program for defense
contractors is to boost information-sharing with the Defense Department
on cyber threats. It also aims to speed reporting of attacks on firms
that make up what the Pentagon calls the Defense Industrial Base.
The DIB, as it is sometimes known, provides the Defense Department some
$400 billion a year in arms, supplies and other services. The new program
is voluntary and builds on a smaller pilot, reflecting the persistent
challenge of regulating private firms that traditionally shield
proprietary data and often downplay cyber setbacks.
Ultimately, the new program may lead to agreement to put at least some
Pentagon contractors behind military-grade network perimeter defenses,
such as those that protect the Pentagon's own classified networks.
On another front, the Pentagon's far-out research arm, the Defense
Advanced Research Projects Agency, is expected to launch by mid-2012 the
National Cyber Range, a kind of replica of the Internet costing an
estimated $130 million that would be used to test cutting-edge cyber
defense technologies and help train cyber warriors.
The Obama administration has made cyber security a national priority, and
tried to fashion an "all-government response" that imposes order on the
competing domains and priorities of the Pentagon, FBI, Department of
Homeland Security, the super-secret National Security Agency and the
private sector.
"We're far better prepared than we've ever been before," said White House
cybersecurity coordinator Howard Schmidt.
"Notwithstanding all the threats that we see out there, the things that
are making news on a regular basis about a company that's been intruded
upon ... (look at) how much the system still runs," Schmidt told Reuters
in an interview.
The key, Schmidt said, is resiliency, "to make sure that we're better
prepared, to make sure that the disruptions when they do occur are
minimum - we're able to recover from them."
Still, he said major worries remain. "The thing that I worry about that
keeps me up at night is the unknown vulnerability that may exist out
there."
Some officials are even less sanguine.
The Pentagon's computer systems are widely considered to be better
protected than other U.S. government agencies', and far safer than the
private sector's.
Still, a U.S. defense official told Reuters he would give the Pentagon
just a "C+" grade overall for its cyber defenses. "We're not impervious
to attack by any stretch, but nor are we 'open kimono'," the official
said. He added: "And we're getting better."
WHAT IS 'CYBER'?
Experts say that one of the toughest challenges of cyber defense is,
oddly, definitions. What constitutes "cyber"? Computers and digital
networks, certainly. But how about digitized pictures or video streams
from a pilotless Predator drone flying over Pakistan?
Who is responsible for protecting what? Where does national security
begin and privacy end?
"The other big problem is lack of policy," said one former U.S.
official. "(We) lack policy because we lack consensus. We lack consensus
because we haven't had an informed debate. We lack an informed debate
because we don't have a common pool of data. And we don't have a common
pool of data because we don't share it."
Nowhere is the problem more acute than in thinking about cyber warfare.
What constitutes an act of war in cyberspace? And how do you determine
who it was that fired the shot?
U.S. military officials, eager to talk about how the Pentagon has boosted
computer defenses, clam up when the topic turns to offensive capabilities.
The Pentagon has put together a classified list of its cyber capabilities
so policymakers know their options - just as it does for more
conventional weapons.
Offensive actions against foreign systems would require White House
authorization. But the Pentagon does not need special approval to do the
kind of cyber surveillance work that can identify vulnerabilities in
foreign networks, a U.S. official told Reuters, speaking on condition of
anonymity.
That includes leaving hidden digital "beacons" inside adversaries'
networks that could be used to pinpoint future targets. The beacons can
phone home to tell U.S. military computers that they are still
operational, the official said.
While the United States is trying to apply conventional military logic to
the cyber realm, there is no global consensus about the rules of cyber
war. A Pentagon report due out toward the end of the month is not
expected to articulate case-by-case possibilities of when a cyber war
could turn into a real one.
INTO THE CLOUD
Even as such policy debates rage, the technological landscape is being
remade, seemingly by the month, posing new challenges - and
opportunities. Tens of thousands of mobile applications for smartphones
and tablet computers represent new vectors for hacks and attacks.
"The quick answer is we haven't been doing enough and we're semi-late to
the game" on protecting mobile applications, said Rear Admiral Mike
Brown, a senior Department of Homeland Security cyber security official.
U.S. government agencies are working with major commercial vendors "to
start looking together at how to address the issues of mobile
vulnerabilities," Brown said at a symposium sponsored by Symantec Corp.
Meanwhile, the U.S. federal government is planning to move in a big way
into "cloud computing," in which off-site providers offer network and
storage resources accessible remotely from a variety of computing
platforms.
Potential cost savings are significant. Handled correctly, computing
clouds could offer added security, specialists say. But there are also
risks.
A study released in April by CA Technologies and the Michigan-based
Ponemon Institute contained alarming findings.
Based on a survey of 103 U.S. and 24 European cloud computing providers,
it found that a majority did not view security of their services as a
competitive advantage, and believed that security was their customers'
responsibility, not theirs.
Most did not have dedicated security personnel on staff.
Deputy Defense Secretary William Lynn met Google executives in California
in mid-February to discuss cloud computing. On May 19, Lynn instructed
the Pentagon's Defense Science Board to study the benefits and risks of
cloud computing, "paying particular attention to attacks on
communications that would destroy or delay delivery of services and
information for time-critical uses."
Lynn told Reuters that "cloud computing has the potential to offer
greater capability at equal or lesser costs." He added: "I want to make
sure we are taking full advantage of these advanced technologies."
The Pentagon is preparing a cloud computing strategy, which it expects to
complete by the end of the summer, a U.S. defense official told Reuters.
"We're trying to get to the place where warfighters or any of us can get
to our information from anywhere on the planet, with any device," the
official said.
Schmidt, the White House coordinator, said as many as 170 security
controls are being built into government cloud computing projects from
the start. "It's not deploying something and securing it later. We're
setting the requirements at the outset."
"I'M NOT CONFIDENT THAT WE WOULD KNOW..."
So how safe are the computer networks of the United States, which perhaps
more than any nation relies on them for banking, electric power and other
basics of modern civilization?
In May 1998, then-President Clinton signed Presidential Decision
Directive 63, calling for a "reliable, interconnected, and secure"
network by 2003, and establishing a national coordinator for protecting
critical infrastructure.
The Department of Homeland Security now has lead responsibility for
protecting the power grid. Yet, as with almost everything involving
cyber, it's not quite that simple.
If there were a cyber attack on the power grid today, "I'm not confident
that we would know what parts of the government should respond," said one
former U.S. official, who asked not to be identified. "Who jumps in
there? DHS, DoD, Cyber Command, NSA, the intelligence community?"
"So nothing's really happened." said former Pentagon general counsel
Judith Miller, talking about grid vulnerability at a cyber event in
Washington this month.
"This is a discussion we had in the 1990s. We're having it right now.
Nothing really has changed, although perhaps the ability of attackers,
whether they're nation states or just kids, has grown apace," she said.
A central conundrum is that the Pentagon's National Security Agency,
which specializes in electronic eavesdropping, has personnel with the
best cyber skills, but has been until recently mostly shut out of
protecting domestic networks. That's due to the highly classified nature
of the NSA's work, and fears that it will stray into domestic spying.
Another complicating factor: the 1878 Posse Comitatus Act, which
generally bars federal military personnel from acting in a law-
enforcement capacity within the United States, except where expressly
authorized by Congress.
"NSA has a long history in cyber security, on both the offensive and the
defensive sides. It has great resources and expertise. But it makes
privacy advocates nervous," said Stewart Baker, a former DHS official now
at the law firm Steptoe and Johnson LLP.
Last October, the Defense Department and Homeland Security - responsible
for protecting civilian U.S. government networks - signed a memorandum to
cooperate, with the NSA sharing technology and the agencies swapping
personnel.
The effort has gotten mixed reviews. Schmidt said that early reports of
inter-agency tension have dissipated, and Representative James Langevin,
a member of the House intelligence committee, said DHS is improving. "I
don't think that they're there yet but we're moving in the right
direction," he said.
However other experts, who would not be quoted for the record, said the
gap between the two agencies remains wide.
Even if the NSA, DHS and other agencies worked together seamlessly, the
problem remains of coaxing industries in critical infrastructure to
accept more government regulation.
"There's absolutely no question that the power companies and indeed state
regulators have been unenthusiastic about a federal role," Baker said. He
added this warning: "The regulation that would pass after a disaster is a
lot worse than they would get right now."
And then there's the Stuxnet-like "zero day" attack, exploiting a flaw no
one knew existed, perhaps tucked into some off-the-shelf software like
that purchased daily by federal agencies.
"Our largest fear ... is the zero day attack," said Sherrill Nicely, the
CIA's deputy chief information officer. "It's very, very, very difficult
to protect oneself from an attack that you did not know was coming or the
vulnerability that you did not know existed."
(Additional reporting by Jeremy Pelofsky and Warren Strobel; Writing by
Warren Strobel; Editing by Kristin Roberts and Claudia Parsons)
--
Cheers,
Stephen
'
Message sent using MelbPC WebMail Server
More information about the Link
mailing list