[ISN] Security experts question DOD cybersecurity

From: InfoSec News (isnat_private)
Date: Thu Jul 24 2003 - 23:10:24 PDT

  • Next message: InfoSec News: "[ISN] Malaysia permits text message divorce"

    Forwarded from: William Knowles <wkat_private>
    [GAO report on DOD security released July 24, 2003
    http://www.gao.gov/new.items/d031037t.pdf  - WK]
    By Grant Gross
    IDG News Service 
    July 24, 2003 
    WASHINGTON - The U.S. Department of Defense (DOD) relies too much on 
    commercial software, doesn't know who is creating the software, and 
    faces other significant cybersecurity problems, witnesses told a U.S. 
    House of Representatives subcommittee Thursday. 
    The U.S. military's use of commercial, off-the-shelf software has 
    yielded fast improvements in software and cost-savings benefits for 
    U.S. taxpayers over the last 20 years, but such software has its 
    downside, said Professor Eugene Spafford, director of the Center for 
    Education and Research in Information Assurance and Security at Purdue 
    "Most of those products are not written to be used in an environment 
    where there is a significant threat," Spafford told the House Armed 
    Services Committee's Subcommittee on Terrorism, Unconventional Threats 
    and Capabilities. "We have ... attacks being committed by hackers, by 
    anarchists, by criminals, probably by foreign intelligence services. 
    The (commercial) products have not been designed to be reliable or 
    robust under those kinds of circumstances." 
    As the subcommittee attempted to assess the cybersecurity programs at 
    the DOD, Spafford and Robert Dacey, director of the Information 
    Technology Team at the U.S. General Accounting Office (GAO), both 
    raised questions about cybersecurity efforts in the U.S. military. 
    In addition to relying on too much commercial software, the DOD uses 
    the same software across many of its systems, forming a "near 
    mono-culture," Spafford added, without naming any software packages. 
    Common software products suffered about 2,000 vulnerabilities last 
    year, he said. 
    "When a new attack is found that has affected any one of these 
    products, it seeps through the entire network," he said. "Operators of 
    systems may be in the position of applying three to five security 
    critical patches per week for every system under their control. That 
    really is unacceptable for us to be in a state of high readiness." 
    But Scott Charney, chief security strategist for Microsoft Corp., said 
    homogeneous software systems also have their advantages. It's easier 
    to train systems administrators on one piece of software than on 
    multiple products, he said, and patching can happen faster if an 
    agency has just one product to patch. 
    "Reasonable minds are debating whether a homogeneous environment or a 
    heterogeneous environment is better for decreasing risk," Charney 
    said. "The advantage of a homogeneous environment, or more of a 
    mono-culture, is it's much easier to manage. You train your people in 
    a particular system, and they manage that system, they know all the 
    security settings, you run tools to make sure they lock it down." 
    The GAO's Dacey highlighted cybersecurity weaknesses identified in DOD 
    reports on fiscal year 2002. The DOD, he said, has concerns about the 
    amount of time necessary for correcting reported vulnerabilities, 
    about training all its network workers, and about ensuring that 
    computer security policies are distributed quickly. Other DOD concerns 
    include the lack of comprehensive testing of cybersecurity policies 
    and increasing the use of authentication certificates to aid 
    But the DOD has at least acknowledged those problems, Dacey added. 
    "DOD has been at the forefront of many information security 
    initiatives in the federal government," he said. 
    Robert Lentz, director of information assurance at the DOD, said the 
    agency is making "significant progress" in protecting its information 
    networks. The agency is complying with cybersecurity policies required 
    by the Federal Information Security Management Act of 2002, he said, 
    and it is working from a cybersecurity roadmap that includes major 
    goals of defending systems and networks, focusing on research, and 
    protecting information. 
    "This means that all information must be protected from end to end, 
    and through its lifecycle, from the most sensitive nuclear command and 
    control to business transactions," Lentz said. 
    Last year, the DOD successfully defended against 50,000 attempts to 
    gain root level access on its computers, Lentz said.
    While Lentz defended the DOD's cybersecurity efforts, Spafford 
    questioned the DOD's use of commercial software that's often produced 
    outside the U.S. "Much of this software, an increasing amount of this 
    software, is being written by individuals we would not allow into the 
    environments where it's operating," he said. "The reason for that is, 
    they're not U.S. citizens ... they don't have any kind of background 
    Outsourcing software development is good for the world economy and 
    good for U.S. software vendors trying to compete in the marketplace on 
    price, but using this software for computer systems containing 
    national security information may be questionable, Spafford said. 
    "It introduces a tremendous vulnerability to our systems," he said. 
    "The software is being developed, sometimes tens of millions of lines, 
    by individuals whose motivations and agendas may not be fully known." 
    Microsoft's Charney suggested that asking where a piece of software 
    was developed is the wrong question. Instead, purchasers of software 
    should ask if good quality assurance processes are in place to test 
    the software after the code has been written. 
    "One of the things you have to have is very rigorous processes in 
    place to examine the code," he said. "If you are getting components 
    from overseas and actually reviewing the quality of the component and 
    testing the component, you will know what's in your code." 
    Representative Roscoe Bartlett, a Maryland Republican, asked witnesses 
    what would happen to the U.S. military if all computer systems were 
    knocked out and unable to be brought back up again. A nuclear bomb set 
    off in the upper atmosphere could take out most communication 
    satellites, Bartlett said, and he questioned if the DOD had a backup 
    plan for such a scenario. 
    "Are we just through if our computer systems don't work?" he asked. 
    "Are we looking at what would happen if they went away and didn't come 
    Such a scenario seems unlikely, Spafford answered. "Taking out all the 
    computers would be a very difficult thing to do," he said. 
    Representatives Marty Meehan, a Massachusetts Democrat, and Joe 
    Wilson, a South Carolina Republican, both asked whether cyberterrorism 
    training camps exist. 
    Lentz offered to give representatives a classified briefing on such 
    activity, and Spafford suggested that tools available to the public 
    can instruct anyone on how to be a cyberterrorist. 
    "There are bulletin boards and discussion lists where techniques are 
    taught, where tools are available, so that anyone, even a juvenile, 
    spending a minimum amount of time online, is able to learn some very 
    sophisticated attack methodologies," Spafford. "We happen to have a 
    virtual worldwide training camp going on, on a regular basis, of 
    individuals with various motivations using these tools and 
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 01:58:56 PDT