[ISN] What's Brewin': Inside the world of defense information technology

From: InfoSec News (alerts@private)
Date: Mon Jul 30 2007 - 22:22:40 PDT


http://www.govexec.com/dailyfed/0707/072707bb1.htm

By Bob Brewin 
July 27, 2007  

Defense Net Attacks Should Be Countered With 'Disproportionate Response'

That's the advice contained in a little-noticed report, "The Defense 
Science Board (DSB) 2006 Summer Study on Information Management for 
Net-Centric Operations," which was released in April.

"Adversaries need to be assured that their attacks against U.S. 
information systems will be detected, that U.S. functionality will be 
restored," according to the report. "... and an adversary needs to know 
that the U.S. possesses powerful hard and soft-kill (cyberwarfare) means 
for attacking adversary information and command and support systems at 
all levels."

Attacks against U.S. information systems should be countered with 
"disproportionate response," the report said, adding that "every 
potential adversary, from nation states to rogue individuals, could be 
targets of an integrated offensive capability."

Any attack against a U.S. information system should be met with a 
counterattack that results in "highly undesirable consequences" for the 
attacker's systems.

I have a feeling this means more than cutting off access to MySpace or 
TMZ.com.


The Network's 'Soft Underbelly'

One reason for Defense to take such an aggressive response is that 
adversaries have recognized the increasing importance to the U.S. 
military of networks and information systems, which are built on 
commercial hardware, software and the Internet -- all of which are 
easily exploited, the DSB report goes on to say.

"There is ample evidence that U.S. adversaries have recognized this 
potential vulnerability and are aggressively developing doctrine, 
tactics and technology to attack this soft underbelly," the report 
added.

The current state of network and information system defense is so poor 
that it "will be considerably outmatched by a sophisticated, well 
resourced and motivated opponent," according to the report. Considering 
this, network and information system defense presents a "daunting" 
challenge, and "innovative application of offensive techniques to 
support defensive objectives shows great promise," the report said.

It's no surprise that, over the past few months, both the Army and Air 
Force have taken their offensive information warfare capabilities 
public.


The Offshore Problem

The United States doesn't manufacture much stuff, or even software, 
anymore. That's all done offshore, which creates another set of network 
vulnerabilities, the DSB report said.

Defense networks and information systems are patched together from 
commercial hardware and software "whose provenance is increasingly 
foreign," according to the report. "The complexity of both the 
microelectronic and software components is enormous. Consequently, the 
challenge of discovering malicious constructs introduced by an adversary 
through life-cycle opportunities is exceedingly difficult."

In plain English, this means that our reliance on low-cost software 
written in India and computers made in China threatens our national 
security. But, hey, this approach underpins myriad Silicon Valley 
fortunes.

I know most reports written in Washington end up quickly filed and 
forgotten. This one needs to be read and acted on.


But We Still Do It in the Clear

Despite the threats to Defense networks outlined by the DSB, military 
end users still don't take simple steps to protect the integrity of 
information sent over military systems, according to a briefing that 
Luanne Overstreet, acting director of the Joint Interoperability Test 
Command, presented last month to Air Force Lt. Gen. Charles Croom, 
director of the Defense Information Systems Agency.

Overstreet told Croom in a set of briefing slides, which magically made 
their way here to What's Brewin' Central, that in recent combatant 
command exercises, high-risk Internet services such as Telnet and file 
transfer were done in clear text and were easily intercepted.

Sometimes the best defense is not a good offense; rather, the best 
defense is ensuring that good defensive policies and procedures are 
followed. That probably includes making sure I don't get internal DISA 
slides.


Honey, We Shrunk the Navy

A high-level and "For Official Use Only" set of Navy briefing slides 
that inadvertently made it to the Internet shows that the service plans 
to shrink its active-duty force from 341,000 today to 322,000 by 2013. 
But that's OK, as high-tech ships of the future will only require half 
the crews of today's ships.

The slides show that the guided missile cruiser of 2023, the CG(X)71, 
will only require a crew of 150 versus the crew of 350 for one of 
today's cruisers, the USS Cape St. George.

The planned CG(X)71 will have sensor systems with a range of 500 miles 
and weapons systems with a range of 1,000 miles compared with a 256-mile 
range for the Cape St. George's sensors and 800 miles for its weapons 
systems.

The slides don't provide cost estimates for the CG(X)71, but as 
shipbuilding costs continue to spiral into the megabillion-dollar range, 
the Navy might be able to afford only one or two newfangled cruisers, 
unless it finds a way to control costs.


Health Data Sharing: It's the Politics

The President's Commission on Care for America's Returning Wounded 
Warriors wants the Military Health System and the Veterans Health 
Administration to develop within 12 months a Web-based portal that 
provides, at a glance, patients' health care and benefits information 
from the two departments' information systems.

I called a bunch of the likely inside-the-Beltway vendors to get their 
take on the complexity of the task, and ran into a wall. The technology 
part is not hard, I was told. The politics and battles between Defense 
and VA are the challenge. Therefore, no one wants to go on the record on 
what is viewed as a relatively easy bit of work.

Does this surprise anyone?


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jul 30 2007 - 22:31:27 PDT