http://www.govexec.com/dailyfed/0707/072707bb1.htm By Bob Brewin July 27, 2007 Defense Net Attacks Should Be Countered With 'Disproportionate Response' That's the advice contained in a little-noticed report, "The Defense Science Board (DSB) 2006 Summer Study on Information Management for Net-Centric Operations," which was released in April. "Adversaries need to be assured that their attacks against U.S. information systems will be detected, that U.S. functionality will be restored," according to the report. "... and an adversary needs to know that the U.S. possesses powerful hard and soft-kill (cyberwarfare) means for attacking adversary information and command and support systems at all levels." Attacks against U.S. information systems should be countered with "disproportionate response," the report said, adding that "every potential adversary, from nation states to rogue individuals, could be targets of an integrated offensive capability." Any attack against a U.S. information system should be met with a counterattack that results in "highly undesirable consequences" for the attacker's systems. I have a feeling this means more than cutting off access to MySpace or TMZ.com. The Network's 'Soft Underbelly' One reason for Defense to take such an aggressive response is that adversaries have recognized the increasing importance to the U.S. military of networks and information systems, which are built on commercial hardware, software and the Internet -- all of which are easily exploited, the DSB report goes on to say. "There is ample evidence that U.S. adversaries have recognized this potential vulnerability and are aggressively developing doctrine, tactics and technology to attack this soft underbelly," the report added. The current state of network and information system defense is so poor that it "will be considerably outmatched by a sophisticated, well resourced and motivated opponent," according to the report. Considering this, network and information system defense presents a "daunting" challenge, and "innovative application of offensive techniques to support defensive objectives shows great promise," the report said. It's no surprise that, over the past few months, both the Army and Air Force have taken their offensive information warfare capabilities public. The Offshore Problem The United States doesn't manufacture much stuff, or even software, anymore. That's all done offshore, which creates another set of network vulnerabilities, the DSB report said. Defense networks and information systems are patched together from commercial hardware and software "whose provenance is increasingly foreign," according to the report. "The complexity of both the microelectronic and software components is enormous. Consequently, the challenge of discovering malicious constructs introduced by an adversary through life-cycle opportunities is exceedingly difficult." In plain English, this means that our reliance on low-cost software written in India and computers made in China threatens our national security. But, hey, this approach underpins myriad Silicon Valley fortunes. I know most reports written in Washington end up quickly filed and forgotten. This one needs to be read and acted on. But We Still Do It in the Clear Despite the threats to Defense networks outlined by the DSB, military end users still don't take simple steps to protect the integrity of information sent over military systems, according to a briefing that Luanne Overstreet, acting director of the Joint Interoperability Test Command, presented last month to Air Force Lt. Gen. Charles Croom, director of the Defense Information Systems Agency. Overstreet told Croom in a set of briefing slides, which magically made their way here to What's Brewin' Central, that in recent combatant command exercises, high-risk Internet services such as Telnet and file transfer were done in clear text and were easily intercepted. Sometimes the best defense is not a good offense; rather, the best defense is ensuring that good defensive policies and procedures are followed. That probably includes making sure I don't get internal DISA slides. Honey, We Shrunk the Navy A high-level and "For Official Use Only" set of Navy briefing slides that inadvertently made it to the Internet shows that the service plans to shrink its active-duty force from 341,000 today to 322,000 by 2013. But that's OK, as high-tech ships of the future will only require half the crews of today's ships. The slides show that the guided missile cruiser of 2023, the CG(X)71, will only require a crew of 150 versus the crew of 350 for one of today's cruisers, the USS Cape St. George. The planned CG(X)71 will have sensor systems with a range of 500 miles and weapons systems with a range of 1,000 miles compared with a 256-mile range for the Cape St. George's sensors and 800 miles for its weapons systems. The slides don't provide cost estimates for the CG(X)71, but as shipbuilding costs continue to spiral into the megabillion-dollar range, the Navy might be able to afford only one or two newfangled cruisers, unless it finds a way to control costs. Health Data Sharing: It's the Politics The President's Commission on Care for America's Returning Wounded Warriors wants the Military Health System and the Veterans Health Administration to develop within 12 months a Web-based portal that provides, at a glance, patients' health care and benefits information from the two departments' information systems. I called a bunch of the likely inside-the-Beltway vendors to get their take on the complexity of the task, and ran into a wall. The technology part is not hard, I was told. The politics and battles between Defense and VA are the challenge. Therefore, no one wants to go on the record on what is viewed as a relatively easy bit of work. Does this surprise anyone? _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 30 2007 - 22:31:27 PDT