Defense Dept. Vulnerable to Cyber Attacks, Lawmakers Hear
Cyberspace is a “tough neighborhood” full of accidents, glitches, and attacks, a former member of the White House’s National Security Council told lawmakers Thurs. The Defense Dept. faces several serious challenges concerning information assurance and data superiority, House Armed Services Committee members heard.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Paul Kurtz, who now heads the Cyber Security Industry Alliance (CSIA), said critical issues requiring attention include: (1) Securing war fighting and defense capabilities and operations that depend on privately owned and operated information infrastructure, and hardware and software produced around the globe. (2) The need to build and support an information infrastructure that’s resilient and can operate under duress or attack. (3) DoD’s role of protecting, defending and responding to a cyber incident of “national significance” that doesn’t involve assets critical to its operations or under its immediate control. (4) The absence of a national policy to assure the security of critical U.S. information technology and telecommunications infrastructures.
Significant disruptions occur daily, Kurtz told lawmakers in prepared testimony, citing the case of a major backbone provider that suffered last weekend a complete outage caused by an error in router configuration. While the incident was not an attack, restoration of the system required “powering down” routers and bringing them back online slowly, Kurtz said. Attacks are accelerating and becoming more sophisticated, he said. In 1999, the Melissa virus took 3 days to spread across the Internet -- but now the world is faced with “zero day attacks,” giving security experts little or no time to react, Kurtz said. “We must plan for the unexpected and think the unthinkable. Just because a massive attack has not happened doesn’t mean it will not occur.”
The govt. must also examine insidious attacks. The manipulation or corruption of data involving the altering target sets, soldiers’ blood types or scrambled logistics orders sending supplies to the wrong places before a critical deployment, are examples of hacks that could be “catastrophic and difficult to untangle,” Kurtz said. Meanwhile, technology is changing rapidly -- and to complicate matters, other countries are starting to understand the critical importance of the information infrastructure, as evidenced by the growing political battle over Internet governance, he said.
DoD’s dependence on privately owned and operated networks is also a key concern, lawmakers heard. Since DoD shares its information infrastructure backbone with the private sector, the same attacks that disrupt corporate networks can affect DoD systems, Kurtz said. Besides, the vast majority of IT products the agency uses are manufactured by vendors with facilities and personnel from around the world. It’s not feasible to build an “air gapped ‘parallel universe'” and given the global economy, it’s not advisable to block the sale of particular assets to foreign parties, he said. Procurement process rigor and a solid information assurance program will help safeguard critical systems, Kurtz said. But this can only happen by escalating the criticality of information assurance within DoD and partnering with the private sector. “Such a program must involve the triad of people, process and technology,” he said.
A Presidential directive is needed to set a national policy to ensure the critical IT security and telecom infrastructures are secure, Kurtz said. Such a directive would also better organize the roles and responsibilities of all of govt.-related players involved in information security. At least 8 agencies and departments. address pieces of the problem and several have overlapping responsibilities and membership, he said.
Purdue U. professor Eugene Spafford offered a slew of recommendations for govt. in his written testimony, including several for Congress: (1) Increase the priority and funding for security and IT protection research. (2) Let security system designers and operators have a say in making sure their needs aren’t trumped by arbitrary purchasing decisions. (3) Provide more support for govt. investigators who track malware and support the investigation and prosecution of those who write malicious code and attack systems. (4) Reconsider laws, including the Digital Millennium Copyright Act, that criminalize technology instead of behavior.