“We are experiencing damaging penetrations — damaging in the sense of loss of information. And we don’t fully understand our vulnerabilities,” [James] Miller said.
The above is a quote from Dr. James N. Miller, Principal Deputy Under Secretary of Defense for Policy, posted in a Reuters article covering a forum on cyber warfare hosted by Ogilvy Exchange. The Government Computer News article about the same forum quotes him as saying,
“The cyber threat has outpaced our ability to defend against it,” he said. “We still are learning” the extent of our dependency on these networks and the scope of the threats against them. “We still see significant gaps and vulnerabilities. We don’t fully understand them, but we’re learning.”
Who, exactly, are the “we” he is referring to? There are many within the U.S. government and the Department of Defense who know exactly where they are vulnerable, why they are vulnerable, the real threat associated with the millions of probes/scans he refers to in the article, and what can be done to improve the security posture of networks and computers. They have known about these things for many years.
After reading the Reuters and GCN news stories, there are some important things you should know:
1. In 2004, eEye Digital Security was contracted to provide vulnerability assessment, management and remediation services to the DoD. eEye’s Retina vulnerability scanning software and online training to use the software are provided free of charge. Organizations are required to scan their computers and networks every month for vulnerabilities.
2. Department of Defense Directive 8570.1 was signed on August 15, 2004. This directive requires every military service member, civilian and defense contractor with privileged access to a DoD system to obtain a commercial security certification (DoD 8570.1-M). That was almost six years ago.
3. Many systems are intentionally not patched for weeks or months after a patch is released, despite the fact that a directive is issued to apply the patch by a certain date.
4. People blindly open email and attachments they receive from people they don’t know, who have crafted creative subject lines or messages that entice people to take specific actions resulting in compromise of a system or their personal information. Are people actually paying attention when they view the annually mandated computer security awareness training? Anti-spam and anti-malware software filters are not catching everything.
5. People are surfing potentially hostile Websites that have nothing to do with government or defense business. The effectiveness of Web content management systems is not being audited and adjusted based on people’s behavior, and as a result, people are able to continue surfing potentially hostile Websites. What’s happened to the policy of restricting government computer use to official government business? See computer security awareness training.
6. Many system administrators and security personnel don’t know how to detect unauthorized network activity or compromised systems. They don’t have the right tools or skills to do the job. In some cases, even “trained” security personnel are unable to find evidence of compromise on systems that they are told are compromised. It takes more than a wall full of framed certifications to catch professional hackers.
7. Although Joint Task Force – Global Network Operations (JTF-GNO) CTO 07-12 mandated the implementation of the DoD’s Host-Based Security System (HBSS) over three years ago, with a deadline of the third quarter of 2008, it has yet to be fully deployed or implemented. (Sorry, I couldn’t find better references that are accessible; there is more info here.)
And the list goes on and on…
As I pondered in my blog post about the CNCI, do U.S. government officials really know what’s going on beyond what they’re being told? Do any of the decision makers in the White House or Congress have any direct experience doing computer security work? Do they really understand the threat, or do they just think they understand the threat? Do they really understand what U.S. Cyber Command can and cannot achieve?