The Complex

The cyber threats keeping DoD officials awake right now

What threat to the banks, utility companies, and telecommunications companies that make up the "critical online infrastructure" of the United States worries one of the Pentagon's top cyber officials more than almost any other?

You might think it is a strategic, Stuxnet on steroids-style cyber attack designed by a rival nation with deep pockets and lots of engineers to cripple American industry. While state-sponsored attacks remain a big threat to large corporations and the U.S. government, the cyber tools available to average hackers are increasing in potency at an alarming rate. The proliferation of tools allowing anyone to easily detect where a device connects to the Internet, combined with growing ability of private hackers to discover previously unknown vulnerabilities inherent in computer systems (called zero day exploits), now poses a large threat, according to Eric Rosenbach, deputy assistant secretary of defense for cyber policy.

"It's this combination of a program, which is essentially a Google-like browser on the Internet right now that allows you to scan for vulnerabilities in the industrial control systems in the U.S. and around the world, . . . that combined with the phenomena of these black market zero day exploits and malware tools that makes me extremely nervous," said Rosenbach during a Sept. 4 interview with Killer Apps, during which we also discussed the automation of cyber defense and the holy grail of cyber security.  "Because then it's not just a nation-state that wants to harm the U.S., but it could be a rogue group or some crazy individual that wants to leave their mark on history. The perspective on the vulnerabilities is there [for anyone to see], and some of the tools that you need to do it are there too. I think that is what worries us the most."

The program Rosenbach referred to is called Shodan; its website describes it as a search engine that allows users to find any device connected to the Internet -- whether that's a server, the controls of a power plant, or even a refrigerator.

Columbia University professor Abraham Wagner, who specializes on how technology has impacted national security, points out that there are already reports of hackers using Shodan to find weak spots in the programs, known as Supervisory Control and Data Acquisition (SCADA) systems, which control everything from an office building's air-conditioning to the speed at which a uranium-enrichment centrifuge in a nuclear plant spins.

"Tools like this certainly make hacking easier," wrote Wagner in a Sept. 13 email to Killer Apps. "The vulnerable systems are still in serious need of major security upgrades, and we are still in a ‘transitional' period where nobody seems willing to undertake the level of effort that is required. There is still an operative mentality that states it must be somebody else's problem to do it."

While basic cyber hygiene -- such as using tough-to-crack passwords and regularly updating a computer and network's security settings -- can thwart many attacks, Rosenbach doesn't think that private companies will take action until they have suffered too many costly cyber attacks, or the government can work with them to implement cyber security standards. The latter however, remains a tough nut to crack. In August, Republican senators shot down the latest attempt to legislate minimum cybersecurity standards for companies involved in maintaining critical infrastructure.

shodanhq.com

National Security

DoD looking to automate its cyberdefenses

What's the Pentagon's next big focus in cyber security technology? I'll give you a hint: it has to do with sifting through reams of data and deciding how to respond at incredibly high speeds. How do you do that? Automation.

The sheer volume of cyber security incidents that the Pentagon must monitor at any given time on its more than 15,000 networks is so staggering that the only way to manage the threat is to have a system that automatically detects suspicious software, quickly decides what type of threat it is, alerts the proper people as to its existence, and helps them figure out how to deal with it. Kind of like your antivirus software on steroids.

"As we're utilizing more and more automated tools to collect information on behavior on our networks, we can no longer analyze that or bring on, in a time of shrinking budgets, people to do that analysis," Teri Takai, DoD's chief information officer told Killer Apps on Sept. 4. "What we want to be able to move to is to use Big Data processes to be able to identify trends, to be continuously monitoring to feed Big Data and then, to get to the point where we are correcting and putting in place the measures to defend or prevent [attacks] without having to do that with people." (Big Data processes are the techniques aimed at managing and measuring the massive amounts of data -- hence "Big Data" -- produced everyday in the online world.)

That's right, the only way to handle the flood of network information is to automate it.

Sound familiar? That's because the Air Force has long said that it needs to turn to automated technology to make sense of the thousands of hours' worth of imagery collected by its drones every day. (Killer Apps reported on one of the air service's many initiatives to deal with this problem just last week.)

Automation "gives us a chance to keep up" with the onslaught of cyber attacks that are growing more sophisticated, and potentially more damaging, as they move from simple intrusions toward attacks aimed at disrupting information, taking over networks, or even damaging devices linked to a network, according to Takai.

This is all part of DoD's effort to stop playing cyber defense by building a massive , imaginary wall around its online information -- something that many cyber experts have said for years is a failing strategy since an enemy will always figure out how to breach a cyber wall.

"We're moving away from what I call protecting at the perimeter, which has been a posture that we've had," said Takai. "We have to recognize that we are big, we are going to have breaches -- both from the outside but also the insider threat -- and so the question is, how do we make our networks resilient so that even if we don't catch them [on the way into the network] that we have places within the network that we can pick up that behavior and not only pick it up but be able to correct it on the fly and to be able to take the necessary action to" deal with the attack.

The Pentagon is working to make its networks more resilient, meaning that the military can be assured that its most important online information is safe and usable even if networks are under attack. It is also moving to dramatically consolidate its thousands of networks -- a process designed to make managing and protecting its online infrastructure easier. Fewer networks mean fewer places to protect and fewer areas of vulnerability.

"Our systems are being attacked constantly, and we may not [always] be aware of it, we may not find the forensics on it for months afterwards because we can't see or get a good situational picture...of what's going on out there because we have 15,000 different networks in the Department of Defense and 400 different points of presence [places where a physical device connects to an online network] and many [are] boutique type configurations," said Marine Corps Maj. Gen. George Allen during an Aug. 16 speech at an AFCEA sponsored conference.

"We need to get down to one solid JIE-like construct," he said, referring to a consolidated group of cloud-based DoD networks, "so that we can actually see what we're doing and defend. One law of combat is, if you can't see the enemy, it's very difficult to figure out what's going on. You can't attack the enemy, you can't disrupt them, you can't block what's going on. That's one of the basic premises that we still don't have in our domain."

DoD wants to protect its networks "not just once but multiple times" on multiple levels, according to Takai. This means identifying which data is the most important and giving it elaborate protection measures and having numerous backup ways to transmit and store data if a normal data channel is attacked and compromised.

"If in fact, the commander suspects that he has any kind of a disruption or any kind of a breach that he can move to an alternate channel where he has perhaps slower response, perhaps less data but secure information," said Takai. "The worst thing for a commander isn't just having it stop or be slow. The worst thing is when he can't trust the information, where he thinks that there may be corruption because then he or she doesn't know where to go next."

U.S. Army