The Pentagon is denying that any real damage resulted from hackers accessing the designs for more than 24 major U.S. weapons systems.
"We maintain full confidence in our weapons platforms," reads a just-released statement from DOD Press Secretary George Little. "The Department of Defense takes the threat of cyber espionage and cyber security very seriously, which is why we have taken a number of steps to increase funding to strengthen our capabilities, harden our networks, and work with the defense industrial base to achieve greater visibility into the threats our industrial partners are facing. Suggestions that cyber intrusions have somehow led to the erosion of our capabilities or technological edge are incorrect."
That's right, DOD claims that all is well despite the fact that, according to a classified version of a Defense Science Board report, hackers have accessed designs for dozens of weapons systems, ranging from the F-35 and F-22 stealth fighters to numerous air-defense missiles, advanced communications technologies, lasers, RC-135 Rivet Joint spy planes, and even the Navy's Aegis anti-missile system.
Little's statement comes a little more than two months after the U.S. Intelligence Community listed "Cyber" as the top security challenge in its annual Worldwide Threat Assessment, saying that U.S. adversaries are "almost certainly" using cyber espionage to catch up to the U.S. military:
"Highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data. This is almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena."
His comments also come after years of warnings by U.S. government officials -- from U.S. Cyber Command chief Gen. Keith Alexander to House Intelligence Committee Chairman Mike Rogers -- about the damage caused by cyber espionage and crime.
We've written plenty on allegations that Chinese hackers have stolen the plans for various U.S. weapons systems and have pointed out that China's stealth jets bear a suspicious resemblance to U.S. stealth planes like the F-22 and F-35. Designs for the F-35 were reportedly hacked by Chinese spies in an incident that may have contributed to the redesign of the jet's computerized maintenance system.
Perhaps Little's message is simply a display of false confidence, or perhaps the U.S. has made enough changes to programs accessed by hackers that it's not worried, or maybe it simply fed them the wrong information.
Some cybersecurity experts are already calling on U.S. firms to start making it costly for hackers to steal information from them by poisoning the virtual well.
"We have to get the Chinese and the other adversaries off the idea that when they exfiltrate the data out [of U.S. networks], that it's pure," said James Mulvenon, vice president of intelligence at security consulting firm Defense Group, Inc., during a speech last week at the Center for Strategic and International Studies. "They believe this is Ultra, this is the most profoundly successful intelligence operation they've ever had. They believed with metaphysical certainty, up until recent times, that what they're exfiltrating is actually true."
Mulvenon seems to be suggesting that the U.S. is already pumping false info to cyberspies.
"Using deception and poisoning the well and things like that in terms of the data exfiltration is obviously not new. It can be technically difficult, but we've seen [that] the tried and true methods we've used in the counterintelligence and counterespionage realms have really helped us," Mulvenon added.
At the same event, Shawn Henry, a former FBI cybercrime investigator who heads the services division at cybersecurity firm Crowdstrike, said that American businesses need to start "being proactive...being able to raise the cost to the adversary. Right now there's no cost, the risk is about zero because people have been called out on it for years and years and nothing is happening."
"Denial and deception is key -- changing the way we look at these things, being proactive on the network, not in an offensive, aggressive way" but by creating capabilities that "make things more difficult for the adversaries" by giving them bad information and quickly identifying the attackers, he said.
Still, this approach might backfire if executed by anyone but the most sophisticated cyber security teams, warns Dave Merkel, chief technology officer of cybersecurity firm Mandiant.
"I myself am skeptical of those approaches, when I go take a look at a large organization and the challenges it has managing its own legitimate information, and then you talk about managing legitimate disinformation and being able to tell one from the other and being able to make decisions based on what happens with it seems pretty far-fetched," Merkel told Killer Apps. "Those kinds of techniques can be effective in highly-targeted ways, used by specialists to get some particular result like learning more information about an adversary . . . but as some kind of broad-based defense or mechanism to change the economics of stealing digital information, I just don't see it."
Mandiant famously published a report in February detailing the exploits of an alleged Chinese-military hacking group against U.S. businesses. Merkel said the latest news about DOD weapons designs being hacked is nothing new.
"This just verifies what we're seeing within our own client base," said Merkel. "I wasn't even mildly shocked."