The Complex

DOD says don't worry about hackers accessing key U.S. weapons designs

The Pentagon is denying that any real damage resulted from hackers accessing the designs for more than 24 major U.S. weapons systems.

"We maintain full confidence in our weapons platforms," reads a just-released statement from DOD Press Secretary George Little. "The Department of Defense takes the threat of cyber espionage and cyber security very seriously, which is why we have taken a number of steps to increase funding to strengthen our capabilities, harden our networks, and work with the defense industrial base to achieve greater visibility into the threats our industrial partners are facing. Suggestions that cyber intrusions have somehow led to the erosion of our capabilities or technological edge are incorrect."

That's right, DOD claims that all is well despite the fact that, according to a classified version of a Defense Science Board report, hackers have accessed designs for dozens of weapons systems, ranging from the F-35 and F-22 stealth fighters to numerous air-defense missiles, advanced communications technologies, lasers, RC-135 Rivet Joint spy planes, and even the Navy's Aegis anti-missile system.

Little's statement comes a little more than two months after the U.S. Intelligence Community listed "Cyber" as the top security challenge in its annual Worldwide Threat Assessment, saying that U.S. adversaries are "almost certainly" using cyber espionage to catch up to the U.S. military:

Highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data. This is almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena.

His comments also come after years of warnings by U.S. government officials -- from U.S. Cyber Command chief Gen. Keith Alexander to House Intelligence Committee Chairman Mike Rogers -- about the damage caused by cyber espionage and crime.

We've written plenty on allegations that Chinese hackers have stolen the plans for various U.S. weapons systems and have pointed out that China's stealth jets bear a suspicious resemblance to U.S. stealth planes like the F-22 and F-35. Designs for the F-35 were reportedly hacked by Chinese spies in an incident that may have contributed to the redesign of the jet's computerized maintenance system.

Perhaps Little's message is simply a display of false confidence, or perhaps the U.S. has made enough changes to programs accessed by hackers that it's not worried, or maybe it simply fed them the wrong information.

Some cybersecurity experts are already calling on U.S. firms to start making it costly for hackers to steal information from them by poisoning the virtual well.

"We have to get the Chinese and the other adversaries off the idea that when they exfiltrate the data out [of U.S. networks], that it's pure," said James Mulvenon, vice president of intelligence at security consulting firm Defense Group, Inc., during a speech last week at the Center for Strategic and International Studies. "They believe this is Ultra, this is the most profoundly successful intelligence operation they've ever had. They believed with metaphysical certainty, up until recent times, that what they're exfiltrating is actually true."

Mulvenon seems to be suggesting that the U.S. is already pumping false info to cyberspies.

"Using deception and poisoning the well and things like that in terms of the data exfiltration is obviously not new. It can be technically difficult, but we've seen [that] the tried and true methods we've used in the counterintelligence and counterespionage realms have really helped us," Mulvenon added.

At the same event, Shawn Henry, a former FBI cybercrime investigator who heads the services division at cybersecurity firm CrowdStrike, said that American businesses need to start "being proactive ... being able to raise the cost to the adversary. Right now there's no cost, the risk is about zero because people have been called out on it for years and years and nothing is happening."

"Denial and deception is key -- changing the way we look at these things, being proactive on the network, not in an offensive, aggressive way" but by creating capabilities that "make things more difficult for the adversaries" by giving them bad information and quickly identifying the attackers, he said.

Still, this approach might backfire if executed by anyone but the most sophisticated cybersecurity teams, warns Dave Merkel, chief technology officer of cybersecurity firm Mandiant.

"I myself am skeptical of those approaches, when I go take a look at a large organization and the challenges it has managing its own legitimate information, and then you talk about managing legitimate disinformation and being able to tell one from the other and being able to make decisions based on what happens with it seems pretty far-fetched," Merkel told Killer Apps. "Those kinds of techniques can be effective in highly targeted ways, used by specialists to get some particular result like learning more information about an adversary . . . but as some kind of broad-based defense or mechanism to change the economics of stealing digital information, I just don't see it."

Mandiant famously published a report in February detailing the exploits of an alleged Chinese-military hacking group against U.S. businesses. Merkel said the latest news about DOD weapons designs being hacked is nothing new.

"This just verifies what we're seeing within our own client base," said Merkel. "I wasn't even mildly shocked."


National Security

The White House: Cyber attacks against critical infrastructure are way up

Here's the White House's response to Killer Apps' request for comment on last night's Wall Street Journal article citing current and former administration officials saying that Iranian hackers have penetrated the networks of U.S. energy firms.

Basically, National Security Staff spokeswoman Laura Lucas confirmed that our critical infrastructure, including the energy sector, is under cyber-attack, with DHS responding to 177 attacks in 2012, and that the administration is hustling to share as much information as possible about cyber-threats with critical-infrastructure providers. Notice the statement below doesn't confirm or deny the WSJ's claim that Iranian hackers specifically are responsible.

Each and every day, the United States faces a myriad of threats in cyberspace, from the theft of U.S. intellectual property through cyber intrusions to distributed denial of service attacks against public-facing websites to intrusions against U.S. critical infrastructure companies, including those in the energy sector. We have observed a trend over the last year, exemplified by this recent activity, of malicious actors increasing their focus against critical infrastructure. Secretary Napolitano has noted these trends in hearings before Congress. For example, in March she cited a campaign of intrusions targeting oil and pipeline companies. Last year DHS responded to 177 incidents against industrial control systems, up from just nine three years earlier. The U.S. government is, of course, researching attribution and investigating specific events.

We are concerned about all threats to the security of our networks and critical infrastructure and are actively collaborating with our public and private sector partners to detect and mitigate disruptions and attacks against the nation's critical cyber and communications networks. We are leaning much further forward on providing warning to specific industry and international partners and are working to get ahead of the threat by providing actionable warnings and possible mitigations to all partners. This is part of our effort to implement the President's executive order. We will continue to share information with companies in our critical infrastructure sectors and are working with many institutions to establish a common understanding of malicious tactics and techniques, share network defense best practices, and provide technical assistance. What is critical is that our partners understand the nature and implications of this activity, evaluate the sufficiency of network defenses, remain vigilant, be prepared to respond and recover when such activity does occur, and work with industry organizations and the government to share information about any observed activity.

The WSJ article comes the same week that Richard Bejtlich, of the cybersecurity firm Mandiant, told Killer Apps that his company is seeing a suspected Iranian presence inside his clients' networks for the first time. Last fall, we reported that foreign hackers had penetrated the networks of U.S. energy firms in an effort to scout their weaknesses.

"There's some amount of reconnaissance that is required to infiltrate a large critical-infrastructure network, understand which systems are deployed, and how an attack should be structured to be most effective," Ashar Aziz, chief technology officer of cybersecurity firm FireEye, told Killer Apps over coffee this week when asked about foreign hackers infiltrating U.S. power networks. "There's scout malware and there's killer malware. I would not be surprised if scout malware has scouted all the vulnerabilities in critical infrastructure" in the United States, he said.

"I'm sure we have done the same thing" to potential U.S. adversaries, added Aziz. "Basically, we've got our fingers on the trigger very close to the brain of the [power] grid on the other side, and I would not be surprised if our grid was in the very same situation. If somebody felt threatened and wanted to pull the trigger, it would not be hard for them to do that."
