Cyber-Fu Panda
Posted by Bill Sweetman at 7/15/2011 6:52 AM CDT
http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckScript=blogScript&plckElementId=blogDest&plckBlogPage=BlogViewPost&plckPostId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3A23107949-f170-4435-a09c-2b919a890b61
Only five or six years (but who's counting) after the Advanced Persistent
Threat was first detected, jimmying away at every portal in the US defense and
defense-industry database, the Pentagon has a cyber-strategy, unveiled on
Thursday.
It's focused on defense and is crafted to sound inoffensive - in part to allay
fears that the US wants to militarize cyberspace. The strategy's "overriding
emphasis is on denying the benefits of an attack", says deputy defense
secretary William Lynn, spokesman for the new approach.
That's a great idea, in theory. It's rather like using civil defense as a major
element of nuclear deterrence. As Lynn and I are both old enough to remember,
that was a much ridiculed approach back in the 1980s. And, as of now, it
doesn't seem to be working at all.
Back in March, Lynn says, a foreign intelligence agency hit a major defense
contractor and exfiltrated 24,000 files concerning a developmental system. The
Pentagon is still reviewing whether the system (which Lynn did not identify)
will need to be redesigned, and to what extent.
That can be necessary if the compromised information would help the intruder
not only to develop similar systems, but also to develop methods of attack and
defense against US systems. Classic example: the CIA's infiltration of Russia's
Phasotron radar development bureau. After it was discovered (courtesy of the
turncoat Edward Howard) the Soviet Union was forced to redesign the radar
systems of the MiG-29 and MiG-31 fighters.
Big difference: The CIA's agent, Adolf Tolkachev, was arrested and
unfortunately expired while assisting the KGB with their enquiries. The US is
not even publicly identifying the nation involved in the March exploit (and
terabytes of others) but here is a clue:
(insert pic of cute panda munching on bamboo shoot --rick)
As Lynn says, "we have complex economic and military ties" to many nations.
However, it's possible that the policy of refusing to identify "the panda in
the living room" could lead to the implementation of blanket security policies
designed to protect everything against everybody, where more targeted measures
might be more effective.
Something of the sort may be under way under the Defense Industrial Base Cyber
Pilot program, which was first unveiled in June. Under that program, classified
threat intelligence is shared with defense companies and their internet service
providers to allow them to strengthen their defenses.
But DIB Cyber Pilot is just beginning to address the problem, with fewer than a
couple of dozen major contractors involved. Decisions as to whether it could be
expanded vertically (into the supply chain) or horizontally (into non-defense
infrastructure) remain to be taken. It's also a temporary, 90-day effort,
partly because nobody has quite decided who will pay for upgraded security. For
90 days, Lynn says "people are willing to hold their breath and wait to know
who pays for it."
Two more observations. One is from yesterday's roll-out of the new policy at
the National Defense University: How is the Pentagon/DC culture of suits, ties
and white-haired Kennedy bouffants, where everyone stands as the bosses enter
the room, and 20-year R&D programs are called successful, going to keep pace
with hackers, who - according to their attack fingerprints - are often
criminals under contract to governments?
The other question: Which program was compromised in March? All I can say is
that if I was a curious panda, my first targets would not be MRAPs or GCVs - I
would be looking at missile defense, or JSF. And which of those just had its
Defense Acquisition Board review delayed at the last minute?
_______________________________________________
Infowarrior mailing list
https://attrition.org/mailman/listinfo/infowarrior