• United States
Senior Editor

Security experts question DOD cybersecurity

Jul 24, 20036 mins

The Department of Defense relies too much on commercial software, doesn’t know who is creating the software, and faces other significant cybersecurity problems, witnesses told a U.S. House of Representatives subcommittee Thursday.

The U.S. military’s use of commercial, off-the-shelf software has yielded fast improvements in software and cost-savings benefits for U.S. taxpayers over the last 20 years, but such software has its downside, said Professor Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University.

“Most of those products are not written to be used in an environment where there is a significant threat,” Spafford told the House Armed Services Committee’s Subcommittee on Terrorism, Unconventional Threats and Capabilities. “We have … attacks being committed by hackers, by anarchists, by criminals, probably by foreign intelligence services. The (commercial) products have not been designed to be reliable or robust under those kinds of circumstances.”

As the subcommittee attempted to assess the cybersecurity programs at the Defense Department, Spafford and Robert Dacey, director of the Information Technology Team at the U.S. General Accounting Office (GAO), raised questions about cybersecurity efforts in the U.S. military.

In addition to relying on too much commercial software, the Defense Department uses the same software across many of its systems, forming a “near mono-culture,” Spafford added, without naming any software packages. Common software products suffered about 2,000 vulnerabilities last year, he said.

“When a new attack is found that has affected any one of these products, it seeps through the entire network,” he said. “Operators of systems may be in the position of applying three to five security critical patches per week for every system under their control. That really is unacceptable for us to be in a state of high readiness.”

But Scott Charney, chief security strategist for Microsoft, said homogeneous software systems also have their advantages. It’s easier to train systems administrators on one piece of software than on multiple products, he said, and patching can happen faster if an agency has just one product to patch.

“Reasonable minds are debating whether a homogeneous environment or a heterogeneous environment is better for decreasing risk,” Charney said. “The advantage of a homogeneous environment, or more of a mono-culture, is it’s much easier to manage. You train your people in a particular system, and they manage that system, they know all the security settings, you run tools to make sure they lock it down.”

The GAO’s Dacey highlighted cybersecurity weaknesses identified in Defense Department reports on fiscal year 2002. The Defense Department, he said, has concerns about the amount of time necessary for correcting reported vulnerabilities, about training all its network workers, and about ensuring that computer security policies are distributed quickly. Other Defense Department concerns include the lack of comprehensive testing of cybersecurity policies and increasing the use of authentication certificates to aid cybersecurity.

But the Defense Department has at least acknowledged those problems, Dacey added. “[The Defense Department] has been at the forefront of many information security initiatives in the federal government,” he said.

Robert Lentz, director of information assurance at the Defense Department, said the agency is making “significant progress” in protecting its information networks. The agency is complying with cybersecurity policies required by the Federal Information Security Management Act of 2002, he said, and it is working from a cybersecurity roadmap that includes major goals of defending systems and networks, focusing on research, and protecting information.

“This means that all information must be protected from end to end, and through its lifecycle, from the most sensitive nuclear command and control to business transactions,” Lentz said.

Last year, the Defense Department successfully defended against 50,000 attempts to gain root level access on its computers, Lentz said.

While Lentz defended the Defense Department’s cybersecurity efforts, Spafford questioned the Defense Department’s use of commercial software that’s often produced outside the U.S. “Much of this software, an increasing amount of this software, is being written by individuals we would not allow into the environments where it’s operating,” he said. “The reason for that is, they’re not U.S. citizens … they don’t have any kind of background checks.”

Outsourcing software development is good for the world economy and good for U.S. software vendors trying to compete in the marketplace on price, but using this software for computer systems containing national security information may be questionable, Spafford said.

“It introduces a tremendous vulnerability to our systems,” he said. “The software is being developed, sometimes tens of millions of lines, by individuals whose motivations and agendas may not be fully known.”

Microsoft’s Charney suggested that asking where a piece of software was developed is the wrong question. Instead, purchasers of software should ask if good quality assurance processes are in place to test the software after the code has been written.

“One of the things you have to have is very rigorous processes in place to examine the code,” he said. “If you are getting components from overseas and actually reviewing the quality of the component and testing the component, you will know what’s in your code.”

Representative Roscoe Bartlett, a Maryland Republican, asked witnesses what would happen to the U.S. military if all computer systems were knocked out and unable to be brought back up again. A nuclear bomb set off in the upper atmosphere could take out most communication satellites, Bartlett said, and he questioned if the Defense Department had a back-up plan for such a scenario.

“Are we just through if our computer systems don’t work?” he asked. “Are we looking at what would happen if they went away and didn’t come back.”

Such a scenario seems unlikely, Spafford answered. “Taking out all the computers would be a very difficult thing to do,” he said.

Representatives Marty Meehan (D-Mass.) and Joe Wilson (R-S.C.) asked whether cyberterrorism training camps exist.

Lentz offered to give representatives a classified briefing on such activity, and Spafford suggested that tools available to the public can instruct anyone on how to be a cyberterrorist.

“There are bulletin boards and discussion lists where techniques are taught, where tools are available, so that anyone, even a juvenile, spending a minimum amount of time online, is able to learn some very sophisticated attack methodologies,” Spafford said. “We happen to have a virtual worldwide training camp going on, on a regular basis, of individuals with various motivations using these tools and techniques.”