Top agency officials who testified before the Senate Armed Services Committee advised that the government can assume we are well beyond the threat of attackers gaining access to our critical networks, and that we must assume they have already successfully infiltrated them.
"I think we've got the wrong mental model here. We've got to go to a model where we assume our adversary is in our networks, on our machines, and we've got to operate anyway, we've got to protect the data anyway," said Sandia National Laboratory's James Peery.
DARPA's Ken Gabriel believes that the current strategies employed for the defense of sensitive networks are insufficient, and are merely providing the margin of opportunity to develop more substantial methodologies that would increase the level of investment attackers need to make for successful incursions.
"If you find yourself in the middle of the ocean, treading water is a good thing...buying tactical breathing room [is] much like treading water," Gabriel stated.
Gabriel's assertion prompted a terse response from Ohio Senator Rob Portman, who queried him by stating, "You believe we can do things that make it more costly for them to hack into our systems... but you didn't say that we can stop them."
The revelation that there is no state of absolute security is nothing surprising to those in the infosec realm, but apparently the notion is just taking a foothold with legislators.
In an attempt to explain the dynamic between attackers and those charged with defending networks, the Pentagon's chief technology officer Zachary Lemnios responded to Portman by stating that "we are in an environment of measures and countermeasure... for every concept that's deployed, a countermeasure is deployed by an adversary."
Lemnios went on to explain the basics of a perimeter defense approach to securing critical networks in which the focus is placed on preventing access to systems by attackers.
He continued that the perimeter defense strategy does little to protect critical data once an intrusion has occurred, and also does little in the way of securing data against the possibility of an insider threat, for which he cited the WikiLeaks case in which Bradley Manning abused his access to systems in order to leak classified government materials to the activist group.
Lemnios advocated the monitoring approach in which activities within a secured system are evaluated in real time for inconsistencies and violations of access controls, such as with Manning's ingresses. The key to advanced monitoring is not in intrusion detection, but in securing the critical data and preventing exfiltration.
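The monitoring approach Lemnios describes, reduced to code as an added illustration (not from the testimony or the article): a small detector that parses constructed access-log lines and raises an alert when a user reads material above the classification their role permits, or when the volume a user pulls in a day exceeds an assumed per-role baseline. The log format, roles, classification policy and byte thresholds are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from any real system).
# Fields: timestamp, user, role, document classification, bytes read.
SAMPLE_LOG = """\
2012-03-20T09:01:12 user=analyst01 role=analyst class=SECRET bytes=20480
2012-03-20T09:05:44 user=analyst01 role=analyst class=SECRET bytes=18200
2012-03-20T09:06:03 user=analyst02 role=analyst class=TOPSECRET bytes=4096
2012-03-20T10:15:27 user=analyst03 role=analyst class=SECRET bytes=9000000
2012-03-20T10:16:01 user=analyst03 role=analyst class=SECRET bytes=12000000
2012-03-20T10:17:30 user=analyst03 role=analyst class=SECRET bytes=15000000
2012-03-20T11:00:00 user=admin01 role=sysadmin class=SECRET bytes=1024
"""

LINE_RE = re.compile(r"(\S+) user=(\S+) role=(\S+) class=(\S+) bytes=(\d+)")

# Assumed policy: highest classification each role may read, and the daily
# byte volume a role is expected to stay under (an exfiltration baseline).
ROLE_MAX_CLASS = {"analyst": "SECRET", "sysadmin": "SECRET"}
ROLE_DAILY_BYTES = {"analyst": 5_000_000, "sysadmin": 1_000_000}
CLASS_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, role, cls, nbytes = m.groups()
            events.append({"ts": ts, "user": user, "role": role,
                           "class": cls, "bytes": int(nbytes)})
    return events


def find_violations(events):
    """Return (kind, user, timestamp) alerts for access-control violations and
    for the first event at which a user's cumulative volume passes the baseline."""
    alerts = []
    volume = defaultdict(int)      # cumulative bytes per user
    volume_flagged = set()         # users already alerted on volume
    for e in events:
        allowed = CLASS_RANK[ROLE_MAX_CLASS[e["role"]]]
        if CLASS_RANK[e["class"]] > allowed:
            alerts.append(("access_violation", e["user"], e["ts"]))
        volume[e["user"]] += e["bytes"]
        if (volume[e["user"]] > ROLE_DAILY_BYTES[e["role"]]
                and e["user"] not in volume_flagged):
            volume_flagged.add(e["user"])
            alerts.append(("volume_exceeded", e["user"], e["ts"]))
    return alerts
```

Run over the sample, the detector flags analyst02 for reading above SECRET and analyst03 for pulling far more than the analyst baseline, while the two routine users produce nothing.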
Also key to bolstering network defenses is the ability to effectively triage intrusion events, as not all attempts represent a critical threat. Some incursions are carried out by automated botnets that may simply be conducting "routine" reconnaissance, but in actuality pose no immediate threat of data loss.
The NSA's Michael Wertheimer advocated for a retreat from reacting to the sheer volume of events logged and for a closer examination of who the attacker may be, noting that the greatest threats materialize from state-supported operations.
"Routine doesn't mean that it isn't important... we're not keeping a close enough eye on that nation-state threat... We have to deploy a Division I team because the adversaries are Division I," said the NSA's Michael Wertheimer.