Pentagon Cyberstrategy: The Good, Bad, and the Ugly

Wednesday, September 01, 2010

Richard Stiennon


William Lynn, the US Deputy Secretary of Defense, wrote the most succinct description of the US Pentagon Cyberstrategy yet in the September/October issue of Foreign Affairs. Here are the good, the bad, and the ugly components of that strategy.

The Good

Lynn begins by acknowledging successful cyber attacks against the US military, in particular the intrusion via USB thumb drives that occurred in the fall of 2008. This intrusion led the Pentagon to make the unprecedented move of banning USB thumb drives from the military, a ban that was only rescinded in February 2010.

The cleanup effort to recover from the widespread worm infection, which Lynn claims was initiated at a Mideast base by foreign agents, was dubbed Operation Buckshot Yankee (OBY) in the Defense Department and Operation Rampart Yankee in the Army.

Lynn also states “To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.” 

This is an important acknowledgement and reflects the state of cyber defense for every organization. There is no single technology solution that can be deployed to counter all threats, and even the latest and greatest technology will not defend against tomorrow's attack methodologies.

Deterrence has been the subject of many recent reports coming from think tanks and cyber commissions.  Most have taken the view that cyber offensive or retaliatory measures must be in place to deter assailants. 

I like Lynn’s take: “Deterrence will necessarily be based more on denying benefit to attackers than on imposing costs through retaliation.”

In other words, a strong defense is the best cyber defense.

Lynn also addresses the issue of international cooperation: “If there are to be international norms of behavior in cyberspace, they may have to follow a different model, such as that of public health or law enforcement."  Agree.

I can find no fault with Lynn’s summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run the United States' critical infrastructure; to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe so that its revolutionary innovations can enhance both the United States' national security and its economic security.”

The Bad

Even after highlighting the problems facing the Defense Department, Lynn makes the argument that the Pentagon must leverage its ten years of concerted investment in cyberdefense to support broader efforts to protect critical infrastructure. Yet the two areas in which he suggests the DoD has made headway are computer hygiene (keeping anti-virus and firewalls up to date) and “sensors which detect and map intrusions.”

As I am the one most often associated with criticism of these sensors (IDS), I must point out that while they sound sexy, the industry has moved way beyond signature-based intrusion detection. There is no argument that a massive government initiative could provide some interesting intelligence about the sources and methods used by attackers if sensors were deployed on the 15,000 networks Lynn says they have.

But the effort will do nothing to stop those attacks today, when there are many technologies that will. If the most the DoD can offer to protect critical infrastructure is IDS and anti-virus updates, we have a problem.
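To make the gap between signature-based sensors and the behaviour-based detection the industry has moved to concrete, here is an added illustration of my own; it is not code from Lynn's article, from the DoD, or from any real sensor product. It runs two detectors over a constructed set of endpoint events modelled on the USB-borne infection discussed above: one that fires only on a file hash it has already seen, and one that correlates a removable-media mount, a process launched from that volume, and a network connection by that process, which needs no prior signature. Host names, process IDs, hashes, paths and addresses are all invented placeholders.

```python
"""Signature matching versus behaviour correlation over endpoint events.

Added example. All hosts, paths, hashes and addresses below are constructed
for illustration; none come from the article or from any real sensor.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed indicator list: the only sample the signature sensor knows about.
KNOWN_BAD_HASHES = {"KNOWNBAD0001": "usb-worm-sample"}   # placeholder, not a real hash

# Constructed endpoint telemetry, one event per line:
#   <ISO timestamp> <host> <kind> key=value ...
# hostA runs the known sample, hostB runs an unseen variant, hostC is benign
# (a user opens a document with an application installed on C:).
SAMPLE_LOG = [
    r"2008-10-01T09:00:00 hostA mount drive=E: removable=1",
    r"2008-10-01T09:00:30 hostA process pid=412 image=E:\setup.exe sha256=KNOWNBAD0001",
    r"2008-10-01T09:01:00 hostA netconn pid=412 dst=203.0.113.10:443",
    r"2008-10-01T09:05:00 hostB mount drive=F: removable=1",
    r"2008-10-01T09:05:20 hostB process pid=981 image=F:\updater.exe sha256=UNSEEN0002",
    r"2008-10-01T09:06:00 hostB netconn pid=981 dst=203.0.113.10:443",
    r"2008-10-01T09:10:00 hostC mount drive=E: removable=1",
    r"2008-10-01T09:10:40 hostC process pid=1200 image=C:\Office\WINWORD.EXE sha256=BENIGN0003",
    r"2008-10-01T09:11:00 hostC netconn pid=1200 dst=198.51.100.5:443",
]


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "mount", "process" or "netconn"
    detail: dict


def parse_events(lines):
    """Parse the whitespace-separated records above into time-ordered Events."""
    events = []
    for line in lines:
        ts, host, kind, *pairs = line.split()
        detail = dict(pair.split("=", 1) for pair in pairs)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def signature_alerts(events):
    """Classic IDS/anti-virus logic: fire only when an executed image's hash is
    already on the indicator list. Unseen variants pass silently."""
    return [(e.host, KNOWN_BAD_HASHES[e.detail["sha256"]])
            for e in events
            if e.kind == "process" and e.detail.get("sha256") in KNOWN_BAD_HASHES]


def behaviour_alerts(events, window=timedelta(minutes=5)):
    """Behaviour correlation on one host within `window`:
    removable volume mounted -> process launched from that volume
    -> that process opens a network connection.
    No hash is consulted, so a never-before-seen binary is still caught."""
    alerts = []
    mounts = defaultdict(list)   # host -> [(mount time, drive letter)]
    launched = {}                # (host, pid) -> (launch time, image path)
    for e in events:
        if e.kind == "mount" and e.detail.get("removable") == "1":
            mounts[e.host].append((e.ts, e.detail["drive"]))
        elif e.kind == "process":
            image = e.detail["image"]
            for mount_ts, drive in mounts[e.host]:
                if image.upper().startswith(drive.upper()) and e.ts - mount_ts <= window:
                    launched[(e.host, e.detail["pid"])] = (e.ts, image)
        elif e.kind == "netconn":
            key = (e.host, e.detail["pid"])
            if key in launched and e.ts - launched[key][0] <= window:
                alerts.append((e.host, launched[key][1], e.detail["dst"]))
    return alerts


def hosts_missed_by_signatures(events):
    """Hosts the behavioural rule flags that the signature sensor never would."""
    sig_hosts = {host for host, _ in signature_alerts(events)}
    return sorted({host for host, _, _ in behaviour_alerts(events)} - sig_hosts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("signature alerts :", signature_alerts(evs))
    print("behaviour alerts :", behaviour_alerts(evs))
    print("missed by sigs   :", hosts_missed_by_signatures(evs))
```

On this data the signature sensor reports hostA only, while the behavioural rule reports hostA and hostB and leaves hostC alone; the variant on hostB is exactly the case a signature feed cannot cover until someone has already been hit by it. The cost of the behavioural approach is tuning: a legitimate portable application run from a USB stick that talks to the network would trip the same rule, so in practice the window, an allowlist of signed images, or a destination reputation check would be layered on top before alerts go to an analyst.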

The Ugly

Back to Operations Buckshot Yankee and Rampart Yankee. Wired questions the attribution of the attack to foreign agents. If such claims are to be made, the Defense Department is going to have to do more to make the results of its forensic work visible.

There is no question that the cleanup activity truly turned out Pentagon resources in a massive effort. One Army base awarded four IT personnel special medals for the work they did to reimage all of the computers on the entire base. If universal reimaging was the response to a spreading worm, there is much yet to be done within the DoD to update its security practices.

Apparently the military has recognized some of the work needed, and even states in the DoD Fiscal Year 2011 IT President's Budget Request, dated March 9, 2010:

“The AF (Air Force) Network Action Plan is designed to reinvigorate operational rigor and address lingering systemic issues in the AF Global Information Grid highlighted by the Operation BUCKSHOT YANKEE.”

Those “lingering systemic issues” apparently include the inability to use networks to communicate effectively, which drove the widespread use of USB thumb drives.

Barry Rosenberg interviewed Lt. General Jeffrey Sorenson, August 10, 2009:

“When the dictate was put out that thumb drives were no longer going to be allowed, it did have some operational implications because this was how different orders, missions and organizational information were transmitted from headquarter to headquarter. Over time, we’ve had to go back and look at how we transfer data, and, clearly, the use of the thumb drive was one of these expedient methods by which information was passed between computers because we didn’t have a system set up properly to transfer the data. And there is the whole concept of the network service center, by which data can be forward-staged and transmitted via the network as opposed to people picking up their hard drives, or, in this case, what used to be thumb drives or servers, and moving them. We’re still a number of years in the future before we have a net-centric or net-enabled capability that can be used to share data. In many cases, as we’ve learned through the most recent Army “Rampart Yankee” and [Defense Department] “Buckshot Yankee” exercise — where we had to go off and remediate computer systems because of some infected thumb drives — that was a rather laborious, manually intensive effort to essentially achieve a capability that we would like to have, which would be machine-to-machine."

This raises the almost insurmountable prospect of an IT infrastructure stuck in the ’90s. The effort to modernize includes a plan to consolidate Active Directories as well.

Lt. General Sorenson states here that 17 trees and 5 rogues (with that number climbing) exist within the Air Force alone. User identity directory consolidation was a big issue in 2003. If the military has standardized on Microsoft and is only now moving to a consolidated directory structure, they have a long road ahead of them in modernizing their IT operations.

Lynn has set the stage for the creation of a concise Cyberstrategy for the Pentagon.  Now they need to follow through on defending their networks at least up to industry standards.

Cross-posted from ThreatChaos

Mister Reiner "If the most that DoD can offer to protect critical infrastructure is IDS and anti-virus updates we have a problem."

Definitely an understatement. DoD leadership continues to demonstrate its lack of understanding of the problem by proposing old school solutions that haven't been effective against sophisticated adversaries for the last 8 years. Whoever is making decisions is listening to the wrong people.

The ability to detect intrusions in the absence of alerts generated by signature and malicious activity based sensors is the only way the DoD is ever going to get ahead of the game.

"Now they need to follow through on defending their networks at least up to industry standards"

Unfortunately, the DoD has a terrible record of following through when it comes to computer security, as I've documented here:

I still haven't seen anything that states how the DoD intends to measure the success of its efforts, but perhaps they can just pull a fast one by stating that they've "... accomplished intended objectives."
Dr. Steve Belovich Sadly, the DoD's defensive approach cannot work. Please see one of my earlier posts which will explain why:
Margaret Esler The Sci Fi / technical thriller view of access into a system where the intruder is master of all they survey and in control of all activity is a scenario that is alien to my experience in even the most advanced information management systems.
Even more so in the present DoD information management – silo, local, disparate and diverse, lacking in industry standards.
An external intruder into DoD will have their access and their opportunity of gaining or destroying anything useful severely limited.
The system-internal, DoD flash-drive-introduced virus, the sale of bank records of tax-evading customers of Swiss banks, and the loss of data in transport through accident or design are other pertinent examples of internal system damage opportunity identified and maximised.
Business Process Change of any kind is painful. There is a risk that the over-emphasis on cyber (external system attack) may in part move the focus away from the wholesale change in approach to information management needed to move DoD into World Class.
Cyber attack is a sexier concept – the impression of a system that is defending against the evil intent of another, with the attacker the baddy and DoD the goody.
The reality of old fashioned theft of poorly protected assets, poor system governance, old fashioned ways of working no longer appropriate for the job needed would not bring the same government or national sympathy or support – and would require a level of change at a cost and timescale which the DoD may not presently have appetite for.
B Anderson Nice spin Richard. Viruses are not the only threat imposed by USB, although they are the most widespread. We recently wrote a book related to this topic as part of the Syngress 7 Deadliest Attacks series titled “7 Deadliest USB Attacks”. The subject matter in this publishing covers a broad range of security categories including forensic acquisition & analysis, penetration testing, social engineering, auditing, viruses, malware, mitigation strategies and more from a USB perspective.

Best Regards,

Barbara and Brian Anderson
Christopher Warner That's a great post on this very important topic. Seems the issue is that the military, which is supposed to be the expert in security for our world, still deploys Operational Security solution mitigation to problems that are actually solved by using the approved regulatory compliance like FIPS 140-2 for USB devices. It's too bad that those in charge cannot understand the difference. Just as with what is going on in the Corporate World, those that make the decisions are not deploying enough resources in Information Security and Threat Management. This is such an important topic the more we migrate to full use of technological solutions.