The Pentagon's strategy for defending its computer networks is
underpinned by the notion that the private sector can provide many
of the needed cyber weapons. Because both industry and government
computers confront similar threats, such as hackers and viruses,
it would appear that the Pentagon's plan makes sense. But things
are not quite so simple. The Defense Department's number one computer
security concern, for example, is attack by foreign nations or terrorists.
In industry, executives worry the most about disgruntled employees
and thieves. If military computers were attacked, human lives could
be at risk. For the private sector, the likely price for network
disruptions is damage to customer confidence and financial losses.
These are some of the findings of a recent industry survey that
was briefed to the top leaders of the U.S. Space Command, in Colorado
Springs, Colo. The command is responsible for Pentagon information
warfare operations.
As the command goes about deciding how to best protect the Pentagon's
computers, it must determine whether there is any common ground
with the private sector, said Navy Vice Adm. Herbert A. Browne,
the number two official at U.S. Space Command. This is important
because, in the United States today, private and public networks
often are linked and, therefore, vulnerable to the same types of
attack.
Browne discovered, however, that information security priorities
are ranked differently in the military and in the private sectors.
That means, for example, that the Defense Department will not tolerate
certain risks that are perfectly acceptable in industry.
"In industry, if it costs $100 million to protect the network,
and [it costs] $90 million to leave it unprotected, they will leave
it unprotected ... In the military, we can't do that because the
risk involves lives," Browne told National Defense during a
conference in Huntsville, Ala. "Industry sees the threat as
internal" and is less concerned about terrorists and foreign
national organizations, he explained. "In the military, we
are focusing primarily on the national threat and terrorist threat."
One example of following a cost-vs.-benefit approach in information
security is the credit card industry, said Guy Copeland, vice president
of information infrastructure programs at Computer Sciences Corporation
(CSC), in Falls Church, Va. "It's fairly common knowledge that
credit card companies accept some fraudulent activity, because it
will cost more money to protect the system," he said in an
interview.
There is a need, nevertheless, for the Defense Department to work
"in partnership" with the private sector, Browne said.
As far as diverging priorities are concerned, he asked rhetorically,
"Where is the right place? We'll know as time moves forward."
The industry survey was completed last month by the Space Committee
and the Rocky Mountain Chapter of the National Defense Industrial
Association.
Experts generally agreed with the findings in the survey. Despite
common vulnerabilities to hacking, the military confronts unique
problems. "A war situation produces different kinds of threats
than just mischievous teenagers or [breaches of] industrial security,"
said James H. Frey, president of Litton-TASC, in Chantilly, Va.,
a supplier of information security products and services.
But Frey, like many others in industry, does not believe the Defense
Department can afford to defend against every threat. "The
military, like any customer, has needs that exceed the resources
available. They are forced to prioritize and make compromises,"
he said in an interview.
John P. Casciano is TASC vice president for information operations
and infrastructure protection. A former two-star Air Force general
who managed information warfare programs, he noted that the Pentagon
is looking for commercial security technologies, because it wants
to benefit from the fast-paced advancements in that sector.
As the government begins to understand its network vulnerabilities,
said Casciano, it must acknowledge that technology is not the only
solution. "You need both technology and process. The two have
to go together," he said. "Because of the pace of the
Internet, things are changing so fast. I don't believe you will
ever be able to come up with a black box that will solve the problem
... You have to have rules, policy, people who are trained in security.
"The minute we come up with a good black-box solution,"
he added, "somebody out there will find a way around it, and
we'll have to continue the process ... And there is a lot that we
can do that doesn't cost much money."
The weak links at the Defense Department primarily have to do with
lack of "training, awareness, and skills of the systems administrators,"
said Casciano. "We have had a lot of success with the technology
in terms of intrusion detection systems: building firewalls, being
able to pick out threats that are occurring within the network.
What we haven't been able to do is, in real time, spot trends and
react to them swiftly."
Shortfalls in training are not exclusive to the Defense Department,
noted Copeland. "There is a tendency for all of us to look
to the technology as the answer. But ultimately people are the linchpin
... We are all guilty of trying to find an easy technical solution."
Poor training and "lack of awareness" are the "biggest
problems of all," said Ed Giorgio, a principal at Booz-Allen
& Hamilton, in Falls Church, Va. Giorgio was a former cryptographer
at the National Security Agency (NSA) and specialized in breaking
codes.
Both government and private information systems are exposed to
similar threats, but the way each sector handles those threats differs,
largely for cultural reasons, explained Giorgio. The government
traditionally is risk-averse and plans for the worst-case scenario.
Industry is more concerned about "dollars and cents and return
on investment," Giorgio said. During his days at the NSA, "we
used to give enemies more credit for their capabilities than they
deserved, which meant we over-designed systems that were too expensive."
The government is being forced to re-assess that approach for financial
reasons, he said. The upshot is that agencies are learning about
"risk management."
Giorgio believes that much of the future growth in the industry
will come from work in technologies that can detect, warn and report
attacks in cyberspace.
"Trend spotting in real time" is one breakthrough the
Defense Department is seeking, said Casciano. "We are getting
better. It used to take days. Now it takes hours."
A former airman, he compared network defense to the protection
of the airspace in military operations. "We have radars and
command-and-control systems to tell us when hostile aircraft come
in ... It's the same thing in the cyber world." Networks should
have intrusion detection sensors that can pinpoint attacks, he said.
An example is the Air Force automated intrusion monitoring system,
which is deployed in 125 locations worldwide. "All that is
tied into the Air Force information warfare center, in San Antonio,"
said Casciano. "They can look across the entire network and
see patterns that are of concern."
Some of the most advanced technology in network security is pursued
at the Air Force Research Laboratory, in Rome, N.Y. Under a project
called data resilience in information warfare (DRIW), the lab developed
a laptop computer-based capability to detect network attacks and
to recover damaged data. The first operational DRIW system is being
delivered to the lab later this month by prime contractor Northrop
Grumman Corporation's Logicon division, in Herndon, Va. This capability
could, in the future, migrate to large, distributed computer systems,
said Paul Zavidniak, program manager at Logicon. One of the DRIW
demonstrations developed for the lab, he said in an interview, showed
how the system can detect illegal changes made to Air Force air
tasking orders during strike operations. In this example, an intruder
had changed the scheduled air-refueling times for two F-16 fighter
missions. Had the intrusion not been detected, both flights would
have run out of fuel.
Attacking Networks
The Space Command, meanwhile, will assume responsibility on October
1 for the so-called computer network attack mission for the Defense
Department. Although officials are reluctant to provide details
for obvious reasons, the plan is to develop cyber weapons that can
be used to destroy enemy databases and disrupt their information
networks.
According to Browne, the technology to do that is available quite
easily, "but the real issue is in the policy area," he
said. "Attack tools are developed by teenagers. Developing
the tools is not complex." But the policy implications are
complicated, because if the United States decided to use computer
attack weapons, it essentially would legitimize a form of warfare
that currently is only conducted covertly.
"We are still working out how we are going to put together
a multi-organizational structure" to manage computer network
attack operations, said Browne. "Our view is that we ought
to have the tools" available for commanders, so they can decide
whether they should disable an enemy radio station, for example,
through computer attacks, rather than iron bombs. "Why shouldn't
you have the option of using electrons to take it down?" he
said. "We think it makes a great deal of sense."
Casciano believes that industry has a future role in developing
these offensive capabilities for the Defense Department. Network
attack, he explained, is "the other side of defense ... By
knowing how to defend, you have to know what the attack mechanisms
are."
In the end, he added, developing defensive and offensive cyber
weapons becomes a "never-ending spiral," because as soon
as one vulnerability is patched up, a new gap is opened.
Another somewhat controversial dimension to information warfare
for the Space Command is satellite control, noted Browne. Satellite
control refers to the ability to turn off enemy satellites and prevent
them from gathering battlefield data. "We need localized, reversible,
non-destructive space control capabilities," said Browne. "We
are serious about satellite control. It's technologically possible
to shut down satellites" so the enemy cannot obtain imagery.
But he acknowledged that there are "large legal barriers"
to such actions.
Lt. Gen. John Costello, chief of the Army's Space and Missile Defense
Command, noted that "there is great concern about space control,
both defensive and offensive." Particularly, he said, U.S.
forces must worry about "hiding from the enemy," which
means not only shutting down enemy satellites but also protecting
U.S. spacecraft and ground equipment.
Despite widespread worries about the lack of security in commercial
communications satellites, CSC's Copeland said those fears are
unfounded. "The command uplinks of the commercial satellites
are encrypted."
Other sources of potential vulnerabilities for the Defense Department,
noted Zavidniak, are those "unique" military networks
that are not linked to the Internet, but nevertheless could be hacked.
A case in point is the radio systems the military services use for
tactical communications. Those systems, he said, need customized
security solutions that are not available in industry because the
commercial market primarily is focused on protecting systems tied
to the Internet. Concerns about having secure tactical radios, particularly
in coalition operations, were raised recently by Navy Adm. Harold
Gehman, head of Joint Forces Command. (National Defense, June 2000,
p.11)
According to Zavidniak, "The commercial industry cannot solve
the military problem ... Commercial industry hasn't seen the iceberg
yet."