Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

Summary: Our nation faces risks far greater than a rogue flash drive: Failure to properly safeguard our consumer and industry systems; unwillingness to invest in ongoing security; and ordinary computer users playing with digital weapons of mass destruction.

TOPICS: Security, CXO, Hardware

Updated: With the news about how 250,000 confidential diplomatic cables got released by Wikileaks, this article becomes even more relevant.

The September/October issue of Foreign Affairs is now available online and within its virtual pages is one of the most important cyberwar articles in modern history.

Written by United States Deputy Secretary of Defense William J. Lynn III, the article is as important to understanding America's global cyberwarfare strategy as the Monroe Doctrine was to understanding America's approach to foreign affairs.

It should be noted that Secretary Lynn is the #2 person at the Pentagon, effectively the Pentagon's chief operating officer, and acts as the Secretary of Defense by delegation in the absence of SecDef.

This article, written by Lynn at this time, is more, therefore, than simply an opinion piece by a government functionary. It is a detailed description of American policy in what Lynn calls:

"As a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain of warfare."

Later today, you'll be able to hear an interview I did on this matter with Voice of America, where I discuss many of the questions that have come up since Lynn's article became available.

One issue that's caused a lot of concern is Lynn's admission that the United States was the victim of a cyberattack in 2008. The attack was caused by an infected flash drive, which propagated attack software throughout a military network.

In my roles as Cyberwarfare Advisor for the International Association of Counterterrorism and Security Professionals, a member of the FBI InfraGard program, and a technology editor and advisor, I have been warning about the flash drives, thumb drives, iPods, iPhones, cameras, and all forms of removable media as a cybersecurity risk for years now.

Given that most of us can roll with 16-32 gigabytes just in our phones, it's possible for an enemy (or an unwitting accomplice) to bring very dangerous software behind the firewall simply by carrying in a phone or an iPod. It's also possible for an enemy to remove vast amounts of secured information simply by loading up an iPhone or other handheld device.

The risks, as Lynn details, are far more than just rogue flash drives. However, what this incident shows is the asymmetric nature of cyberwarfare. It's very easy and very inexpensive for an enemy state, an enemy actor, a terrorist organization, a crime organization, or even teenage hackers to cause measurable damage. For a detailed backgrounder on this disproportionality factor, I recommend reading my article, The coming cyberwar.

One question I was asked by Voice of America is important to address. I was asked if Lynn's article discloses too much information and gives an advantage to our enemies.

The answer to that is an emphatic "no". First, there's nothing in that article our enemies don't know. Regular, non-technical readers may find it containing shocking news, but for those of us responsible for dealing with cyberattacks, there's nothing really new from a technical perspective.

What makes this article so important is its policy implications, rather than its technical implications. In "Defending a New Domain, the Pentagon's Cyberstrategy", the United States government is effectively making an international statement on the importance of cyberdefense.

It's a call to arms for our allies, a cautionary tale for American industry, and a warning shot to those who might attack us.

Before I close this article, I have one more important thing to say about America's cyberdefense. I've worked with a lot of people on the front lines of America's cyberdefense and these are some of the most amazingly smart and aware professionals I've ever met.

The risk is not with having smart enough people on the job. The risk is our own lack of caution in keeping our consumer and industry systems properly protected, a lack of willingness on the part of managers and policy makers to invest in ongoing security, and the challenge that ordinary computer users are, effectively, playing with digital weapons of mass destruction with barely any awareness of the basic risk.

My final recommendation is simple. Read Lynn's article. If you're an IT professional of any level, it's one of the most important pieces you'll read this year. (One note: you will need to register to read the article, but registration is free.)

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Talkback

33 comments
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    I read about the attack and I want to know one thing - who the hell made the secret network connected to the unclassified network? That person should be taken out and shot as well as whoever approved it.
    stevejg61
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @stevejg61

      Yah. When I was working in Navy crypto (Viet Nam), we had "Red" (cleartext) and "Black" (encrypted) loops which did not connect directly.

      Who was dumb enough to (apparently) change that doctrine?
      fairportfan
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @stevejg61

      Then you would want to shoot the President, because it was most likely him (past President, not Obama) who greenlighted this.
      Lerianis10
      • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

        @Lerianis10 is that the pres that had a vice that invented the internet
        pschmidtgesling@...
      • Really! Really!

        @Lerianis10
        Do you really think W was capable or desiring to render judgment on such a technical issue? George wanted to be Ronnie, but lacks the verve to pull it off.
        wsimpson58
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    Until they realise that security can't be an afterthought and that a system has to be built from the ground up with security as the No.1 priority this sort of thing will keep happening.
    AndyPagin
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @AndyPagin Even building from the "ground up" will NOT guarantee the pickup of bad stuff very quickly.
      twaynesdomain-22354355019875063839220739305988
  • Our cyber defense policy is really stupid

    Until we can attack the people that are attacking us (my servers get hammered hundreds of times each day), we're well and truly doomed.
    rick@...
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @rick@...

      Never going to be allowed to happen. First off, someone's system might have been hijacked without their knowledge, and when you attack them you are punishing them wrongly.
      Secondly, it is VERY HARD to trace back an attack today if people are using proxy connections and things that 'strip' identifying data out of their packets.
      Lerianis10
      • Not quite right

        @Lerianis10 That's not entirely true. When it comes to Joe Hacker who just wants to cause a little mayhem you're right, but make no mistake there are foreign powers attempting, and succeeding, in compromising our vital networks. Most notably China, although they won't admit to it. Considering our standard military doctrine is to match and surpass enemy capability then you should believe we have people doing the same thing. The only difference is that when one of ours compromises a Chinese system the Chinese don't run an article about it in the news.
        Str0b0
  • Vicious circle.

    Hacker (black hat) sometimes turn into White Hat.
    And White Hat is key for to create countermeasure and to protect their system.
    But, under the DMCA, hackers are illegals (almost terrorists) so, without hacker then there are not white hat, and without white hat then there are a expert in security.

    So, most of the security is based in foreign companies, mostly russian (or ex-russian).

    PS: ethical hacker courses are a joke.
    magallanes
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    Don't drink the water...and,

    Don't trust the vendors!!

    Hey David, what do you say we move the entire government off of Dell (all of the USAF bases I was at were splattered with Dell machines) and move them onto OS X?

    Hahaha! Thought that might make your head spin a little. But if all end users got Minis maybe we'd save on electricity?

    All joking aside, there were a number of years when I don't think matters were taken seriously enough and I believe it was partly a lack of pressure exerted by elected officials into putting resources into hardening. Now I believe we are in a game of catch-up, and at the worst possible time--when agencies need (or at least believe they need) access to everything at all times, and through the same machine.

    Bad practices all around.

    Your article even mentions the ingredients for the WikiLeaks event, and whether someone believes the public has a right to that data, I believe in all circumstances in a "wingman"--and data access quotas that require dual-member authentication to surpass.

    Maybe the army pvt was helped by his supervisor, but if his access to THAT much data were dependent on the servers logging an authentication of his supervisor's or coworker's CAC, I know he would have had to pry my card from my cold, dead, hands to gain access to it.
    lelandhendrix@...
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    The best thing that they could do is to have military flash drives (that are wiped on a regular basis) that never leave the building (unless someone is escorted) and computers that NEVER TOUCH THE INTERNET at all.

    Burning a CD just for a 13KB file like one person said he had to do recently is WASTEFUL in the extreme and unnecessary.
    Lerianis10
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    Here is another thing that I just thought of: why don't we just have almost all information UNclassified. There is no reason to have anything except current troop movements and locations classified.
    Lerianis10
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @Lerianis10

      I think your idea is the best. Our real enemy is our own incomprehensible foreign policy. What would we do without the Cuba embargo, for instance...

      gary
      gdstark13
      • RE: What would we do without the Cuba embargo, for instance...

        @gdstark13

        Easy, go sightseeing in Havana, of course.

        The embargo of Cuba does not truly hurt the Cubans, they simply do an `end run` around US. Florida is in a perfect location to reap the benefits of trade with Cuba, but.....

        Politics.

        It all boils down to who has the bigger set of cojones. Who is going to say `Uncle` first, US or the Cubans?
        fatman65535
  • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

    The clear pattern I see over and over is a FAILURE to learn from History! We are a REactive country, as much as we like to publicize how PROactive we are! To this country's nations, "proactivity" consists of telling someone else about it, figuring we did our duty, and moving on to something else more interesting. We're boring. And we're beatable if anyone ever thinks outside the wrong box.
    tom@...
  • What scares me is the Irish potato famine.

    Got your attention?
    The great famine in the mid 1800s has been reported to be due to the dependency of the Irish on the potato for food resulting in 1 million deaths and 1 million people fleeing the country. What a tragic situation as a result of a dependency on a crop monoculture.
    What scares me is the small number of types of Client and Server operating systems.
    That's close to a software systems monoculture.

    Server systems:
    The market is dominated by Linux and Microsoft servers.
    Of course there are mainframe operating systems that act as servers too.

    Client systems:
    Here Microsoft is dominant with some 91% of PCs running Windows.

    So will we have one day an attack that disables the dominant server and client operating systems?
    Could the defence for servers be to
    1. eschew the dominants
    and
    2. develop unique server systems for critically important defence systems?

    I can't envisage any defence strategy for client systems. OS/X systems share is some 5% and Linux distributions some 1%, others less than 1%.
    So what chance of a polyculture of client systems here?
    a foot in both camps
    • RE: Inside look at Pentagon's cyberdefense strategy: The battlefield beyond bad flash drives

      @a foot in both camps
      There are countless system architectures available, not just the two or three we use on our toy x86 boxes. There are highly classified operating systems designed specifically for high security work that are utterly unbreakable (don't bother googling, believe me you won't find anything). Problem is once some idiot provides an authenticated gateway to the web - the whole thing's screwed.
      AndyPagin