More efforts needed to thwart cyberthreats

More research needed to determine how best to protect department, official says

The Defense Department is still vulnerable to a number of cyberthreats, and further research needs to be done to determine how the department can best be protected, DOD's top information assurance official said recently.

The threat of cyberterrorism is still a concern and more needs to be done to ensure the department's protection, Robert Lentz, DOD's director of information assurance, told the House Armed Services Committee's Terrorism, Unconventional Threats and Capabilities Subcommittee.

"As our dependence on information networks increases, it creates new vulnerabilities, as adversaries develop new ways of attacking and disrupting U.S. forces," Lentz said. "Everyone who uses, builds, operates, researches, develops, tests and explores information technology is responsible" for information assurance.

The department has shifted its focus in recent years to buying industry-proven, commercial off-the-shelf (COTS) products. Unfortunately, holes repeatedly emerge in the code, requiring security patches, and the code is often written by people in foreign countries with no security clearance, some experts say.

"Over the past two decades, the policy of using COTS products, whenever possible, has provided a great benefit to the military and the taxpayers," said Eugene Spafford, a professor and director of the Center for Education and Research in Information Assurance and Security at Purdue University. "But there are some downsides to the department's increased dependence on COTS" products.

Namely, much of the commercial software used by DOD agencies was never intended to be subjected to the significant threat level of DOD's networks. Spafford noted the inability to determine the code's authors or what their intentions or politics may be.

Using foreign labor "has been wonderful for the economy," he said, "but it has introduced tremendous vulnerability to our software."

Last year alone, the department defended itself against 50,000 attempts to gain access to the network, according to Lentz.

A General Accounting Office report released in July said DOD does not yet have the policies to guarantee tight information assurance or methods by which it can enforce its policies.

In the past few years, DOD officials have undertaken a departmentwide information assurance program and issued policy guidelines.

But, the report said, DOD "does not have the mechanisms in place for comprehensively measuring compliance with federal and defense information security policies and ensuring that those policies are consistently practiced throughout DOD."

Robert Dacey, director of GAO's information technology team, credited DOD with being one of the most advanced agencies or departments for which information assurance is a concern. But he added that DOD's work is too important to be left unprotected.

Jim Saxton (R-N.J.), chairman of the House subcommittee, called information dominance the "cornerstone of the department's force transformation for the 21st century."

"Armed with incredible capabilities, our military forces have gone into battle with more situational awareness than any other troops in history," Saxton said. "While new technological advances bring information superiority, [they] also bring new responsibility and challenges."

Rep. Marty Meehan (D-Mass.) expressed concern about groups like al Qaeda running terrorist computer training camps.

"Have we done an analysis of terrorists training in cyberterrorism?" he asked. "Are there terrorist training camps for computer geeks?"

In response, DOD's Lentz said that particular topic would be better addressed in a classified setting.

Purdue's Spafford satisfied Meehan's curiosity when he said that virtually anybody with an Internet connection can get the information necessary to launch a successful cyberattack on nearly any computer network.

***

Pros and cons of commercial software

Pros:

* Costs less to buy than to develop in-house.

* Tested through rigorous methods and techniques.

* Tech support available any time, anywhere.

* One definitive point of contact for problems, errors and holes.

Cons:

* Security is an issue, and patches are constantly being updated.

* Individuals writing code seldom undergo security background checks.

* Individuals writing code are often from foreign countries and are difficult to monitor.

* Fragmented, disparate defense networks can be more complicated than the networks for which the commercial software was intended.
