Congress warned that military systems may already be pwned
Radical rethink of computer security needed
Security experts testifying at hearings held by the US Senate Armed Services Committee on cybersecurity have warned that maintaining a perimeter to keep out spies is unsupportable, and that the US should assume that its networks have already been fully penetrated.
"We've got the wrong mental model here," said Dr. James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. "I don't think that we would think that we could keep spies out of our country. We've got this model for cyber that says, 'We're going to develop a system where we're not attacked.' I think we have to go to a model where we assume that the adversary is in our networks. It's on our machines, and we've got to operate anyway."
The committee heard that the US Department of Defense (DoD) operates over 15,000 networks with around seven million computing devices, and protecting them against hacking was virtually impossible, particularly in light of the increasing complexity of both the devices and the software that runs on them.
The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have for many years been working on systems that protect data rather than network boundaries. Such principles might be antithetical to the military mind, but Dr. Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective anyway.
"Modern operations will demand the effective use of cyber, kinetic, and combined cyber and kinetic means," he suggested. "The shelf-life of cyber tools and capabilities is short – sometimes measured in days. To a greater degree than in other areas of Defense, cybersecurity solutions require that DoD develops the ability to build quickly, at scale, and over a broad range of capabilities."
Cyber arms races are all well and good, but Dr. Michael Wertheimer, head of research at the National Security Agency (NSA), warned that the US is also facing an increasing intelligence gap, as not enough citizens have the skills of online defense. In 2010 there were just 726 computer science PhDs awarded to US citizens, and only 64 of them signed up for government service.
The open session of the committee hearings can be viewed here.
COMMENTS
Anyway, all the real data is transmitted by carrier pigeon.
There's a flap for that.
Re: Numpties, the lot of 'em.
"Just because your OS of choice has been seen by a 'BUNCH OF PEOPLE' does not make it more secure or any less likely not to have back doors in it. ( I read both your links)"
Actually, in principle, it does.
One of the key techniques developed and used by the people who built the Space Shuttle software was *exactly* that.
Multiple *eyeballs* on the same piece of code.
Likewise putting "If userID = john-q-hacker copy(unencrypted_password_file, local_output)" in the source would also be pretty obvious.
Relying on the fact the software *is* closed source is just another version of security-by-obscurity.
IT security is one area where *transparency* is the best policy. The *odds* are that the white hats outnumber the black hats and will find more bugs faster. SBO did not work for GSM, the Charlie Card, the Ti Keylock remote car and garage door opener chips or a bunch of other systems.
The (open source) DES standard stayed secure for *decades* and people were able to recognize *when* it was starting to become insecure because they knew its computational complexity, like RSA key lengths.
Re: They might like to start with reviewing clearance levels for staff.
If anybody had inspected the logs periodically Mr Manning would have been caught very early. The problem is all these "Executive" f$ckers who can't be bothered to set up processes which do create serious security.
All they can do is to wring hands and fork over billions every year to Lockheed Martin, Raytheon, ITT and the rest of this mafia. They are still in search of the Silver Bullet when the solution lies in well-paid, non-overtimed and respected system administrators who have time to look at logs. And have time to write perl scripts for log analysis, as opposed to swearing at the latest incarnation of crap from Locktit Martin.
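The periodic log inspection the commenter calls for, as an added example that is not part of the article or of any comment: a small review script in Python rather than Perl. It scans a retrieval audit log, finds any user whose number of document retrievals inside a sliding ten-minute window reaches a threshold, and reports how much of that user's activity fell outside working hours. The log format, user names, object ids, window, threshold and working-hours bounds are all constructed for the example; a real deployment would take them from the system being monitored.

```python
"""Periodic review of a document-retrieval audit log for bulk-download outliers.

Added example; not code from the article or from any commenter. The log format
("<ISO timestamp> <user> <action> <object>") and every value below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: three users with normal daytime activity and one
# user pulling a dozen documents in 22 seconds late in the evening.
SAMPLE_LOG = """\
2010-03-01T09:00:05 alice RETRIEVE doc-1001
2010-03-01T09:01:10 alice RETRIEVE doc-1002
2010-03-01T09:02:15 bob RETRIEVE doc-2001
2010-03-01T09:02:40 carol RETRIEVE doc-3001
2010-03-01T09:03:00 bob RETRIEVE doc-2002
2010-03-01T22:10:00 dave RETRIEVE doc-4001
2010-03-01T22:10:02 dave RETRIEVE doc-4002
2010-03-01T22:10:04 dave RETRIEVE doc-4003
2010-03-01T22:10:06 dave RETRIEVE doc-4004
2010-03-01T22:10:08 dave RETRIEVE doc-4005
2010-03-01T22:10:10 dave RETRIEVE doc-4006
2010-03-01T22:10:12 dave RETRIEVE doc-4007
2010-03-01T22:10:14 dave RETRIEVE doc-4008
2010-03-01T22:10:16 dave RETRIEVE doc-4009
2010-03-01T22:10:18 dave RETRIEVE doc-4010
2010-03-01T22:10:20 dave RETRIEVE doc-4011
2010-03-01T22:10:22 dave RETRIEVE doc-4012
"""


def parse_log(text):
    """Yield (timestamp, user, action, object) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def retrievals_by_user(text):
    """Group RETRIEVE timestamps per user, sorted, so windows can be scanned."""
    per_user = defaultdict(list)
    for ts, user, action, _obj in parse_log(text):
        if action == "RETRIEVE":
            per_user[user].append(ts)
    for times in per_user.values():
        times.sort()
    return per_user


def find_bulk_retrievers(text, window=timedelta(minutes=10), threshold=10):
    """Return {user: peak} for users whose peak count of retrievals inside any
    single sliding window of length `window` reaches `threshold`.

    A two-pointer sweep over the sorted timestamps keeps this linear per user.
    """
    flagged = {}
    for user, times in retrievals_by_user(text).items():
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def after_hours_fraction(text, user, day_start=7, day_end=19):
    """Fraction of `user`'s retrievals outside [day_start, day_end) local hours.

    Working-hours bounds are constructed; 0.0 is returned for unknown users.
    """
    times = retrievals_by_user(text).get(user, [])
    if not times:
        return 0.0
    outside = sum(1 for ts in times if not day_start <= ts.hour < day_end)
    return outside / len(times)


if __name__ == "__main__":
    for user, peak in find_bulk_retrievers(SAMPLE_LOG).items():
        share = after_hours_fraction(SAMPLE_LOG, user)
        print(f"{user}: {peak} retrievals in one window, {share:.0%} after hours")
```

Run periodically (a cron job is enough) against the previous day's log and have a person read the output: on the constructed data only dave is reported, because his twelve retrievals in one window clear the threshold and all of them fall outside the working-hours bound. The threshold and window should be set from a baseline of normal activity for the system in question rather than copied from this example.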