(LiveHacking.Com) – It should be assumed that foreign spies have penetrated the US military networks was the message sent to American’s politicians last week when security experts testified at hearings held by the US Senate Armed Services Committee on cybersecurity. The committee was told that enforcing a perimeter to keep out spies is unsupportable, and that the US should assume that its networks have already been fully penetrated. Instead, the committee was told, cyberdefence should be about protecting data not controlling access.
“We’ve got the wrong mental model here,” said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. “I think we have to go to a model where we assume that the adversary is in our networks.”
As part of a prepared statement to the committee Dr. Peery said “A silver bullet for solving the ‘cyber problem’ for DoD, DOE, dot-gov or the private sector does not exist. It is impossible to make an absolutely secure information technology (IT) system.”
Dr. Kaigham Gabriel, current head of the Defence Advanced Research Projects Agency, likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean. The DoD oversees 15,000 networks that connect about seven million devices which presents numerous security challenges to the DoD. These challenges include:
- Attackers can penetrate our networks: In just 3 days and at a cost of only $18,000, the Host-Based Security System was penetrated.
- User authentication is a weak link: 53,000 passwords were provided to teams at Defcon; within 48 hours, 38,000 were cracked.
- The Defense supply chain is at risk: More than two-thirds of electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries.
- Physical systems are at risk: A smartphone hundreds of miles away took control of a car’s drive system through an exploit in a wireless interface.
- The United States continues to spend on cybersecurity with limited increase in security: The Federal Government expended billions of dollars in 2010, but the number of malicious cyber intrusions has increased.
With regards to cyber offense (rather than defense) Dr. Gabriel wrote: “DARPA’s belief is that the Department must have the capability to conduct offensive operations in cyberspace to defend our Nation, Allies, and interests. To be relevant, DoD needs cyber tools to provide the President with a full range of options to use in securing our national interests. These tools must address different timescales and new targets, and will require the integrated work of cyber and electronic warfare at unprecedented levels.”
Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a shortage of talent. Historically, the government has lost about one percent of their IT talent annually; this year the government is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of the NSA resigns from their position as opposed to retiring. Within the NSA’s IT staff, that figure is 77 percent resigning as opposed to retiring.