The military faces shadowy enemies, adversaries who may have already acted against it but whose capabilities and intentions are not entirely known. Terrorist groups regularly threaten to wage war in the virtual theater, and there's also the threat of cyber-attacks by rogue nations.
The armed services have implemented measures to protect their systems from enemy infiltration but acknowledge that more can be done. The military could take a cue from the financial services industry, which beefed up its systems security after the Sept. 11, 2001, attacks. Any such program must include the elements of technology, physical security and personnel training.
Terrorist groups may be interested in launching a cyberattack because it is "a more feasible and less expensive approach than more conventional approaches," said Thomas Mahnken, visiting fellow at the Johns Hopkins University School of Advanced International Studies. "It has been demonstrated that attacking the United States head-on is not a winning strategy."
And the threat of other nations taking a cyber option is more than mere speculation. In their book, Unrestricted Warfare, authors Qiao Liang and Wang Xiangsui, two Chinese Army colonels, propose attacking an enemy nation's systems as part of a new warfare paradigm for state-on-state actions. The colonels suggest a "combination method" that would pair the systems attacks with military strikes.
On the Alert
A recent Defense Department assessment concluded, "China is likely to continue making large investments in high-end, asymmetric military capabilities, emphasizing electronic and cyberwarfare." The department's "Military Power of the People's Republic of China 2006" also notes the formation of information warfare units that would support military forces "by conducting hacker attacks and network intrusions, or other forms of cyberwarfare, on an adversary's military and commercial computer systems."
Defense officials have acknowledged that hackers based in China have been successfully penetrating U.S. military networks since 2001, according to Clay Wilson, a researcher with the Congressional Research Office. Wilson contends that hackers have already broken into networks — most of them unclassified — at the Army Information Systems Agency, Naval Ocean Systems Center, Defense Information Systems Agency, and Army Space and Strategic Defense installation.
The Air Force has also been victimized. "We're getting better at securing our networks, but attacks continue to happen every day," says Lt. Gen. Michael Peterson, the service's CIO. Perpetrators manipulate users to give up identity information that can then be used to steal sensitive information, he says.
Spearphishing, a phishing ploy targeted at a select group of users, "could get users to download a program that gives outsiders a back door into the system," adds Alan Paller, director of research at the SANS Institute of Bethesda, Md. The hackers "can send an e-mail to users and make it look like it's coming from their colonel," he explains. "Eight percent of people fall for this, even after a four-hour security awareness class."
Exactly who is behind current network penetration activity is not known, says Sami Saydjari, president of the Cyber Defense Agency, a consultancy in Wisconsin Rapids, Wis. "We don't have a smoking gun, and there is no evidence anyone has pre-placed Trojan horses in strategic systems."
But Saydjari adds that any number of national and transnational organizations have the capability or are developing the capability to penetrate the government's networks. These attackers "have the means, motive and opportunity, so it's only a matter of time before they launch a strategic attack," he says. He rates the chances of such an attack at 30 percent within the next five years.
This level of vulnerability has come about, according to Paller, because "there are no readiness measures for cybersecurity, like the military has for equipment and personnel. Instead, they have certification and accreditation of systems," he says. "That's like checking an airplane once every three years. You need continuous and much tighter monitoring."
At the Perimeter
The Air Force's network security program revolves around improving network command and control and enhancing access and rights management, Peterson says. Tightening up command and control has involved consolidating the number of access points to networks. Previously, every base had its own network entry points, adding up to several hundred vulnerability points, Peterson notes, "which made security difficult to manage, control and monitor." By contrast, today the Air Force has limited the number of network gateways, he says.
The implementation of the Common Access Card program has also improved the service's ability — and that of organizations across DOD — to manage user access and rights privileges, Peterson notes. Previously, single-password logins, if compromised, gave perpetrators systemwide access in some cases. But each CAC login requires two forms of authentication — the user's card and a personal identification number.
Security experts, such as SAIS' Mahnken, SANS' Paller and author Winn Schwartau, say that although the Air Force's efforts make sense and are a good start, DOD needs to do even more. The fact that agencies overall continue to garner "D" grades on Congress' annual security report card backs up the contention that IT security remains elusive.
The military could do more by "taking a page from private industry's book," particularly from the efforts of financial services, Schwartau says. Financial institutions came to grips with information security after the World Trade Center attacks, he says, and realized that the best practice for IT security requires "logical, physical and people security working together."
Mahnken adds, "The private sector seems to be able to do things much more seamlessly."
Paller says the key to improving military cybersecurity involves a fundamental change "from believing that the perimeter will protect you to knowing that you have to protect every system and every user. You have to encrypt even when you don't think you need to. You need to turn off unneeded services on boxes that you thought were protected because they were behind a firewall. You must require users to demonstrate they are competent at resisting spearphishing."
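The shift Paller describes, from trusting the perimeter to auditing every host, can be made concrete with a small per-host service check. The following is an added example, not code from the article or from any of the organizations it quotes; the inventory, the per-role allowlist and the cleartext-protocol table are all constructed for illustration.

```python
"""Per-host service audit illustrating the 'protect every system' stance.
Added example with a constructed inventory; not from the article."""

from dataclasses import dataclass

# Assumed policy (constructed): ports a host of a given role legitimately needs.
ALLOWED_BY_ROLE = {
    "web": {22, 443},
    "mail": {22, 25, 587, 993},
    "workstation": set(),
}

# Cleartext protocols and the encrypted replacement they should be moved to.
CLEARTEXT = {
    21: "ftp -> sftp/ftps",
    23: "telnet -> ssh",
    80: "http -> https",
    110: "pop3 -> pop3s",
    143: "imap -> imaps",
}


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    behind_firewall: bool
    listening: frozenset  # TCP ports with a listening service


def audit_host(host):
    """Return (severity, message) findings for one host.

    The firewall flag is deliberately ignored: the same rules apply to
    every box, whether or not it sits behind the perimeter."""
    findings = []
    allowed = ALLOWED_BY_ROLE.get(host.role, set())
    for port in sorted(host.listening):
        if port in CLEARTEXT:
            findings.append(("high", f"{host.name}: port {port} is cleartext; {CLEARTEXT[port]}"))
        if port not in allowed:
            findings.append(("medium", f"{host.name}: port {port} not needed for role '{host.role}'; disable it"))
    return findings


def audit(hosts):
    """Audit every host in the inventory."""
    return {h.name: audit_host(h) for h in hosts}


def perimeter_only_audit(hosts):
    """The mindset Paller argues against: trust the firewall and audit only
    the hosts that are directly exposed."""
    return {h.name: audit_host(h) for h in hosts if not h.behind_firewall}


def summary(report):
    """Count findings by severity across a report."""
    counts = {"high": 0, "medium": 0}
    for findings in report.values():
        for sev, _ in findings:
            counts[sev] += 1
    return counts


# Constructed inventory: a web server with a stray database listener and an
# unencrypted HTTP port, a workstation running telnet and SMB, and a clean mail host.
INVENTORY = [
    Host("web01", "web", True, frozenset({22, 80, 443, 3306})),
    Host("ws-17", "workstation", True, frozenset({23, 445})),
    Host("mail01", "mail", False, frozenset({22, 25, 587, 993})),
]

if __name__ == "__main__":
    full = audit(INVENTORY)
    for findings in full.values():
        for sev, msg in findings:
            print(f"[{sev}] {msg}")
    print("every-host audit:", summary(full))
    print("perimeter-only audit:", summary(perimeter_only_audit(INVENTORY)))
```

Run on the constructed inventory, the perimeter-only view reports nothing, because the two misconfigured hosts sit behind the firewall, while the every-host audit flags the cleartext listeners and the unneeded services on both of them. In practice the `listening` sets would be populated from host inventories or scan output, and the allowlist from the system's accreditation baseline.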
The only fix for spearphishing, according to Paller, is a people solution, a method he terms inoculation. "You run spearphishing exercises on all of your people multiple times," he says.
The New York State government is the only place where such an exercise has been run, according to Paller, and the results have been quite effective. But many organizations are reluctant to run such drills, he says, "because they don't want to be seen fooling their own employees."
But it's needed, Paller says, putting it simply: "You have to confront the people who fall for it until they don't fall for it anymore."