Risk
3/6/2013
03:33 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

U.S. Cybersecurity Status Weak, Reports Charge

DOD report says the military is "not prepared" for cyber war, while a White House report says agencies fall short of federal cybersecurity goals.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
The Department of Defense is "not prepared" to defend against sophisticated international cyber attacks, and government-wide, agencies have failed to meet some White House cybersecurity targets, according to two new reports.

Although the reports differ in tone and structure -- one demands urgent action by the military and the other is a straightforward compliance report -- together they underscore the hard work the government still has ahead of it as it faces an onslaught of increasingly sophisticated cyber attacks.

The report on the military, a study by the Defense Science Board, a civilian committee providing solicited scientific and technical advice to DOD leadership, finds that the Department of Defense is woefully unprepared to fight in cyberspace due to "inherently insecure architectures," fragmented efforts, "inadequate" intelligence and the sheer limits of today's technology.

[ Will the finger pointing only get worse? Read China Targets U.S. In Hacking Blame Game. ]

"Without an urgently implemented and comprehensive strategy to offset the cyber security threat, U.S. national objectives will be nearly impossible to achieve in times of crisis," said the report on the military. "Additionally, the long term loss of so much intellectual property and capability will result in a serious competitive disadvantage to the U.S. economy."

The report warns of cyber attacks that could disrupt military actions by turning U.S. weapons against its own troops, and of civilian attacks that could disrupt food and medical distribution systems and make transportation systems "useless."

Despite the committee's concerns, however, the Defense Science Board says it thinks the challenges manageable. "The Department can effectively manage the risks presented by the cyber threat," the report notes.

In order to meet the challenges, the report prescribes a set of actions the military must take, from more aggressive pursuit of cyber intelligence to the use of deterrence to improved cyber defenses, to the adoption of metrics to measure performance against the military's cyber goals.

The report calls on the military to develop offensive cyber capabilities, including the development of a formal career path for both civilian and military workers involved in offensive cyber "actions"; strengthen the "cyber resiliency" of military vehicles and weaponry from submarines to bombers; and establish an enterprise security architecture.

The report also encourages the DOD's CIO to work with the military branches to create an "enterprise security architecture" that includes minimum standards to ensure a "reasonable" level of defensibility, and to increase the probability that attacks are detected. The report recommends these standards be integrated as requirements in new acquisitions and that existing systems be audited to ensure that the architecture is in place.

Putting the report's recommendations into place will not come cheaply. The report estimates that just providing the resources necessary to secure the U.S. nuclear arsenal will cost more than $500 million annually. Implementing these changes will also take time. The report predicts that it will take "years" for the military to execute an "effective" multi-part response to cyber threats.

The White House report, meanwhile, says agencies have seen a drop in compliance with White House goals over the last year, although the report notes that this is "associated with adjustments and improvements to measurement methodology" as opposed to any actual weakening of the government's cybersecurity readiness.

The recalibration should help improve agencies' cybersecurity stances, but the need for recalibration itself shows that the White House has been operating with a less-than-complete picture of agencies' cybersecurity.

Regardless of the reason behind the decrease in agencies' compliance scores, the metrics aren't all rosy. Only half of the agencies measured reached the fiscal 2013 goal for automated asset management, and a third of agencies reported actual decreases in automated vulnerability management, for example.

The report also tracks compliance with a requirement that employees and contractors use Personal Identity Verification (PIV) cards to access federal IT systems. Most agencies fall short of this requirement. The DOD and General Services Administration are heavy users of PIV cards, but at half of the agencies surveyed, only 2% of employees were using the cards to access agency IT systems.

The White House report said that the Office of Management and Budget and the White House's National Security Staff will work with agencies that appear to risk failing to meet White House cybersecurity performance standards, either through metrics-heavy CyberStat meetings with top agency IT staff or by "other appropriate action."

Overall, the picture appears mixed for federal agencies. For example, agencies appear to be meeting or close to meeting minimum targets on continuous monitoring, strong authentication and the Trusted Internet Connections network connection consolidation effort. The White House projects that agencies will far outstrip initial goals by early next in fiscal 2014.

The government in recent years has been aggressively pushing to improve cybersecurity and to make sure that the military is ready for disruptive cyber attacks. Although the White House and DOD reports indicate less-than-complete progress toward those goals, they also by their very nature inch the government closer to meeting those goals.

Still, the reports show that much work is left to be done to bring agencies fully into line with White House goals, and perhaps more work is left to ensure that the military is able to adequately defend the nation in cyberspace.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lgarey@techweb.com
50%
50%
lgarey@techweb.com,
User Rank: Apprentice
3/8/2013 | 1:43:28 PM
re: U.S. Cybersecurity Status Weak, Reports Charge
That's discouraging, but I guess not surprising, as Deirdre says.
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
3/8/2013 | 1:15:50 PM
re: U.S. Cybersecurity Status Weak, Reports Charge
Lorna,

Sadly, bipartisan support for broader cybersecurity legislation has been hard to come by, and that has been the problem. Both the House and Senate have sought to improve cybersecurity in the DOD and modernize the legislation governing civilian agencies' cybersecurity. However, the Senate has sought to resolve cybersecurity issues comprehensively in one bill, and on other points there are significant differences between the parties.
Deirdre Blake
50%
50%
Deirdre Blake,
User Rank: Apprentice
3/7/2013 | 8:31:43 PM
re: U.S. Cybersecurity Status Weak, Reports Charge
I'd personally count on executive order for any action -- there is no such thing as "bipartisan" in the U.S. these days.
lgarey@techweb.com
50%
50%
lgarey@techweb.com,
User Rank: Apprentice
3/7/2013 | 6:49:25 PM
re: U.S. Cybersecurity Status Weak, Reports Charge
Nick, It seems like improving cyber security should be one place the administration can get bipartisan support. Is that the case? If so, do you see legislative action forthcoming, or will change happen mostly by executive order? Lorna Garey, IW Reports
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.