Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/24/2015
10:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Defense Secretary Outlines New Cybersecurity Strategy

Russian hackers were caught infiltrating unclassified military networks earlier this year, he said.

San Francisco -- While the security industry gathered in San Francisco for the massive RSA Conference, just down the road at Stanford University in Palo Alto, Defense Secretary Ash Carter described in a speech there the Department of Defense's updated cybersecurity strategy that includes more transparency about its mission and operations and a "renewed partnership" with the technology industry.

"As Secretary of Defense, I believe that we in the Pentagon – to stay ahead – need to change and to change we need to be open, as I say, we have to think outside of our five-sided box," Carter said in a speech at Stanford yesterday.

At the heart of the DoD's cyber defense strategy is deterrence, stopping malicious behavior before it occurs, and identifying from where the attack came.  "In some ways, what we’re doing about this threat is similar to what we do about more conventional threats.  We like to deter malicious action before it happens, and we like to be able to defend against incoming attacks – as well as pinpoint where an attack came from," he said. "We’ve gotten better at that because of strong partnerships across the government, and because of private-sector security researchers like FireEye, Crowdstrike, HP – when they out a group of malicious cyber attackers, we take notice and share that information."

But the deterrence strategy doesn't mean DoD won't take other actions when needed, he said. "And when we do take action – defensive or otherwise, conventionally or in cyberspace – we operate under rules of engagement that comply with international and domestic law."

"We must continue to respect, and protect, the freedoms of expression, association, and privacy that reflect who we are as a nation. To do this right, we again have to work together.  And as a military, we have to embrace openness," Carter said. "Today dozens of militaries are developing cyber forces, and because stability depends on avoiding miscalculation that could lead to escalation, militaries must talk to each other and understand each other’s abilities.  And DoD must do its part to shed more light on cyber capabilities that have previously been developed in the shadows."

Carter shared a story about an attack earlier this year on DoD's unclassified military networks by Russian hackers. "It's never been publicly reported," he said of the incident.

"Earlier this year, the sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks.  They’d discovered an old vulnerability in one of our legacy networks that hadn’t been patched," he noted.

The department detected the compromise and a team of incident responders was on the case within 24 hours, he said. "After learning valuable information about their tactics, we analyzed their network activity, associated it with Russia, and then quickly kicked them off the network, in a way that minimized their chances of returning."

Carter said the department also has a goal to better defend DoD information networks, lock down data, and protect military missions from cyberattack. "We do this in part through deterrence by denial, in line with today’s best-in-class cybersecurity practices – building a single security architecture that’s both more easily defendable, and able to adapt and evolve to mitigate both current and future cyber threats.  This to replace the hundreds of networks – separate networks – that we now operate in the Department of Defense," he said.

"We have to strengthen our network defense command and control to synchronize across thousands of these disparate networks, and conduct exercises in resiliency…so that if a cyberattack degrades our usual capabilities, we can still mobilize, deploy, and operate our forces in other domains – air, land, and sea – despite the attack," he said.

Carter this week ordered the consolidation of IT services in DoD and in the Washington, DC capital region, he said, for better defenses and cost savings.

Carter said DoD will work more closely with the FBI, DHS, and other law enforcement to strengthen its cyber operations. "There are clear lines of authority in our government about who can work where, so as adversaries jump from foreign to U.S. networks, we need our coordination with our government to operate seamlessly."

DoD's new cyber strategy information is available here

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/30/2015 | 11:34:08 PM
Re: Dont Let Bureaucracy Hinder Progress
...not that the federal government is known for adhering to its own self-imposed tech guidelines (see, e.g., IPv6 compliance).
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
4/24/2015 | 2:55:21 PM
Dont Let Bureaucracy Hinder Progress
I finally read the whole DoD cyber strategy.  Of particular interest (and a section I feel should have its own extensive document) is STRATEGIC GOAL III: BE PREPARED TO DEFEND THE U.S. HOMELAND AND U.S. VITAL INTERESTS FROM DISRUPTIVE OR DESTRUCTIVE CYBERATTACKS OF SIGNIFICANT CONSEQUENCE.

One point made within that section is:

* "Assess DoD's cyber deterrence posture and strategy. - Building off of the Defense Science Board's Task Force on Cyber Deterrence, U.S. Strategic Command (USSTRATCOM), in coordination with the Joint Staff and the Office of the Secretary of Defense, will assess the Department of Defense's ability to deter specific state and non-state actors from conducting cyberattacks of significant consequence on the U.S. homeland and against U.S. interests, to include loss of life, significant destruction of property, or significant impact on U.S. foreign and economic policy interests." 

  - "In conducting its analysis, USSTRATCOM must determine whether DoD is building the capabilities required for attributing and deterring key threats from conducting such attacks and  recommend specific actions that DoD can take to improve its cyber deterrence posture. Careful attention should be devoted also to deterring non-state actors that may fall outside of   traditional deterrence frameworks but which could pose a considerable threat to U.S. interests."

As with all bureaucracy, action is hindered by deep audits and analysis - the verbiage here concerns me in that I translate this to be a multi-year effort.  I'd be interested in seeing actual timelines and whether there is an escalation process in place to reach the recommendations phase so that implementation could begin more quickly.  This initiative to me is the most critical, time-sensitive and policy-shaping for future work in information security technologies.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.