[ISN] DOD's 'Manhattan Project'

InfoSec News isn at c4i.org
Thu Sep 8 02:36:26 EDT 2005

Forwarded from: matthew patton <pattonme at yahoo.com>

> Unless DOD changes how it operates and learns to defend its cyber
> networks, many military experts say it will not be able to wage an
> effective battle in the cyberwar that is emerging as the 21st
> century's biggest challenge.

I don't go much for this bit about cyberwar this and that. Bombs, guns
and boots on the ground is what ultimately matters. But if an
adversary can jam and interfere with communications, then yes it
affects the delivery of the above. I do think DoD has to take a look
at their comm systems and their comm demands and figure out if the
equipment they have or intend to rely upon, will be available when
push comes to shove. Frequency hopping and line encryption is no
longer the exlusive domain of tier-1 militaries. But I'm sure people
far smarter than me have looked into that by now.

> The Pentagon is at a crossroads, said Air Force Lt. Gen. Charles
> Croom, the new director of the Defense Information Systems Agency
> and commander of the Joint Task Force for Global Network Operations
> (JTF-GNO). "Networks are too important to the warfighter to not have
> them when the warfight begins," he said.

So does this mean DoD/OSD firewalls are going to change to deny
everything and then explicitly allow, and be VERY careful and
deliberate about what they allow? The Pentagon's primary problem is
pandering - pandering to senior officers and officials. How many E3's
let alone junior officers and contractors who are theoretically
following or at least trying to follow STIGs are going to refuse to
back down when the O6 or UnderSecretary is bellowing that "by god I
will have my fill_in_the_blank"? Something as mindless as forcing the
screen to lock out after 10/15min of inactivity can nearly cause a
revolt. Where are the senior managers who instead of signing some lame
waver throw the people out of their office and tell them in no
uncertain terms to figure out how to do something in a secure fashion?

If the proper and secure solution is not convenient, then it's just
too damn bad. Do it the right way or don't do it at all. No more of
this tolerating substandard contractors and staff alike who refuse to
spend any effort on doing things the secure way. It's not good enough
to have a 'firewall' and then continue to be just as sloppy on the

The military is used to operating in top-down mode. So how come there
isn't a IAP-wide ban on telnet, cleartext ftp, RPC, NFS etc?
Everything that is not designed or implemented correctly gets turned
off. Period. No exceptions. Sure there will be a lot of silly
screaming and temper tamptrums, but the SecDEF on down need to get the
message that sloppiness impacts the mission and costs lives. If a
content creator can't upload to the web staging server because the "no
clear ftp" rule is in effect, it's not time to browbeat or sidestep
the policy, but rather time to get jumping ugly with the sysadmins who
host the web content server to get their act together already.

If the 'brass' won't even play by the rules and lay a heavy hand on
their staff who don't want to either, then the General is wasting his
breath. (Un)fortunately this is not just a problem in the military.
Plenty of Fortune 100's on down who have legal, regulatory, and
business critical justifications to clean up their act, are no more
interested in fixing their messes either.

> Croom said DOD approaches computer network defense by emphasizing
> convenience to users, but the department's future information
> assurance strategy should tilt toward adding security.

I'd frankly settle for competence on the part of system admins instead
of what we have now which is lazyness, lack of basic skills and
knowledge, and an attitude of security doesn't matter. Security is
hard and inconvenient. And since it is, they don't want to do it.
Those organizations that have staffers who care, routinely cut
themselves off from the rest of the Pentagon and take matters into
their own hands. Part of the justification is defense-in-depth. But a
big reason is that Pentagon/DoD network security simply can't be
relied upon.

I don't care if the other 30,000 computers in the building are owned
by the military, they have no business being able to see or connect to
my machines and neither do my machines have any business messing with
anybody else. It is up to me to protect my users, and to protect the
rest of the world *from* my users. That is my job. Few of my peers see
it that way though.

> "The threat is great," Croom said. "It requires constant vigilance."

well, how "great" does it have to get before the boot comes stamping
down hard on 20 years of institutionalized carelessness? Organizations
hate to change. Do we have to blow up the building a second time?
Who's going to put the screws to the service CIO's and bring them to
account? Who will in turn roll that snowball down the hill?

DoD had a decent rating/tracking system for patch management and if an
organization failed to keep abreast, it was plain to see. Granted it
worked on the honor system and public humiliation, but why not put
some real teeth in it and tie salaries to network security metrics? If
say the OSD CIO was forced to take an 50% pay cut, and the rest of the
managers on down the line, I think we'd find some boots firmly planted
in some butts. All of a sudden, all those excuses why security
couldn't be done or why NT4 can't be turned off would evaporate like
the morning mist. DITSCAP and other accredidation initiatives were a
good idea. But what is useful about documenting the often glaring
security deficiencies (assuming they were even recognized and
identified as such) and getting somebody who won't be held accountable
to sign off on them? Why aren't organizations forced to go back and
FIX the problems?

> DOD turned to procurement to support these policies and develop new
> kinds of defenses for cyberattacks. First, the department chose
> Retina from eEye Digital Security to scan computers for
> vulnerabilities.  Then, DOD selected Hercules from Citadel to patch
> computers. Next, the department built a new multimillion-dollar
> command center to monitor global network operations and picked
> PestPatrol, antispyware from Computer Associates International. DOD
> will soon begin testing Pest Patrol before introducing it later in
> the year.

This technology is all fine and good. But Security is not a technology
problem. It's a people problem. No amount of
Hercules/PestPatrol/NortonAV is going to fix, fundamental network
engineering mistakes. The services don't necessarily have a massive
patch management problem (though there are some that need motivating),
they have a network architecture and mindset problem.

I've got an Nokia IPSO sitting on a rack. It's been there for 3 years.
OSD tossed it at us and I guess figured we'd do something with it.
Well, it's been acting as a doorstop and dust collector all this time.
Nobody here knew what to do with it or had the necessary motivation
(personal or organizational) to figure it out and engineer the network
to make use of it. Within hours of arrving and being informed of my
mission I asked where our firewall was and discovered our all too
typical state.

> "This is the equivalent of the Manhattan Project," Lentz said. "I
> will say we are at that level of seriousness of securing this
> massive network."
> Every four hours, he said, the equivalent of the entire Library of
> Congress' archives travels on DOD networks. To wage network-centric
> warfare, he said, the department's 4 million users must trust the
> confidentiality of the information that crosses GIG and be assured
> of its availability.

The amount of packets or the number of interconnects is not important.
Security done right all the way to the lowest levels makes a large,
complex problem quite manageable. And that is where most organizations
(incl the gov't) fall flat on their face. When the department doesn't
bother to practice good security, then it makes the division's job
considerably more difficult. It's up to the division to cut the
department off until they get their act straight. And on up the food
chain. But if there are no marching orders and feet held to real
fires, then nobody has incentive to put the screws hard to the people
under their command. In the Army, god help the Lt. who has a member of
his squad lose a case of ammo on an exercise. Is doing computer
security that unimportant?

> "The risk of losing the engagement because the systems were hacked
> grows explosively," Paller said. President Bush has pledged to
> defend Taiwan if China attacks. And DOD has said the new local
> warfighting strategy of China's People's Liberation Army is to use
> computer network operations to seize the initiative and gain
> electromagnetic dominance early.

I can appreciate the vital significance of communications and data
feeds in dealing with the fog of war. But we have mobile comm groups
for a reason. Yes, it would be inconvenient not to be able to use the
Taiwan phone system to interconnect battalians in the field with
tactical HQ. But something tells me the Chinese will 'win' in Taiwan
and it has nothing to do with their h4x0r skills or Taiwan's
lackadaisical attitude toward infrastructure security. Then again is
it Taiwan's fault or more the telco provider itself who could care
less about the security of the product (hardware and especially
software) it sells? Homeland Security has been beating their drum for
a while now. Look what Cisco pulled at BlackHat. If we're all in this
together, how come commercial entities continue to downplay their
"social obligations"?

This latest worm knocked out what, several banks, an auto plant and
probably lots of other lesser targets. I'll bet some pointed questions
have been asked by now. But did anybody learn a lesson? Or are we just
doomed to repeat the same idiocy the next time around?

More information about the ISN mailing list