[ISN] Fortifying DOD's network defenses

InfoSec News isn at c4i.org
Tue Sep 27 02:09:33 EDT 2005


By Frank Tiboni
Sept. 26, 2005 

Defense Department officials can implement a mixture of technologies
and procedures to fortify the department's computer networks, but real
protection requires designing a new generation of systems and security
tools, a leading computer scientist said.

Eugene Spafford, a computer sciences professor at Purdue University
who has testified before Congress on cybersecurity, questions whether
it's possible to develop new systems without investing in long-term

Attacks on DOD computer networks are on the rise as adversaries
attempt to bypass the United States' formidable defenses and launch
attacks from the inside out, experts say.

Defending DOD's networks will require a combination of efforts,
Spafford said.

He outlined six steps DOD could take to strengthen the department's
network defenses. They are:

* Buying systems based on security features rather than cost.

* Limiting access to systems.

* Removing systems from networks unless those systems are absolutely

* Restricting who can add hardware and software to networks.

* Requiring proper training and supervision for network managers and
  computer users.

* Establishing careful network-monitoring practices.

But Spafford said incremental changes will not strengthen existing
networks and a whole new approach is needed.

"Unfortunately, the government is not funding much research in
cybersecurity and almost none in long-range research," said Spafford,
who is also executive director of Purdue's Center for Education and
Research in Information Assurance and Security. He cited President
Bush's decision in June to let the President's Information Technology
Advisory Committee expire without reappointing current members or
selecting new ones.

Spafford said the threat to DOD networks is varied and complex. "In
large part, the systems used are based on commercial products that
were never written for high-security environments," he added.

Spafford said misconfigured or misapplied patches create
vulnerabilities that are exacerbated by having systems linked

"It means that any weak point can be accessed from all sorts of places
and can in turn reach out to damage lots of other military systems,"  
he said.

Clint Kreitner, president and chief executive officer of the Center
for Internet Security, a nonprofit organization that helps government
and industry officials better manage computer security risks, said DOD
should limit access to certain networks.

Alan Paller, director of research at the SANS Institute, said
government and industry should avoid using new information assurance
technologies that vendors claim are impervious to attacks. Instead, he
said, they should anticipate new threats 18 months in advance and
develop technologies and policies to address them.

A Defense Information Systems Agency official said DOD relies on a
sophisticated approach to information assurance. The official added
that the department is changing how it builds systems by moving to a
service-oriented architecture that will make IT services widely
available on the network and improve data sharing governmentwide.

"We are doing this in order to make more and better data available to
more people in DOD and to our partners, and as a way of increasing our
agility and our ability to innovate in the development of warfighting
processes based on these services," the DISA official said.

DOD also changed its approach to network operations. The official said
the department has moved to a structure that puts the Joint Task
Force-Global Network Operations in charge of operating, managing and
defending DOD's information infrastructure, with organizations in the
military services reporting to the joint task force.

DOD relies on its global networks and IT to achieve its mission, and
the country's adversaries recognize DOD's dependence on networks and
electronic information, the DISA official said.

"The DOD networks are very large," the official said. "So we have many
challenges in synchronizing the many IT efforts and security for these
across this vast infrastructure."
