[Infowarrior] - Navy Next-Gen Network Looks Highly Vulnerable To Cyber Attack

Richard Forno rforno at infowarrior.org
Tue Jan 26 18:55:23 UTC 2010 

(Having done security reviews on NMCI years ago, I don't see the  
NextGen navy network faring any better than NMCI on the infosec  
front.  I was not impressed back then with how infosec, among other  
things, were handled on NMCI --rick)

LexingtonInstitute.org
January 26, 2010

Navy Next-Gen Network Looks Highly Vulnerable To Cyber Attack
Author: Loren B. Thompson, Ph.D.

http://www.lexingtoninstitute.org/navy-next-gen-network-looks-highly-vulnerable-to-cyber-attack?a=1&c=1171

The Navy Marine Corps Intranet (NMCI) is the biggest intranet in the  
world.
With 800,000 users, some people say the only network that's bigger is  
the
Internet itself. But NMCI has spawned more than its share of  
controversy,
because the Navy awarded a huge contract to Electronic Data Systems to  
run
every facet of the program for ten years. The contractor's role was so
expansive that it even owned the computers sailors used to access the
intranet. EDS made a lot of money on the program, but because it was
responsible for everything, it also got blamed for everything -- even  
when
problems were the inevitable result of the way the sea services  
operate. So
now that the ten-year contracting period is drawing to a close, the Navy
wants to take a different approach.

The Navy wants to unbundle various pieces of its intranet and parcel  
them
out to best-of-breed suppliers. Thus, the company running the help desk
might be completely different from the company providing the software.  
The
Navy would integrate the whole system, thereby eliminating the  
overbearing
influence of EDS (which, incidentally, is now part of tech giant Hewlett
Packard). It calls the new approach the Next Generation Enterprise  
Network,
or NGEN, and it plans to transition from NMCI to the successor system  
over
the next few years. Unfortunately, NGEN is a cyber disaster waiting to
happen.

The basic defect of the NGEN architecture is that every time you add  
another
contractor to the mix of suppliers, you introduce seams and  
discontinuities
into the system that can be exploited by intruders. Standards and  
practices
will vary from company to company, and clever hackers can figure out  
how to
leverage those difference to corrupt the system. For example, the  
company
operating the NGEN servers might ban portable storage devices or social
networking portals from its work environment, while the company  
running the
help desk might allow them. But a clever hacker could use a single  
cracked
door anywhere in the system to thoroughly penetrate the whole network.  
And
once they're in the system, rooting them out will be made harder by the
diversity of companies supporting NGEN.

Of course, the Navy has all sort of smart ideas for how to maintain  
security
across a system of system suppliers. But the simple truth is that the  
more
players there are, the harder it will be to enforce standards and  
prevent
intrusions. That's just common sense. For all of its supposed faults,  
the
current Navy Marine Corps Intranet is a remarkably secure network, and  
that
security is undoubtedly traceable in part to the fact that one company
oversees the whole enterprise. Breaking it up and parceling out the  
pieces
seems like a foolish idea at a time when everyone else in the  
government is
preoccupied with making information networks less vulnerable to  
intrusion.

More information about the Infowarrior mailing list