[Infowarrior] - Cyber-Fu Panda

[Richard Forno]

Cyber-Fu Panda
Posted by Bill Sweetman at 7/15/2011 6:52 AM CDT 	
	                                 		
http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckScript=blogScript&plckElementId=blogDest&plckBlogPage=BlogViewPost&plckPostId=Blog%3A27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3A23107949-f170-4435-a09c-2b919a890b61
		
Only five or six years (but who's counting) after the Advanced Persistent Threat was first detected, jimmying away at every portal in the US defense and defense-industry database, the Pentagon has a cyber-strategy, unveiled on Thursday. 

It's focused on defense and is crafted to sound inoffensive - in part to allay fears that the US wants to militarize cyberspace. The strategy's "overriding emphasis is on denying the benefits of an attack", says deputy defense secretary William Lynn, spokesman for the new approach. 

That's a great idea, in theory. It's rather like using civil defense as a major element of nuclear deterrence. As Lynn and I are both old enough to remember, that was a much ridiculed approach back in the 1980s. And, as of now, it doesn't seem to be working at all. 

Back in March, Lynn says, a foreign intelligence agency hit a major defense contractor and exfiltrated 24,000 files concerning a developmental system. The Pentagon is still reviewing whether the system (which Lynn did not identify) will need to be redesigned, and to what extent.

That can be necessary if the compromised information would not only help the intruder to develop similar systems, but to develop methods of attack and defense against US systems. Classic example: the CIA's infiltration of Russia's Phasotron radar development bureau. After it was discovered (courtesy of the turncoat Edward Howard) the Soviet Union was forced to redesign the radar systems of the MiG-29 and MiG-31 fighters.

Big difference: The CIA's agent, Adolf Tolkachev, was arrested and unfortunately expired while assisting the KGB with their enquiries. The US is not even publicly identifying the nation involved in the March exploit (and terabytes of others) but here is a clue:

(insert pic of cute panda munching on bamboo shoot  --rick)

As Lynn says, "we have complex economic and military ties" to many nations. However, it's possible that the policy of refusing to identify "the panda in the living room" could lead to the implementation of blanket security policies designed to protect everything against everybody, where more targeted measures might be more effective.

Something of the sort may be under way under the Defense Industrial Base Cyber Pilot program, which was first unveiled in June. Under that program, classified threat intelligence is shared with defense companies and their internet service providers to allow them to strengthen their defenses.

But DIB Cyber Pilot is just beginning to address the problem, with fewer than a couple of dozen major contractors involved. Decisions as to whether it could be expanded vertically (into the supply chain) or horizontally (into non-defense infrastructure) remain to be taken. It's also a temporary, 90-day effort, partly because nobody has quite decided who will pay for upgraded security. For 90 days, Lynn says "people are willing to hold their breath and wait to know who pays for it." 

Two more observations. One is from yesterday's roll-out of the new policy at the National Defense University:  How is the Pentagon/DC culture of suits, ties and white-haired Kennedy bouffants, where everyone stands as the bosses enter the room, and 20-year R&D programs are called successful, going to keep pace with hackers, who - according to their attack fingerprints - are often criminals under contract to governments?

The other question:  Which program was compromised in March? All I can say is that if I was a curious panda, my first targets would not be MRAPs or GCVs - I would be looking at missile defense, or JSF. And which of those just had its Defense Acquisition Board review delayed at the last minute?