Previously classified: malware's role in Pentagon attack
In a day which started with news about a rogue robot helicopter buzzing the Washington, DC air defense identification zone (ADIZ), today's confirmation about the intent of the Pentagon malware loaded from a USB drive brings a startling reality home: whether or not we all believe in cyberwarfare, others on this blue-green world do. More important, our corporate network interconnectivity may make our partners vulnerable ñ and make us more vulnerable through our partners.
Right now, more than 100 foreign intelligence organizations are trying to hack into the digital networks that undergird U.S. military operations.
This quote comes from the Deputy Secretary of Defense (SecDef) as clarity regarding malware's role was unclassified:
WASHINGTON – The Pentagon says a foreign spy agency pulled off the most serious breach of Defense Department computer networks ever by inserting a flash drive into a U.S. military laptop.
The previously classified incident took place in 2008 in the Middle East and was disclosed in a magazine article by Deputy Defense Secretary William J. Lynn and released by the Pentagon Wednesday. The Pentagon did not say what nation's spy agency was involved.
He said a “malicious code” on the flash drive spread undetected on both classified and unclassified Pentagon systems, “establishing what amounted to a digital beachhead,” for stealing military secrets. He did not say what, if any, information was taken.
Surprise: Cybercrime and cybercriminals play a significant role in this threat to national security. In a speech made last year, Deputy SecDef Lynn made these statements framing where this country is today.
This is not some future threat. This cyberthreat is here today. It is here now. In fact, the cyberthreat to the Department of Defense represents an unprecedented challenge to our national security by virtue of its source, its speed and its scope.
There's the source. The power to disrupt and destroy, once the sole province of nations, now also rests with small groups and individuals, from terrorist groups to organized crime, from hacker activists to teenage hackers, from industrial spies to foreign intelligence services.
- We know that foreign governments are developing offensive cybercapabilities and that more than 100 foreign intelligence organizations are trying to hack into U.S. networks.
- We know that organized criminal groups and individual hackers are building global networks of compromised computers, botnets and zombies, and then selling or renting them to the highest bidder, in essence becoming 21st-century cybermercenaries.
With all this espionage perspective today, I can't really say that NSA monitoring of companies who are in business with the DoD is a BAD thing.
The new program would apply to the companies that make up the Defense Industrial Base (DIB) and only to the parts of those companies that indigenously store and use sensitive information. Classified information is not supposed to be stored on any dot.mil subdomain that is accessible to outside computer networks.
Of course, there are other concerns regarding the NSA proposal:
It may not be legal to force companies to submit to NSA monitoring, or even to ask them to voluntarily agree to it, and it might not be politically feasible for companies to accept NSA sensors without disclosing their existence for liability and optical reasons.
Five ways out of darkness: Military
Deputy SecDef Lynn gives five doctrinal guidelines about how the Department of Defense intends to treat cyberwarfare.
In his article, Lynn outlines five pillars of the department's emerging cybersecurity policy:
- Cyber must be recognized as a warfare domain equal to land, sea, and air;
- Any defensive posture must go beyond “good hygiene” to include sophisticated and accurate operations that allow rapid response;
- Cyber defenses must reach beyond the department's dot-mil world into commercial networks, as governed by Homeland Security;
- Cyber defenses must be pursued with international allies for an effective “shared warning” of threats; and
- The Defense Department must help to maintain and leverage U.S. technological dominance and improve the acquisitions process to keep up with the speed and agility of the information technology industry.
Three ways: CIO and IT
The pathway to success for breaches have often been through partners, or partners of partners, who have interconnected network security. Three risks which most IT managers and CIOs should be aware of are interesting.
- Be careful of the insider threat, but consider that the "insider" may be someone else's employee.
- If you are partnered with the government and don't reduce and contain your sensitive digital content, someone else (the NSA) may be assigned to watch it for you.
- Stay clean, stay lean. Keep your malware detection updated and disable autorun on all your systems. To assist with this, ESET will be providing a free utility shortly called AutoNone and our remote administrator allows global autorun accessibility.