The U.S. government still lacks a consensus about how to ward off and retaliate against cyberattacks, analysts said after a week in which the world's largest defense contractor and other companies acknowledged their computer networks had been infiltrated.
"Although Lockheed [Martin] nipped this attack in the bud, it's pretty obvious that the federal government isn't prepared to cope with the kind of cyber onslaught that it's facing," said Loren Thompson of the Lexington Institute, Arlington, Va.
Each government agency - and even the military services within the Defense Department - has a different picture of what cyber is and how it contributes to the mission, according to Charles Dodd, a cybersecurity consultant in Washington who has advised Congress and other government agencies.
"The biggest problem is they look at the data security and the way forward only as it pertains to their mission," Dodd said. "What they miss is that cyber isn't different. It doesn't change just because your mission does. How you use it does."
U.S. government computer networks are attacked about 1.8 billion times per month, according to a recent Center for New American Security (CNAS) report, and Dodd said the weeks since U.S. forces killed Osama bin Laden have seen an uptick.
So-called hacktivists tend to "stretch their cyber legs" following major world events - and state-sponsored entities are starting to behave similarly, he said.
"The techniques of both these groups are kind of the same," he said.
Lockheed Martin, the largest supplier of weapons to the U.S. military, acknowledged last week that its network had been breached.
In a May 29 statement, company officials said the May 21 attack was detected "almost immediately," and that no customer, program or employee data had been compromised.
The FBI is leading an investigation into the intrusion, according to Robert Butler, the Pentagon's deputy assistant secretary for cyber policy.
"The analysis on these activities ... is challenging, it's diffuse, and lots of different pieces have got to be put together," said Butler, who spoke June 2 as part of a panel at a CNAS conference.
Coordination Efforts
The CNAS report said deterring and preventing cyberattacks will require "stronger and more proactive leadership" by the federal government. It suggested the White House create an office of cyber policy.The Obama administration is striving to get government agencies on the same page. In May, the White House sent a package of proposed cybersecurity legislation to Capitol Hill, largely dealing with securing networks and defining the Department of Homeland Security's role.
But federal officials and analysts said that more legislation is needed; in particular, stricter laws to deter cyber offenders.
"The penalty for cyber criminals [is] not adequate at this point in time," Rand Beers, DHS's undersecretary for its national protection and programs directorate, said at the CNAS conference. "We're going to have to fix that."
Dodd said those who use bullets or bombs face far greater, or at least clearer, consequences than online attackers.
"These groups are attacking these networks, and there's just no fear of retaliation," he said. "I think that that's going to start bringing these other more guerilla-style tactics from groups we haven't seen in the past."
The CNAS report agreed, recommending the government lay out a declaratory policy that explains how it will retaliate, at least in certain situations.
In coming weeks, the Defense Department is expected to release its own strategy for cyber warfighting. That document will create a framework for training and equipping forces, as well as call for more international cooperation in this evolving domain, Mary Beth Morgan, Pentagon director for cyber strategy, said in March.
Dodd said the fruits of the effort would likely become apparent only after a major cyber attack.
"There has to be a uniformed way to move forward pertaining to the threat, not how we use the network and not how we defensively posture ourselves, because these [attackers] are looking at things offensively," he said.
The CNAS report also recommends the U.S. strengthen its international cybersecurity agenda.
Butler concurred.
"We can make the greatest inroads on the international side with working to develop norms, understanding ways that we can help each other to think about a safe and secure, reliable cyberspace," he said.
Thompson said that since many of the attacks appear to originate in countries such as China and Russia, the U.S. should treat them as a national security challenge rather than a law enforcement one.
He questioned DHS's ability to adequately defend U.S.-based networks from cyberattacks, and opined that the U.S. National Security Agency might be better positioned for the task.
But Dodd said NSA lacks the resources to protect such a large number of systems.
Cyber tools, both defensive and offensive, remain among the most classified systems in the U.S. arsenal. DoD and industry officials frequently remain tight-lipped on attacks and their success, or lack thereof, that an intruder has achieved.
"We have a wide range of physical, electronic, computing and personnel policies/ practices to investigate suspected issues," said Boeing spokesman Dan Beck. "Boeing takes the security of its people, products and information very seriously, and we have systems in place for detection and prevention."
Similarly, Northrop Grumman spokesman Randy Belote said his company "continuously monitors and proactively strengthens the security of our networks, and is vigilant to protect our employee, customer and program data and systems."
But Dodd, the cybersecurity consultant, said he believes the defense industry has been "completely arrogant" about the capabilities it possesses and is not fully prepared to combat a state-sponsored entity.
"This is not the stage for arrogance," he said. "You've brought a stick to a gunfight, and you're arrogant about your capabilities?"
Thompson said, "Lockheed probably has the most sophisticated network defenses of any company in the United States, bar none … and even they had a problem. So what does that tell you?"
No comments:
Post a Comment