Cybersecurity Archives

New Defense Cybersecurity Site

 

Just in case anyone has forgotten the pressing need for cybersecurity, the Defense Department hammered the point home today with a new website that literally screams "Cybersecurity" in a blazing red motif.

The site features recent cyber-pronouncements from top Defense leaders, policy documents and links to various cyber commands. For folks who always like the historical perspective, it also includes the 2003 national cyber strategy.

The comprehensive cyber site reflects a lot of hard back-end work, and anyone interested in the field should bookmark it, but I do wish they had chosen another thematic color than fire engine red.

Cyberattacks Target Air Force Apps

 

Lt. Gen. William Lord, the Air Force chief information officer, said cyberattackers have shifted their tactics from trying to breach firewalls to penetrating applications and said the service has serious application vulnerabilities.

Lord said unspecified cyber enemies "used to be banging away at our firewalls. They're not any longer. The enemy is banging away at our applications," the Air Force News Service reported on Wednesday.

Lord, speaking to a business group at the Electronic Systems Center at Hanscom Air Force Base, Mass., said the service's applications have been shown vulnerable to such attacks. The Air Force has more than 19,000 information technology applications, Lord said. The center's IT Center of Excellence at Maxwell Air Force Base-Gunter Annex in Alabama examined about 200 of those apps and found "all of them had over 50 vulnerabilities," he said.

Lord said the Air Force needs to focus on IT security but not at the expense of usefulness. "Security without utility is of little value; and utility without security is far too dangerous," he said, emphasizing the service needs to strike the correct balance between the two.


What About Countering Insider Threats?

 

It's a rule of thumb that insiders pose the greatest threat to classified information systems -- a rule sadly reinforced by the public release of 91,000 classified, purloined Defense Department documents by Wikileaks.

Defense has zeroed in on Army Pfc. Bradley Manning as the source of the documents Wikileaks released, because it already has him in custody for allegedly leaking other documents to Wikileaks this year.

While the Pentagon has been all over the news in its reaction to potential damage caused by this massive leak, it has been strangely silent on any new plans to counter insider threats -- or how, as the New York Times put it, a private was able to "exploit a loophole in Defense Department security to copy thousands of files onto compact discs over a six-month period. In at least one instance, according to people familiar with the inquiry, Private Manning smuggled highly classified data out of his intelligence unit on a disc made to look like a music CD by Lady Gaga."

This may have something to do with the fact that in fiscal 2010, the Defense Information Systems Agency budgeted a mere $814,000 for insider threat detection systems and asked for a $2.2 million budget for insider detection tools in fiscal 2011. That's out of an overall information systems security operations and maintenance budget request of $288.6 million.

Since insiders account for 75 percent of leaks, why does DISA allocate such a small amount of its budget to countering the biggest part of the information security problem?


Air Force May Not Have To Fund Cyber Command HQ

 

Earlier this year, I reported that the Air Force planned to pony up $104 million from its 2011 budget to fund development of the new headquarters of the U.S. Cyber Command at Ft. Meade, Md.

I thought that was rather generous of the Air Force, since the service had lost out on its two-year fight to own the cyber mission.

But the Air Force may be off the hook for the Cyber Command HQ if language in the conference report on the House version of the 2011 Military Construction/Veterans Affairs appropriations bill makes it through the legislative mill.

That bill says the Air Force had allocated $564 million in its budget for new facilities for the U.S. Strategic Command - which runs the Cyber Command - as well as "an unspecified but probably large requirement to provide new facilities" for the Cyber Command.

The House report said the Air Force should not have to bear this burden on its own, and urged the Defense Department to provide the funds for the new headquarters from its overall budget.

Meanwhile, the Air Force still gets points for playing nice with the other children, which may have been the purpose of its generosity to begin with.

Navy Seeks Vets For Cyber Force

 

The Navy is looking for a few good veterans to staff its cyber force, offering openings at Pearl Harbor, Hawaii, and Norfolk, Va.

The folks over at the Navy chief information officer shop said they want to hire up to 300 veterans with IT experience to work on the cyber front lines. If you are qualified and interested, you can find more info here: http://www.doncio.navy.mil/ContentView.aspx?ID=1682

If I was not already over-employed, I'd opt for a Pearl Harbor job.

Security Breach Déjà Vu at VA

 

Oh my, when will they ever learn at the Veterans Affairs Department?

I have heard from well-placed sources that an employee at the VA medical center in Atlanta downloaded patient clinical data to a personal laptop, and an investigation may be pending.

Details are sparse on this breaking story, but I was told the employee -- a physician assistant nurse practitioner -- downloaded 18 years' worth of clinical data on an unknown number of patients to conduct research.

If this all sounds eerily familiar, it is. In 2006 a VA data analyst downloaded information on 26.5 million records -- or practically every living veteran -- onto the hard drive on his personal laptop, which was later stolen.

The good news in the current situation is that the laptop was not stolen. The bad news is that none of the downloaded data in 2006 included clinical information, while the current case involved a whole mess of medical data.

The timing on this could not be worse. The Obama administration is trying to sell the American public on the need for a national electronic health record system. That's a tough sell if folks find out that their supposedly private electronic records are subject to downloads for research.

Does VA have policies and procedures that bar the download of veteran data to personal laptops? You bet. But the best policies and procedures don't do much in the face of human ignorance.

What's in a Thumb Drive Kit?

 

The U.S. Strategic Command says that military units in Afghanistan soon will start receiving thumb drive kits that meet its new flash media policy for Defense Department networks and computers.

STRATCOM said on Feb. 18 that flash media such as thumb drives should be used only as a "last resort" to meet operational requirements -- and Afghanistan, where network bandwidth is at a premium, sure meets that last resort requirement.

But it's hard to get an answer from STRATCOM on what exactly is in a flash media kit because it has not publicly released details, a STRATCOM spokesman told me.

Meanwhile, legions of PR folks continue to flood my e-mail with pitches for companies that make stuff they think meets the Defense requirements, even though STRATCOM is mum on the subject.

I think these folks get paid by the number of e-mails they send out.

Let's Deal With Facts

 

I woke up today with what can only be described as a bombardment of e-mails from PR folks who had clients panting to give me their views on the U.S. Strategic Command lifting its ban on thumb drives and other flash media, a notion they picked up from stories in Inside Defense, Wired and Government Computer News, which based its story on the Wired and Inside Defense reports.

But, as it turned out, STRATCOM did not repeal its November 2008 ban. Instead, it decided to permit use of flash media only as a "last resort for operational mission requirements," according to Vice Adm. Carl Mauney, STRATCOM deputy commander.

Navy Cmdr. Steve Curry and Air Force Master Sgt. Kevin Allen at the STRATCOM public affairs shop both deserve kudos for turning around a query I submitted on Thursday and providing me with a factual statement overnight that debunked many assumptions about flash media that flooded my inbox this morning.

As Joe Friday, the famed Los Angeles Police Department detective, said in the 1950s, "Just the facts, ma'am."

That Brit Report On Chinese Cyber Spying

 

The New York Times rather breathlessly reported during the past weekend that in 2007 the head of British intelligence warned businesses in England that Chinese intelligence agencies were engaged in a wide-ranging effort to hack into their computers.

The Times reported that anonymous sources confirmed the existence of that report, which seems like a needless exercise to me as I reported almost two years ago that our Defense Department highlighted this Brit warning in its annual brief to Congress on mischievous behavior by China in March 2008.

How many days a week do we need Chinese cyber stories? No one would have paid much attention to Paul Revere if he made his ride every day.

Is Boeing's New 747 Hackable?

 

The computers onboard Boeing Co.'s newest version of its largest commercial aircraft, the 747-8, could be hacked, according to a little-noticed item published in the Federal Register by the Federal Aviation Administration on Jan. 15.

FAA said the 747-8, slated to make its first flight on a yet-to-be-specified date this month, has a network and architecture that could allow external sources to access aircraft systems.

The 747-8 has a network that supports control systems, another that supports safe operations and maintenance and another for passenger information systems.

FAA said the airliner's system architecture "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane."

FAA said that before it certifies the 747-8 for operation, Boeing:

  • must ensure electronic system security protection for the aircraft control domain and airline information domain from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
  • must ensure that electronic system security threats from external sources are identified and assessed, and that effective electronic system security protection strategies are used to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.

Boeing launched development of the 747-8 in 2005 with orders for 10 freighters from Cargolux of Luxembourg and eight from Nippon Cargo Airlines of Japan. Lufthansa placed an order for 20 400-seat passenger versions in 2006, and in December 2009 Korean Air ordered five passenger versions.

I'm not ready to fly on any 747-8 - even as cargo - until Boeing resolves potential hacking problems.
