By Bob Brewin
July 27, 2007
Defense Net Attacks Should Be Countered With 'Disproportionate Response'
That's the advice contained in a little-noticed report, "The Defense
Science Board (DSB) 2006 Summer Study on Information Management for
Net-Centric Operations," which was released in April.
"Adversaries need to be assured that their attacks against U.S.
information systems will be detected, that U.S. functionality will be
restored," according to the report. "... and an adversary needs to know
that the U.S. possesses powerful hard and soft-kill (cyberwarfare) means
for attacking adversary information and command and support systems at
Attacks against U.S. information systems should be countered with
"disproportionate response," the report said, adding that "every
potential adversary, from nation states to rogue individuals, could be
targets of an integrated offensive capability."
Any attack against a U.S. information system should be met with a
counterattack that results in "highly undesirable consequences" for the
I have a feeling this means more than cutting off access to MySpace or
The Network's 'Soft Underbelly'
One reason for Defense to take such an aggressive response is that
adversaries have recognized the increasing importance to the U.S.
military of networks and information systems, which are built on
commercial hardware, software and the Internet -- all of which are
easily exploited, the DSB report goes on to say.
"There is ample evidence that U.S. adversaries have recognized this
potential vulnerability and are aggressively developing doctrine,
tactics and technology to attack this soft underbelly," the report
The current state of network and information system defense is so poor
that it "will be considerably outmatched by a sophisticated, well
resourced and motivated opponent," according to the report. Considering
this, network and information system defense presents a "daunting"
challenge, and "innovative application of offensive techniques to
support defensive objectives shows great promise," the report said.
It's no surprise that, over the past few months, both the Army and Air
Force have taken their offensive information warfare capabilities
The Offshore Problem
The United States doesn't manufacture much stuff, or even software,
anymore. That's all done offshore, which creates another set of network
vulnerabilities, the DSB report said.
Defense networks and information systems are patched together from
commercial hardware and software "whose provenance is increasingly
foreign," according to the report. "The complexity of both the
microelectronic and software components is enormous. Consequently, the
challenge of discovering malicious constructs introduced by an adversary
through life-cycle opportunities is exceedingly difficult."
In plain English, this means that our reliance on low-cost software
written in India and computers made in China threatens our national
security. But, hey, this approach underpins myriad Silicon Valley
I know most reports written in Washington end up quickly filed and
forgotten. This one needs to be read and acted on.
But We Still Do It in the Clear
Despite the threats to Defense networks outlined by the DSB, military
end users still don't take simple steps to protect the integrity of
information sent over military systems, according to a briefing that
Luanne Overstreet, acting director of the Joint Interoperability Test
Command, presented last month to Air Force Lt. Gen. Charles Croom,
director of the Defense Information Systems Agency.
Overstreet told Croom in a set of briefing slides, which magically made
their way here to What's Brewin' Central, that in recent combatant
command exercises, high-risk Internet services such as Telnet and file
transfer were done in clear text and were easily intercepted.
Sometimes the best defense is not a good offense; rather, the best
defense is ensuring that good defensive policies and procedures are
followed. That probably includes making sure I don't get internal DISA
Honey, We Shrunk the Navy
A high-level and "For Official Use Only" set of Navy briefing slides
that inadvertently made it to the Internet shows that the service plans
to shrink its active-duty force from 341,000 today to 322,000 by 2013.
But that's OK, as high-tech ships of the future will only require half
the crews of today's ships.
The slides show that the guided missile cruiser of 2023, the CG(X)71,
will only require a crew of 150 versus the crew of 350 for one of
today's cruisers, the USS Cape St. George.
The planned CG(X)71 will have sensor systems with a range of 500 miles
and weapons systems with a range of 1,000 miles compared with a 256-mile
range for the Cape St. George's sensors and 800 miles for its weapons
The slides don't provide cost estimates for the CG(X)71, but as
shipbuilding costs continue to spiral into the megabillion-dollar range,
the Navy might be able to afford only one or two newfangled cruisers,
unless it finds a way to control costs.
Health Data Sharing: It's the Politics
The President's Commission on Care for America's Returning Wounded
Warriors wants the Military Health System and the Veterans Health
Administration to develop within 12 months a Web-based portal that
provides, at a glance, patients' health care and benefits information
from the two departments' information systems.
I called a bunch of the likely inside-the-Beltway vendors to get their
take on the complexity of the task, and ran into a wall. The technology
part is not hard, I was told. The politics and battles between Defense
and VA are the challenge. Therefore, no one wants to go on the record on
what is viewed as a relatively easy bit of work.
Does this surprise anyone?
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com