So politicians and policymakers should be paying special attention to areas where the nation is not prepared today. But are they? Consider this passage on "information assurance" from the 2011 annual report of the Pentagon's Director of Operational Test and Evaluation:
"With sufficient time, Red Teams routinely managed to penetrate networks and systems. Detection rates of network intrusions remained low, and the ability of network defenders to detect subsequent exploitations of network data was minimal; most assessments witnessed large exfiltrations of operationally significant data...
"The assessments showed a decrease in the use of backup files and systems, proper audit logging and reviews, logical access controls, incident planning and vulnerability management. There was an overall increase in high-risk vulnerabilities observed (indicating a decrease in effective patch management), as well as a decrease in effective use of anti-virus tools and software (including failures to routinely update virus signatures)."
The report went on to note that although information security systems are being installed on military networks to counter threats, a majority of the systems "were found to be incorrectly or ineffectively configured." Does this sound like a force that is ready to deal with a really effective cyber adversary? Not at all. The Air Force recently disclosed that when an intruder penetrates one of its networks, the service typically takes 45 days to figure out what happened. In wartime, it will be lucky to have 45 seconds.
Not that the joint force is alone in its lack of cyber preparedness. NASA's inspector general told Congress on February 29 that an unencrypted laptop computer recently stolen from one of the space agency's employees contained the control codes for the International Space Station. It turns out that only one-percent of NASA's laptops and other portable computing devices are encrypted -- which may help explain why 13 of the 47 "advanced persistent threats" the agency encountered in cyberspace last year succeeded in compromising its computers. Actually, there may have been more such threats in 2011, because the agency depends on employees to self-report the theft or compromise of their network devices.
That's still better than in the private sector, where the Department of Homeland Security doesn't have the authority to compel such reporting -- even if the network attacked controls vital infrastructure such as power grids. DHS is trying to obtain firmer legal authority for enforcing cybersecurity standards in the private sector, but proponents of small government in Congress are blocking efforts to impose more burdens on business. When you see a political system that obtuse about the looming cyber threat, you know it's just a matter of time before something really bad happens. Like ending up with no ability to process financial transactions or transport water to Manhattan. Unlike 9-11, though, this is one danger all the experts can see coming. We just won't be willing to listen to them until it is too late.
Loren B. Thompson, Ph.D.
http://www.defpro.com/
