DoD Proposes Defending Key Private Sector Systems from Cyber Intrusions

May 28, 2010

The U.S. Defense Department is considering allowing its computer security system to be extended to critical private sector systems, like utilities and banks.

"Operators of critical infrastructure could opt-in to a government-sponsored security regime," said William J. Lynn, the deputy defense secretary, during a speech at the Stratcom Cyber Symposium in Omaha, Neb. "This type of secure.com approach could build on the collaboration between DoD and the defense industry."


Here are some of Lynn’s key ideas: "DoD analysis shows four overlapping cyber threats."

  • "The first is to our military networks themselves. This threat was recognized fairly early, and we have made a concerted effort over the last five years to construct substantial defenses. We are not invulnerable at this point. But the level of protection is higher than you will find on any other IT systems.

  • "The second threat is to the nation's critical infrastructure. Computer-induced failures of our power grids, transportation system, or financial sector could lead to physical damage and economic disruption on a massive scale.

  • "The third and in many ways least-discussed threat is to our intellectual property. Earlier this year key parts of Google's source code were exfiltrated in a sophisticated operation that also targeted dozens of other companies. The defense industry has similarly been targeted. Designs for key weapons systems have been stolen.

  • "The risk of tampering in our supply chain is the fourth and final threat. Rogue code, including so-called 'logic bombs,' can be inserted into software as it is being developed, allowing outside actors to manipulate systems from afar. Hardware is also at risk. Remotely operated 'kill-switches' and hidden backdoors can be written into the chips and physical buses used in military hardware. The risk of compromise in the manufacturing process is very real, and in many respects is the threat we least understand. Tampering is difficult to detect, and even harder to prevent."

To respond to the array of cyber threats that confront us, the Pentagon is taking action on several fronts. Lynn described three lines of defense:

  • "Our first line of cyber-defense is ordinary hygiene — keeping systems and software up to date. The Internet is teeming with so many viruses and botnets that an unprotected computer can be infected within minutes of being placed online. To remain secure, any network that has contact with the Internet must constantly refresh malware signatures and install security patches.

  • "Perimeter security forms our next line of defense. To monitor traffic flowing into and out of our networks, we narrowed the number of ports at which our systems access the commercial Internet. We also deployed host-based security services and intrusion detection systems on our servers and routers. These sensors are linked to network mapping and visualization software that help identify breaches. We believe perimeter defenses block another 30% to 40% of attempted intrusions.

  • "In cyber, offense is dominant. A fortress mentality will not work. We cannot retreat behind a Maginot line of firewalls. In this way cyber is much like maneuver warfare, in which speed and counterattack matter most. If we stand still for a minute, our adversaries will overtake us. Given the dominance of offense, our defenses need to be dynamic. We need to respond to attacks at network speed, as they happen or even before they arrive."