Seeking Independence from Being Hacked


While it was far from being the “shot heard ‘round the world” of Revolutionary War fame, the cyber attack on the Pacific Northwest National Laboratory over July 4th weekend this year did represent a significant first blow in the search for liberty for that organization – specifically, liberty from being hacked.

As reported in InformationWeek, PNNL, a Richland, WA-based R&D lab under contract to the Department of Energy:

“discovered what it described as a 'sophisticated' targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.”

In the weeks following the attack, PNNL revealed that the attack had been a two-pronged cyber-assault on its systems. The perpetrators first “exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines.”

The attack was one of literally hundreds perpetrated upon government agencies and their contractors this year. It came only days before the Department of Defense revealed one of its private contractors had been the victim of the largest cyber theft of sensitive files – 24,000 – in the government’s history.

The issue for the government remains, how does it defend itself from these attacks and proclaim its independence from hackers?

We Hold These Truths Self-Evident

Former Fed CIO Vivek Kundra identified at least part of the problem with the government’s cyber-security plans prior to his stepping down in August. He said the problem was not lacking for potential solutions, but rather lacking in the implementation of them. He even went so far as to charge his successor with less planning for IT and more focus on its execution. Of this he said,

"My advice would be to be aware of entropy and make sure that you’re really, really focused on execution, not just on policies. You need to roll up your sleeves and get some work done."

By his own admission, US government IT under Kundra had serious shortcomings in bringing projects to fruition, including data center consolidation, cloud computing and continuous security monitoring.

The GAO went one step further in its investigation into the government’s preparedness for cyber attacks and openly questioned the DoD’s ability to keep up with the threats of cyberspace. Among the chief issues identified by the GAO were the multiple and often contradictory government publications that discuss how to handle cyber threats. These documents cannot even come to a consensus regarding terminology and job responsibilities.

Our Lives, Our Fortunes, and Our Sacred Honor

That the cyber attack on the PNNL labs revealed yet another software vulnerability is not insignificant, nor is it lost on the government, fortunately. The action plan the Department of Homeland Security unveiled in July is among the first to acknowledge that internal IT systems and not just external relationships are one of the keys to cyber defense.

The DHS recognizes the fact that any cyber security policy needs to include automated structural analysis of application software. By identifying areas where the applications in use may not live up to optimal software quality standards, the government can work toward plugging the holes and give cyber infiltration efforts fewer points to breach.

Software is just one small part of the plan. The lion’s share looks toward diplomatic and external measures as well as procedural items. Nevertheless, if the software being used by the government lacks in terms of structural quality, hackers – independent or supported by foreign governments – will find a way to exploit it. By identifying those holes in the software, though, it gives the government the chance to identify potential breach points and close vulnerabilities that serve as entry points to future hackers.

So while the Department of Defense--and its contractors, such as PNNL--may not yet be prepared to withstand a cyber attack, by beginning to address the structural quality of their application software they may indeed begin to declare their independence from hackers.

Filed in: Technical Debt
  This report describes the effects of different industrial factors on  structural quality. Structural quality differed across technologies with COBOL  applications generally having the lowest densities of critical weaknesses,  while JAVA-EE had the highest densities. While structural quality differed  slightly across industry segments, there was almost no effect from whether the  application was in- or outsourced, or whether it was produced on- or off-shore.  Large variations in the densities in critical weaknesses across applications  suggested the major factors in structural quality are more related to  conditions specific to each application. CRASH Report 2020: CAST Research on  the Structural Condition of Critical Applications Report
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
Making sense of cloud transitions for financial and telecoms firms Cloud  migration 2.0: shifting priorities for application modernization in 2019  Research Report
Jonathan Bloom
Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item