We woke today to the news that back in March a Pentagon defense contractor was the subject of a cyberattack by an unidentified nation state that resulted in 24,000 sensitive files being stolen.
According to the Washington Post:
"William Lynn, the deputy secretary of defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense industry computer network in a single intrusion in March. He offered no details about what was taken but said the Pentagon believes the attacker was a foreign government. He didn’t say which nation."
That this country’s defense institution could be vulnerable to cyberattack is not a new revelation. The Washington Post article noted that new Defense Secretary Leon Panetta, who obviously had been informed of the March cyberattack, commented on the nation's vulnerability during his confirmation hearings, stating:
"At his Senate confirmation hearing last month, new Defense Secretary Leon Panetta cited “a strong likelihood that the next Pearl Harbor” could well be a cyberattack that cripples the U.S. power grid and financial and government systems. He said last weekend that cybersecurity will be one of the main focuses of his tenure at the Pentagon."
What is surprising is that the steps to shore up cybersecurity outlined in the Department of Defense's new "Strategy for Operating in Cyberspace" have been broken into five largely external initiatives:
- Strategic Initiative 1: Treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential
- Strategic Initiative 2: Employ new defense operating concepts to protect DoD networks and systems
- Strategic Initiative 3: Partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy
- Strategic Initiative 4: Build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity
- Strategic Initiative 5: Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation
What seems to be missing is a focus on the vulnerabilities in application software.
There’s an old African proverb that states, “When there is no enemy within, the enemies outside cannot hurt you.” The Department of Defense should take heed of this notion.
The external strategic initiatives it proposes in its plan are all well and good – increased training, improved international relationships and collaboration between departments are never bad things. But as we've seen at Sony, Sega, RSA, Citi, and in the plethora of other security breaches that have occurred this year, it was an application software vulnerability that led to the breach.
This is why the key element in the DoD's initiatives lies within initiative number 5:
"...improved security measures will be taken with all of the systems that DoD buys, including software and hardware. No backdoor can be left open to infiltration; no test module can be left active"
This is a wise move for our defense institution. If the backdoor used by the hacker in March had been identified prior to the application being deployed, the cyberattack would likely have failed and those 24,000 sensitive files would still be classified and safe. Identifying the "enemy within" - poor structural quality of existing application software - will go a long way toward thwarting the "enemy outside."
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.