By Phil Stewart, Diane Bartz, Jim Wolf and Jeff Mason
WASHINGTON (Reuters) – The Pentagon is about to roll out an expanded effort to safeguard its contractors from hackers and is building a virtual firing range in cyberspace to test new technologies, according to officials familiar with the plans, as a recent wave of cyber attacks boosts concerns about U.S. vulnerability to digital warfare.
The twin efforts show how President Barack Obama’s administration is racing on multiple fronts to plug the holes in U.S. cyber defenses.
Notwithstanding the military’s efforts, however, the overall gap appears to be widening, as adversaries and criminals move faster than government and corporations, and technologies such as mobile applications for smart phones proliferate more rapidly than policymakers can respond, officials and analysts said.
A Reuters examination of American cyber readiness produced the following findings:
* Spin-offs of the malicious code dubbed “agent.btz” used to attack the military’s U.S. Central Command in 2008 are still roiling U.S. networks today. People inside and outside the U.S. government strongly suspect Russia was behind the attack, which was the most significant known breach of military networks.
* There are serious questions about the security of “cloud computing,” even as the U.S. government prepares to embrace that technology in a big way for its cost savings.
* The U.S. electrical grid and other critical nodes are still vulnerable to cyber attack, 13 years after then-President Bill Clinton declared that protecting critical infrastructure was a national priority.
* While some progress has been made in coordinating among government agencies with different missions, and across the public-private sector gap, much remains to be done.
* Government officials say one of the things they fear most is a so-called “zero-day attack,” exploiting a vulnerability unknown to the software developer until the strike hits.
That’s the technique that was used by the Stuxnet worm that snarled Iran’s enriched uranium-producing centrifuges last summer, and which many experts say may have been created by the United States or Israel. A mere 12 months later, would-be hackers can readily find digital tool kits for building Stuxnet-like weapons on the Internet, according to a private-sector expert who requested anonymity.
“We’re much better off (technologically) than we were a few years ago, but we have not kept pace with opponents,” said Jim Lewis, a cyber expert with the Center for Strategic and International Studies think tank. “The network is so deeply flawed that it can’t be secured.”
“IT’S LIKE AN INSECT INFESTATION”
In recent months hackers have broken into the SecurID tokens used by millions of people, targeting data from defense contractors Lockheed Martin, L3 and almost certainly others; launched a sophisticated strike on the International Monetary Fund; and breached digital barriers to grab account information from Sony, Google, Citigroup and a long list of others.
The latest high-profile victims were the public websites of the CIA and the U.S. Senate – whose committees are drafting legislation to improve coordination of cyber defenses.
Terabytes of data are flying out the door, and billions of dollars are lost in remediation costs and reputational harm, government and private security experts said in interviews. The head of the U.S. military’s Cyber Command, General Keith Alexander, has estimated that Pentagon computer systems are probed by would-be assailants 250,000 times each hour.
Cyber intrusions are now a fact of life, and a widely accepted cost of doing business.
“We don’t treat it as if it’s here today, gone tomorrow,” said Jay Opperman, Comcast Corp.’s senior director of security and privacy. “It’s like an insect infestation. Once you’ve got it, you never get rid of it.”
The private-sector expert who requested anonymity said a top official at a major Internet service provider told him that he knew his network had been infiltrated by elite hackers. He could digitally kick them out – but that would risk provoking a debilitating counter-attack.
“THE THING … THAT KEEPS ME UP AT NIGHT”
The idea behind the soon-to-be-announced Pentagon program for defense contractors is to boost information-sharing with the Defense Department on cyber threats. It also aims to speed reporting of attacks on firms that make up what the Pentagon calls the Defense Industrial Base.
The DIB, as it is sometimes known, provides the Defense Department some $400 billion a year in arms, supplies and other services. The new program is voluntary and builds on a smaller pilot, reflecting the persistent challenge of regulating private firms that traditionally shield proprietary data and often downplay cyber setbacks.
Ultimately, the new program may lead to agreement to put at least some Pentagon contractors behind military-grade network perimeter defenses, such as those that protect the Pentagon’s own classified networks.
On another front, the Pentagon’s far-out research arm, the Defense Advanced Research Projects Agency, is expected to launch by mid-2012 the National Cyber Range, a kind of replica of the Internet costing an estimated $130 million that would be used to test cutting-edge cyber defense technologies and help train cyber warriors.
The Obama administration has made cyber security a national priority, and tried to fashion an “all-government response” that imposes order on the competing domains and priorities of the Pentagon, FBI, Department of Homeland Security, the super-secret National Security Agency and the private sector.
“We’re far better prepared than we’ve ever been before,” said White House cybersecurity coordinator Howard Schmidt.
“Notwithstanding all the threats that we see out there, the things that are making news on a regular basis about a company that’s been intruded upon … (look at) how much the system still runs,” Schmidt told Reuters in an interview.
The key, Schmidt said, is resiliency, “to make sure that we’re better prepared, to make sure that the disruptions when they do occur are minimum – we’re able to recover from them.”
Still, he said major worries remain. “The thing that I worry about that keeps me up at night is the unknown vulnerability that may exist out there.”
Some officials are even less sanguine.
The Pentagon’s computer systems are widely considered to be better protected than other U.S. government agencies’, and far safer than the private sector’s. Still, a U.S. defense official told Reuters he would give the Pentagon just a “C+” grade overall for its cyber defenses. “We’re not impervious to attack by any stretch, but nor are we ‘open kimono’,” the official said. He added: “And we’re getting better.”
WHAT IS ‘CYBER’?
Experts say that one of the toughest challenges of cyber defense is, oddly, definitions. What constitutes “cyber”? Computers and digital networks, certainly. But how about digitized pictures or video streams from a pilotless Predator drone flying over Pakistan?
Who is responsible for protecting what? Where does national security begin and privacy end?
“The other big problem is lack of policy,” said one former U.S. official. “(We) lack policy because we lack consensus. We lack consensus because we haven’t had an informed debate. We lack an informed debate because we don’t have a common pool of data. And we don’t have a common pool of data because we don’t share it.”
Nowhere is the problem more acute than in thinking about cyber warfare. What constitutes an act of war in cyberspace? And how do you determine who it was that fired the shot?
U.S. military officials, eager to talk about how the Pentagon has boosted computer defenses, clam up when the topic turns to offensive capabilities.
The Pentagon has put together a classified list of its cyber capabilities so policymakers know their options – just as it does for more conventional weapons.
Offensive actions against foreign systems would require White House authorization. But the Pentagon does not need special approval to do the kind of cyber surveillance work that can identify vulnerabilities in foreign networks, a U.S. official told Reuters, speaking on condition of anonymity.
That includes leaving hidden digital “beacons” inside adversaries’ networks that could be used to pinpoint future targets. The beacons can phone home to tell U.S. military computers that they are still operational, the official said.
While the United States is trying to apply conventional military logic to the cyber realm, there is no global consensus about the rules of cyber war. A Pentagon report due out toward the end of the month is not expected to articulate case-by-case possibilities of when a cyber war could turn into a real one.
INTO THE CLOUD
Even as such policy debates rage, the technological landscape is being remade, seemingly by the month, posing new challenges – and opportunities. Tens of thousands of mobile applications for smartphones and tablet computers represent new vectors for hacks and attacks.
“The quick answer is we haven’t been doing enough and we’re semi-late to the game” on protecting mobile applications, said Rear Admiral Mike Brown, a senior Department of Homeland Security cyber security official.
U.S. government agencies are working with major commercial vendors “to start looking together at how to address the issues of mobile vulnerabilities,” Brown said at a symposium sponsored by Symantec Corp.
Meanwhile, the U.S. federal government is planning to move in a big way into “cloud computing,” in which off-site providers offer network and storage resources accessible remotely from a variety of computing platforms.
Potential cost savings are significant. Handled correctly, computing clouds could offer added security, specialists say. But there are also risks.
A study released in April by CA Technologies and the Michigan-based Ponemon Institute contained alarming findings. Based on a survey of 103 U.S. and 24 European cloud computing providers, it found that a majority did not view security of their services as a competitive advantage, and believed that security was their customers’ responsibility, not theirs.
Most did not have dedicated security personnel on staff.
Deputy Defense Secretary William Lynn met Google executives in California in mid-February to discuss cloud computing. On May 19, Lynn instructed the Pentagon’s Defense Science Board to study the benefits and risks of cloud computing, “paying particular attention to attacks on communications that would destroy or delay delivery of services and information for time-critical uses.”
Lynn told Reuters that “cloud computing has the potential to offer greater capability at equal or lesser costs.” He added: “I want to make sure we are taking full advantage of these advanced technologies.”
The Pentagon is preparing a cloud computing strategy, which it expects to complete by the end of the summer, a U.S. defense official told Reuters.
“We’re trying to get to the place where warfighters or any of us can get to our information from anywhere on the planet, with any device,” the official said.
Schmidt, the White House coordinator, said as many as 170 security controls are being built into government cloud computing projects from the start. “It’s not deploying something and securing it later. We’re setting the requirements at the outset.”
“I’M NOT CONFIDENT THAT WE WOULD KNOW…”
So how safe are the computer networks of the United States, which perhaps more than any nation relies on them for banking, electric power and other basics of modern civilization?
In May 1998, then-President Clinton signed Presidential Decision Directive 63, calling for a “reliable, interconnected, and secure” network by 2003, and establishing a national coordinator for protecting critical infrastructure.
The Department of Homeland Security now has lead responsibility for protecting the power grid. Yet, as with almost everything involving cyber, it’s not quite that simple.
If there were a cyber attack on the power grid today, “I’m not confident that we would know what parts of the government should respond,” said one former U.S. official, who asked not to be identified. “Who jumps in there? DHS, DoD, Cyber Command, NSA, the intelligence community?”
“So nothing’s really happened.” said former Pentagon general counsel Judith Miller, talking about grid vulnerability at a cyber event in Washington this month.
“This is a discussion we had in the 1990s. We’re having it right now. Nothing really has changed, although perhaps the ability of attackers, whether they’re nation states or just kids, has grown apace,” she said.
A central conundrum is that the Pentagon’s National Security Agency, which specializes in electronic eavesdropping, has personnel with the best cyber skills, but has been until recently mostly shut out of protecting domestic networks. That’s due to the highly classified nature of the NSA’s work, and fears that it will stray into domestic spying.
Another complicating factor: the 1878 Posse Comitatus Act, which generally bars federal military personnel from acting in a law-enforcement capacity within the United States, except where expressly authorized by Congress.
“NSA has a long history in cyber security, on both the offensive and the defensive sides. It has great resources and expertise. But it makes privacy advocates nervous,” said Stewart Baker, a former DHS official now at the law firm Steptoe and Johnson LLP.
Last October, the Defense Department and Homeland Security – responsible for protecting civilian U.S. government networks – signed a memorandum to cooperate, with the NSA sharing technology and the agencies swapping personnel.
The effort has gotten mixed reviews. Schmidt said that early reports of inter-agency tension have dissipated, and Representative James Langevin, a member of the House intelligence committee, said DHS is improving. “I don’t think that they’re there yet but we’re moving in the right direction,” he said.
However other experts, who would not be quoted for the record, said the gap between the two agencies remains wide.
Even if the NSA, DHS and other agencies worked together seamlessly, the problem remains of coaxing industries in critical infrastructure to accept more government regulation.
“There’s absolutely no question that the power companies and indeed state regulators have been unenthusiastic about a federal role,” Baker said. He added this warning: “The regulation that would pass after a disaster is a lot worse than they would get right now.”
And then there’s the Stuxnet-like “zero day” attack, exploiting a flaw no one knew existed, perhaps tucked into some off-the-shelf software like that purchased daily by federal agencies.
“Our largest fear … is the zero day attack,” said Sherrill Nicely, the CIA’s deputy chief information officer. “It’s very, very, very difficult to protect oneself from an attack that you did not know was coming or the vulnerability that you did not know existed.”
(Additional reporting by Jeremy Pelofsky and Warren Strobel; Writing by Warren Strobel; Editing by Kristin Roberts and Claudia Parsons)