The U.S. Army this week received a sobering assessment of the steps necessary to defend against the current and emerging generations of cybersecurity attacks, including everything from abandoning bring-your-own device policies to standardizing and simplifying its entire IT infrastructure.
“You have to fundamentally reduce the attack surface,” said Jim Young, the Army account executive for Google Enterprise Transformation. “The average number of bugs per 1,000 lines of code really has not changed. Each and every line of code can and will be used against you, to include the security code you’re using to protect your systems,” Young said, speaking at the Association of the United States Army annual conference in Washington, D.C. “And with the new system of systems architecture, it becomes even more complicated to find a deep-rooted problem internally.”
One of the fundamental ways to reduce the number of vulnerabilities is to standardize the infrastructure and require vendors to deliver securely configured hardware and software, Young said.
“What if you could order your hardware and software that didn’t have the attack surface to begin with?” Young asked. This would not only increase security but would lead to cost savings from not having to first strip the general purpose systems of their unnecessary functionality before deployment, he said.
The Defense Department is currently working to reduce its IT footprint and potential avenues of cyber-attack, said Maj. Gen. Alan Lynn, vice director of the Defense Information Systems Agency, the Pentagon’s network provider known by its acronym, DISA. That effort, known as the Joint Information Environment, involves the consolidation of more than 15,000 networks and 1,850 data centers.
“The JIE starts with developing a single security architecture that goes across all of DOD,” Lynn said. It will reduce the attack surface across all of DOD by creating a single enterprise environment equipped with core data centers, security suites, standardized identity management and built-in sensors, he said.
The Pentagon European Command was the first to begin deployment of JIE capabilities in July, he said. But ultimately, JIE will encompass all of DOD.
“We’re looking to drop from about 1,850 data centers down to about 100 and from 15,000 networks to 3,000 networks,” Lynn said.
Even with the consolidation of networks and data centers, security will need to be automated, said former DISA director Lt. Gen. Charles Croom, who retired from the Air Force in 2008 and now serves as vice president of cybersecurity solutions at Lockheed Martin.
“We have to get people out of the loop and automate what we should already know how to do,” Croom said, referring to basic things such as configuration management, patching and standard cybersecurity hygiene. “How do we automate these mundane tasks? It will take advanced research because we don’t do it well today.”
According to Croom, signature-based defenses have really “hit the wall” and are not capable of defending enterprises from advanced persistent threats – attacks in which hackers use sophisticated malware to gain access to the network and remain undetected for months or even years.
“Only a machine can handle this type of information with speed,” Croom said.
But Young also argued it might be impossible in the current environment, even with massive computing clusters actively searching for vulnerabilities, to secure the myriad number of devices that are now connecting to government networks. Young suggested a radical approach to dealing with this problem.
“In Google’s opinion, [BYOD] is not a good idea,” Young said. “Currently, it is too tough to defend each device as it runs as a native client [on the network]. You simply cannot hire enough people. You should have some preapproved devices. But you cannot possibly think of each and every attack vector and each and every mobile device today and defend it at the enterprise level.”
Young’s approach could prove to be a critical factor in the military’s ability to combat the threat posed by trusted insiders. Preventing the next Edward Snowden, the former defense contractor responsible for the National Security Agency leaks, or Pfc. Bradley Manning (now Chelsea Elizabeth Manning), the former soldier who leaked thousands of military and State Department documents to WikiLeaks, is a high priority for the Army and the Pentagon as a whole.
The Army’s plan for combating insider threats is contained in its vision for its future network, called Army Network 2020. That network will incorporate behavior-based analytics to detect insider threats automatically, Lynn said. It will do that by logging each user’s activity and building a behavior profile it can monitor against, he said.
“It will follow your pattern. If you change your behavior and do something completely different [like download a lot of information from an internal site] that automatically does a red flag [to security],” Lynn said. Such a capability would also be useful beyond detecting insider threats, allowing security analysts to identify external attackers that may have taken over a legitimate user’s computer.
Croom, however, warned there are no “game-changing” technologies on the horizon that will suddenly create a more secure cyber-environment for the military. “This is not a win-it overnight” scenario, he said.
To the surprise of many in the audience, Young pointed out the vast majority of security innovation is currently coming out of the consumer device market.
“In the consumer space, devices are coming that are actually better than what you have in the enterprise and in the military,” Young said. “The top three selling devices … actually never allow persistent malware, they never allow an advanced persistent threat or executable. I think you’ll naturally see the military embrace commercial technology that is actually leading in many ways for endpoint security.”