DOD Kicks Up Cybersecurity Efforts
codingOgre writes "The US Army will try to secure an entire computer network against a team led by the NSA. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. I would have to think that this would be a lot of fun! I would like to see what the NSA and friends could throw at my network, although one would think they wouldn't reveal all their cards...like the backdoor into any Windows box :)" In a related story, jkinney3 writes: "The feds are wising up to the needs for a verifiable, secure code base for all of the DOD stuff, according to Government Computing News. A proposed solution 'would create a single executive organization responsible for software integrity and information assurance.' Joe Jarzombek, deputy director for software assurance in DOD's Information Assurance Directorate, said 'DOD possesses so many millions of lines of code in countless thousands of packages, that it would take years of effort and millions of dollars just to identify what was developed where.' I'm envisioning a lot of Bugzilla installations."
Unfortunately exercises like this show how our conventional approach to warfare (cyber- or human-) is doomed in the world of increasing unconventional war tactics.
With a network or a piece of land, actively defending against a known enemy in a known timeframe is fairly easy. You know the rules for engagement, you can easily account for all the possible outcomes.
Putting processes in place to defend against undeterminable attackers in an indefinite timeframe approaches the impossible. In a network, all it takes for hostile code to infiltrate is one human error (i.e.: a race condition when a firewall ACL changes). Same with terrorism: all it takes is a few people with flight training and box-cutters to do some serious damage. There are no rules of engagement.
Put another way, conventional warfare (again, cyber- or human-) is like a chess tournament. Predictable rules. For the unconventional, imagine someone winning a chess tournament by pulling out a gun and shooting the opposing player.
_______
2B1ASK1
If I had moderator points, you would be at -1 right now instead of 0.
This is the best way to learn security, by applying the "book learned" concepts to the real world. In fact, this is exactly what we did for the final project in the Computer Security course that I took as part of my MS in Computing program at Marquette.
It also reinforced a very important concept -- people are the weakest link. We got the other group to send us passwords by faking an email in the instructor's name!