Pentagon Cyber Defense Bill Comes To $100M For 6 Months

coondoggie writes "Protecting defense departments networks cost taxpayers more than $100 million over the past six months, US Strategic Command officials said yesterday. The motives of those attacking the networks go from just plain vandalism to theft of money or information to espionage. Protecting the networks is a huge challenge for the command, Air Force Gen. Kevin P. Chilton told a cyber security conference in Omaha, Neb., this week. 'Pay me now or pay me later,' Davis said. 'In the last six months, we spent more than $100 million reacting to things on our networks after the fact. It would be nice to spend that money proactively to put things in place so we'd be more active and proactive in posture rather than cleaning up after the fact.'"

frist post!

How much pentagon 'cyber' defense is protecting windows?

ban ding!

Re:frist post!

[joocemann]

Funny, but probably a LOT.

Re:frist post!

[EbeneezerSquid]

Yes, it is a lot.

- however, primarily these are client machines, and the forms of attack that military systems endure are, if not OS-independent (ddos, etc), then perpetrated by individuals who will adapt for whichever OS is being run (espionage, etc).

Moving from Windows to another OS would provide relatively little additional security for client machines while incurring a HUGE cost in user re-training.

Servers, on the other hand, are, ummmm. . . Let's just say the server world is a LITTLE different from the client world.

Re:frist post!

[bleh-of-the-huns]

Of course alot of it is windows, whether or not we like it, Windows is the current standard for the desktop and the easiest to support currently. On the other hand, there are 2 to 3 completely separate networks, 1 of those is the public net, the others are isolated and secure. Most of the cleanup work takes place on the non secured networks.

On the bright side, since I happen to work as a IA/IT security consultant, people using windows keeps me employed :)

Re:frist post!

[rtb61]

Retraining costs a neither here nor there as they are a one of cost versus continuing licence and security costs, basically going on forever. Quite simply they should go for parallel networks and external high risk network with strictly limited access and an internal network with no external access for all security work.

Re:frist post!

[bhiestand]

Retraining costs a neither here nor there as they are a one of cost versus continuing licence and security costs, basically going on forever. Quite simply they should go for parallel networks and external high risk network with strictly limited access and an internal network with no external access for all security work.

How are retraining costs neither a here nor there? Like it or not, that cost is huge and absolutely factors in. It's not easy to train millions of people to use a new OS, but it's doable. Teaching millions of people, who are generally already busy doing other things, how to use a PowerPoint, Outlook, and Word replacement is very expensive. Getting all of your internal solutions, custom apps, scripts, etc. recreated under the new environment is nearly impossible.

If the problem was a high percentage of zombie and infected PCs on DoD's networks, I might agree with you that there's a reason to do it. Since that doesn't appear to be the case, the cost/benefit analysis looks a bit like this: really expensive/very little return.

Re:frist post!

[badkarmadayaccount]

Uhhh, dude, there exists a utility for making such migrations gradual, it's called WINE, you might have heard about it. Seriously, set up a testing rig, and start tweaking WINE 'till it works OOTB for all the internal apps/scripts/etc (no pun intended).

Re:frist post!

[bhiestand]

Uhhh, dude, there exists a utility for making such migrations gradual, it's called WINE, you might have heard about it. Seriously, set up a testing rig, and start tweaking WINE 'till it works OOTB for all the internal apps/scripts/etc (no pun intended).

Uhhh, dude, I've used wine, and codeweavers, and VMs, and lots of other goodies. I don't think you understand the magnitude of the DoD's IT infrastructure. We're probably talking at least a million PCs, tens of thousands of custom apps, databases, programs, interfaces, protocols, front ends ... spread across hundreds (thousands?) of installations, supported by multiple separate IT organizations. And you would have all of this reworked to solve a problem that does not exist?

I like open source as much as the next guy, but the point still remains: Cost/Benefit = really expensive/very little return.

Re:frist post!

[rtb61]

Consider the long term, a student can be taught open source software once in their life and use that knowledge for the next forty years, versus minimum 40 closed source proprietary software licence renewals (more likely up near the 200 mark), with re-eduction for changed interfaces, so new manuals can be sold and excuses can be made for upgrading, so neither here there, as the initial education can be done at school for exactly the same price (excluding of course 16 years of proprietary licence fees during the full education period, say another 40 odd closed source proprietary licence fees). So hey, that is something near fifty years of closed source proprietary licence fees for every person, something like fifty thousand dollars.

TCO?

So how does this bill factor into the TCO of Windows?

I don't claim that the $100M would go to zero if Windows were eliminated in favor of more secure servers and desktops, but it would be a lot lower.

Re:TCO?

[wasted]

So how does this bill factor into the TCO of Windows?
I don't claim that the $100M would go to zero if Windows were eliminated in favor of more secure servers and desktops, but it would be a lot lower.

While working for the USAF, I was required to do some online training. To run the training, ActiveX had to be enabled and IE basicially set to "slut mode", that is, accept and run everything. That really didn't give me a good feeling about their security.

Re:TCO?

[cbiltcliffe]

You should have been able to fix this yourself.

Don't allow slut mode for everything.
Figure out what sites they use for the training, and add them to the trusted sites list.

I've seen this before in various places, and always disregarded the instructions for setting it up, and figure out what sites to add, instead.
They end up a lot more secure when I've finished setting them up, than if the instructions were followed.

Re:TCO?

[wasted]

Don't allow slut mode for everything.
Figure out what sites they use for the training, and add them to the trusted sites list.

I didn't have administrator access and wasn't employed to do IT, and thus couldn't have done a proper set up for everyone, anyway, so I took the easy way out - just setting slut mode to do training, then turning everything off when finished. As far as I am aware, everyone else in my office (and on that base, for all I knew) had slut mode set full time so they could do training when required,. As the training wasn't base-specific, it wouldn't surprise me to find out that the average Windows installation on non-sensitive systems USAF-wide is set with similar lax settings with the base firewalls being the main idea of security.

Hopefully, someone from the USAF will jump on and tell me that things have changed since then and/or that base must have been an exception.

Re:TCO?

Maybe things haven't changed as of yet, but the cadets in AFROTC (and in most colleges) now are mostly using Firefox as their default browser. So give it a few years, and the culture will change.

Re:TCO?

USAF here.
I don't recall having to change any settings to do training... but this is why there is diffrent levels of networks.
You can have every virus and trojen known to man on your NIPER computer and it won't affect the mission at all since they can't touch the SIPER or JWICS computer networks.

Re:TCO?

[EbeneezerSquid]

NIPR isn't any more secure than your home PC: and it doesn't have to be.

The only security considerations done on NIPR is Virus control so that the users can get their work done, and attack analysis, to see what the enemy/troublemakers are up to.

Nothing important is put on the unclassified military network, NIPR.

If you WERE putting something important on it, I suggest you go run and hide now.

Re:TCO?

[BitZtream]

If you could set it to 'slut' mode as you like to call it, you could have also added the site to the trusted sites list and only allowed those sites to do so.

Ignorance and being lazy is no excuse, especially for an airman.

Re:TCO?

[iivel]

Old news: http://www.techworld.com/opsys/news/index.cfm?newsid=2666 Secure windows versions w/ the NSA and US DoD working together have been the norm since just before Vista. The NSA actually has no specific guidance on any specialized config necessary to come up with a basic security profile for Vista/Win 7 (other than patches) More info can be found by googling USAF SDC

Re:TCO?

[wasted]

Ignorance and being lazy is no excuse, especially for an airman.

I was a contractor, not an airman. Even if I was gung-ho and did things properly, the person logging on after me with everything set to slut mode would still allow the "Click Here - You're a Winner" pop-ups and such to be self-installed.

Re:TCO?

Nope, no change as of yet. Also, many .mil sites use certificates that are not recognized by the default IE install at my base. The first time you visit any of these sites you are presented with a popup and must manually accept the certificate.

Re:TCO?

[cbiltcliffe]

Why the heck doesn't the military have their own CA, and import the CA cert into the image of all their machines?

I know, I know.....military intelligence....

Re:TCO?

Hopefully, someone from the USAF will jump on and tell me that things have changed since then and/or that base must have been an exception.

They haven't, and it isn't.

Re:TCO?

[bhiestand]

You can have every virus and trojen known to man on your NIPER computer and it won't affect the mission at all since they can't touch the SIPER or JWICS computer networks.

I have no idea where you work, but if everything your unit does on NIPR was instantly lost without warning and NIPR was never available to you again, I'm quite sure it would affect your mission. If not, you should look around you at the way other units operate, or need to operate, and realize that it would affect them.

Re:TCO?

[bhiestand]

They do have their own Root CA. Either AC is talking out of his ass, or the images using at his base are all kinds of jacked up. Frankly, from my experience with AF IT, it wouldn't surprise me if both were true.

Re:TCO?

I can't really think of how...
The only people in my unit who use NIPER for anything work releated are our admin people. While depending on how wide a 'NIPER outage' is maybe I couldn't update mypay and there would probably be some problems with assignments and the other things they do. But the fact is the planes would still fly, the reports would still get pushed, and the bombs would still hit their targets.

Re:TCO?

[bhiestand]

Last I saw, NIPR was vital for weather to get their reports, airspace frequently had to be coordinated with multiple agencies on NIPR, NOTAMSs were checked on NIPR, government charge cards were issued/tracked/paid on NIPR, and logistics ordered a lot of vital things on... NIPR.

There are separate networks because you can't have classified information floating around on NIPR, not because NIPR isn't needed.

Re:TCO?

There is a diffrence between needing something and simply useing something.
If NIPR was gone would the supply guys still not be able to pick up a phone and order whatever? Could NOTAMs simply not be transmitted on another network with a higher classifcation? Wheather is avalible on all network levels and on the TV if you are desperate.

Now if SIPR was down and I have a classifed satellite image to send you...
Or need to put infomation on to any of the battle managment systems...
Or need to get any infomation about what the planes are doing that date (I'm not sure what airspace coordination you had in mind but all the ATOs I see are secert)...

There's a big diffrence between having to fill out a couple of hard copies for your charge card because you can't do it online and not knowing north korea just launched an ICBM because JWICS is down.

Would it be a pain in the ass without NIPR? Of course. But we'd still be able to fight at 99% but if the classified networks get taken out it would be a much bigger blow.

Public domain?

[concernedadmin]

Are all the lessons learned in the public domain since the Pentagon is a government agency? I'm sure there are many others like myself curious to see how supposedly top-secret issues are kept safe from prying eyes. Failure intrigues me more than success because it's through failure that we learn.

Re:Public domain?

[plague911]

The in short no. Chances are just about every lesson they learned is top secret. The fact attacks have been occurring at all was probably secret for some time

Re:Public domain?

What's the "in-long"?

Re:Public domain?

[Brett+Buck]

It's certainly NOT Top Secret, in fact it's probably not classified. I would assume its FOUO, meaning that it can't be publicly released nor is it available through the FOIA.

        Brett

Re:Public domain?

[Entropius]

Our military does not exist for the benefit of our citizens, and has not for a long time.

Re:Public domain?

Our military does not exist for the benefit of our citizens, and has not for a long time.

It never did - at least not in American history.

Originally it was:
Militia = Civil defense
Military = Federal Defense

Now:
Militia = Domestic Terrorists
Military = Military Industrial Complex defense

Or maybe I am just having a bad day.

Re:Public domain?

[artor3]

Since when does everything a government does belong in the public domain? While the national security card is over played by most administrations (the previous one, in particular), it IS a valid reason to keep things secret.

Re:Public domain?

Are all the lessons learned in the public domain since the Pentagon is a government agency? I'm sure there are many others like myself curious to see how supposedly top-secret issues are kept safe from prying eyes. Failure intrigues me more than success because it's through failure that we learn.

The TS/SCI networks are 100% physically separated from the Internet, and they are monitored. As a cleared government employee, I was working on a TS/SCI machine and had a typo in a URL for their intranet... I retried it several times until I realized the mistake. About a minute later, my internal phone rang and the IT department wanted to know what I was trying to do. And this was in 2000.

Re:Public domain?

[fluffy99]

Actually, some of it probably is classified. If a compromise or vulnerability involves a classified network, then any of the info would be classified. Even if its an unclassified internet connected system current vulnerabilities would be classified. Investigations of ongoing compromises could be classified simply because you don't want to tip your hand to the adversary that you even know he's there - you're just watching to figure out how they got there, their techniques, and what they're after.

A large portion of the lessons learned, recommended configurations, etc are freely available. Check the DISA or NSA sites, or google for DOD all-hands messages and directives.

Re:Public domain?

[RockWolf]

you're just watching to figure out how they got there, their techniques, and what they're after.

I'd just like to congratulate you on the gramatically correct use of there, their and they're in the same sentence - it's a rare thing to see in these parts.

/~Rockwolf

Re:Public domain?

[BountyX]

Failure intrigues me more than success because it's through failure that we learn.

Not exactly. You must be over the age of 12.

Re:Public domain?

[DrugCheese]

Well, technically, they are OUR employees. The government is for the benefit of the people, not the government. Shall our protectors remove our liberties to protect us? Claiming anything national security, while having wide open borders, is a farce.

Re:Public domain?

[bleh-of-the-huns]

While some of what you stated is correct, the problem is more that people working at these secure locations are the problem. The secure networks (SIPR NET [http://en.wikipedia.org/wiki/SIPRNET] and JWICS [http://en.wikipedia.org/wiki/JWICS]) are extremely secure. The problem with secrets leaking out is with the way people handle them, those with clearances are supposed to know how to handle the information, but in many cases, simply due to the difficulties of moving that information around in official capacities, that information ends up on the NIPR NET [http://en.wikipedia.org/wiki/NIPRNET], which is essentially the normal internet/network access for users in secured facilities.

The networks above are isolated from each other, but that won't stop people from manually moving data from secure networks to non secure networks for ease of use.

I have had the opportunity to use the secured networks, and the workstations on those networks are locked down, hard, it is impossible to do almost anything but look at the web portals on those networks, and send email, and a few of the more specialized client/server applications that run on those networks.

Re:Public domain?

[EbeneezerSquid]

You are just having a bad day.

Militia (National Guard) = Homeland defense, disaster recovery & relief, Search & Rescue.

Military = Protection of US interests abroad (Projection of Power, Police actions, and Trade Route Protection)

As an aside, the rise of Piracy in the South China Sea and Indian Oceans came about when the Soviet Union Collapsed (thus removing their ships from trade route protection) and the US Navy began downsizing in response (Remove a large portion of the US Navy from Trade Route Protection).

Piracy will always be a problem unless there is someone willing to expend the resources to protect the trade routes. In the 19th Century it was Britain, and in the 20th, it was the USA.

Re:Public domain?

[bleh-of-the-huns]

The classified networks (SIPR and JWICS) are well isolated and while the chances of a vulnerability being exploited on those networks is slim, it has happened before. Mostly due to older workstations on those networks where stupid admins and people multi home their systems on the secure and non secure NIPRNET, which is against policy, and very much a no no, but it does happen....

Re:Public domain?

[bleh-of-the-huns]

Unfortunately, while it is supposed to be physically isolated, there have been times (and I have witnessed this) where stupid admins, or rather admins under extreme pressure from higher ups to get something done, have ended up connecting machines on SIPR and JWICS to NIPR, and then forgetting to disconnect after whatever they did was done, so you end up bridging the networks, oh, there are are for some reason still plenty of analogue modem lines on some of those secured networks (although some are secured with crypto cards)

Re:Public domain?

[fluffy99]

They're not as isolated as you would think or DOD would hope. They are still vulnerable to indirect denial of service attacks, and a few other *ahem* attacks involving user stupidity as you mentioned. Looking at other recent instances of damage to isolated networks gives you some examples. Viruses carried by thumb drives into an isolated nuclear powerplant network brought the system down. Circuits carrying your wan connections are vulnerable once they leave you facility regardless of encryption, and you've no real guarantee that Verizon won't be attacked and your Business wan circuits impacted.

Re:Public domain?

As an aside, the rise of Piracy in the South China Sea and Indian Oceans came about when the Soviet Union Collapsed (thus removing their ships from trade route protection) and the US Navy began downsizing in response (Remove a large portion of the US Navy from Trade Route Protection).

Piracy will always be a problem unless there is someone willing to expend the resources to protect the trade routes. In the 19th Century it was Britain, and in the 20th, it was the USA.

So what your saying is, we need to go after filesharers even harder? Ah ha! I know lets spend 100M every 6 months to do it! That'll teach them to download Britneys latest and greatest CD! They are afterall, Pirates

Re:Public domain?

The National Guard has been active in Iraq and Afghanistan for a while now.

Re:Public domain?

[BlueNoteMKVI]

Unfortunately the line between the Guard and the US military is very blurry and becoming moreso every day. A large number of the troops currently deployed in Iraq and Afghanistan are National Guard. When I deployed back in 2005 for hurricane relief (after Katrina+Rita) we were on state orders for a few days, but it wasn't long before the federal government picked up the tab (which meant a few extra benefits for us). The various state National Guard budgets receive quite a bit of money from the Federal budget every year and report to the National Guard Bureau.

Not to turn this into a gun control discussion, but I don't think that today's version of the National Guard is really what the founding fathers had in mind as a "well-regulated militia." There are many varying interpretations of that bit of text, but none describe a branch of the military funded and controlled (albeit remotely) by the Federal government.

Re:Public domain?

[bhiestand]

Well, technically, they are OUR employees. The government is for the benefit of the people, not the government. Shall our protectors remove our liberties to protect us? Claiming anything national security, while having wide open borders, is a farce.

I demand to know all of your personal secrets, sexual and medical history, and anything I may be able to use against you. Claiming anything privacy, while posting on Slashdot, is a farce.

Re:Public domain?

[DrugCheese]

sexual history? On Slashdot?! :p

I hope the execution is good.

[fuzzyfuzzyfungus]

In principle, the notion of securing defence networks is pretty much unobjectionable. And, if you are going to do so, doing it right the first time, rather than playing cleanup, is obviously superior.

I only hope that the project isn't going to become an endless money pit, at which various incompetent-but-well-connected contractors feed endlessly. A DoD remake of the FBI/SAIC farce would just be nauseous.

Re:I hope the execution is good.

[PhxBlue]

In principle, the notion of securing defence networks is pretty much unobjectionable. And, if you are going to do so, doing it right the first time, rather than playing cleanup, is obviously superior.

Except that we're talking about the Pentagon. The execution will be sloppy, and it will only get worse for two or three years until it becomes such a mess that the secretary of defense personally has to step in, smack some bitches and get it cleaned up. Then it will be okay, at least for a year or two.

Think I'm kidding? Look at the whole debacle with Darleen Druyun a few years back, or the more recent mess surrounding the Air Force's contract for a new tanker. In fact, I can't think of a single DOD acquisition program that has come in on budget recently, at least not among the high-ticket items symptomatic of what Secretary Gates called "next war-itis." My impression -- as a servicemember 1,400 miles outside the Beltway -- is that the Pentagon doesn't give a shit about cost overruns because it knows Congress will gladly pony up more taxpayer money at the drop of a hat to keep the military-industrial complex running smoothly.

You see, there's a precedent for the bank bailouts we just bent over to pay for: the American public has been "bailing out" Lockheed Martin and Boeing for decades.

Re:I hope the execution is good.

[Freaky+Spook]

In principle, the notion of securing defence networks is pretty much unobjectionable. And, if you are going to do so, doing it right the first time, rather than playing cleanup, is obviously superior.

Network security is a pretty constantly evolving thing, and something done right the first time, can still be completley undone in a couple of years if maintenance and upgrades are not tightly followed. As security threats emerge, systems have to be able to adapt to new threats, and this can be pretty costly, even for the most well developed systems.

The biggest cost to them is probably policy enforcement, when you think about how many Users the DoD has, and how many different levels of security clearance has to be enforced and maintained, the checking, reporting and acting on identified risks and threats would use an incredibly large amount of resources.

Re:I hope the execution is good.

[db32]

You know...the greatest irony of this is that it was a REPUBLICAN that warned of this. Eisenhower had a great many things to say on the subject of the military industrial complex and war in general. Unfortunately everyone associates the latest string of Republican fuckups with all Republican behavior. I'm not a big fan of some of Eisenhower's religious bent, but as far as understanding the threat of the military industrial complex and his understanding of war I will forgive him. He has a really great speech warning about the threats of the military industrial complex and making war a profitable endeavor.

Some choice quotes...please take the time to compare to our latest Republican "leader"

Don't join the book burners. Do not think you are going to conceal thoughts by concealing evidence that they ever existed.
Every gun that is made, every warship launched, every rocket fired, signifies in the final sense a theft from those who hunger and are not fed, those who are cold and are not clothed.
Here in America we are descended in blood and in spirit from revolutionists and rebels - men and women who dare to dissent from accepted doctrine. As their heirs, may we never confuse honest dissent with disloyal subversion.
How far you can go without destroying from within what you are trying to defend from without?
I despise people who go to the gutter on either the right or the left and hurl rocks at those in the center.
I hate war as only a soldier who has lived it can, only as one who has seen its brutality, its futility, its stupidity.
I would rather try to persuade a man to go along, because once I have persuaded him, he will stick. If I scare him, he will stay just as long as he is scared, and then he is gone.
If men can develop weapons that are so terrifying as to make the thought of global war include almost a sentence for suicide, you would think that man's intelligence and his comprehension... would include also his ability to find a peaceful solution.
If the United Nations once admits that international disputes can be settled by using force, then we will have destroyed the foundation of the organization and our best hope of establishing a world order.
If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom.
In most communities it is illegal to cry "fire" in a crowded assembly. Should it not be considered serious international misconduct to manufacture a general war scare in an effort to achieve local political aims?

In short...he is the antithesis to modern Republican behavior, an excellent leader, and a true soldier. He was also human and made mistakes...but FAR better than the "leaders" we have had over the last few decades.

Re:I hope the execution is good.

[EbeneezerSquid]

The problem you are both referring to is called "The Lowest Bidder

it goes like this:

1)Open call for Bids- the Lowest bid that claims to solve the problem/provide the required wins.

2)Everyone underbids, in order to win the contract

3)When they have the contract in hand, they feel no compunction about going over-budget, because the US Government will happily pay.

By the way, When they bid on the contract, they are bidding on "this is how much we think it will cost and this is how much profit we are willing to take." Even if the cost goes runaway, the contract states that they still get their profit.

Don't you wish all contracts we like that?

No?

Re:I hope the execution is good.

The irony is that idiots like you still label them 'republican' and 'democrat' as if that matters.

What team they play for doesn't change who the person is, our country will do a lot better when you idiots stop voting for your team and start voting for the guy that makes most sense for the job.

Re:I hope the execution is good.

[bhiestand]

The irony is that idiots like you still label them 'republican' and 'democrat' as if that matters.

What team they play for doesn't change who the person is, our country will do a lot better when you idiots stop voting for your team and start voting for the guy that makes most sense for the job.

Go local sports team!!!

Call me when you see humans shunning group mentality, exclusion, and blind dogmatism.

Nice to know

[mc1138]

That even the Pentagon is spending a lot of time playing catch-up rather than staying on top of things. Not that it's really a good thing per-se, but its nice to know they're just as human as the rest of us.

Re:Nice to know

[Foofoobar]

You mean just as human as you, meat bag. WE cylons don't have the weakness of being swaying by lobbyists and ...OOOH! A PIECE OF CANDY!

Re:Nice to know

[clarkkent09]

Pentagon or generally military efficiency is a myth, or rather propaganda. It's really no different than any other government organization in that it is highly bureaucratic, politicized (as in office politics, petty infighting over promotions etc, not democrat v. republican type of politics) and staffed mostly with second rate people who couldn't get a better paid job in the private sector. Apologies to exceptions who do it for patriotic reasons or whatever but that was my experience in working with military bureaucracy.

Re:Nice to know

[troll8901]

Hi there, Cylon Number Six. If I give you candy, will you give me ... ?

Cylons do it with candy in their mouths!

Re:Nice to know

[Foofoobar]

I'VE COME TO KICK ASS AND EAT JUJUBEES... and I have a WHOLE pocket full of JuJuBees! And I'm gonna force feed you the BLACK ONES! That's just how badass I am, human scum!

It didn't have to come to this.

[PhxBlue]

That even the Pentagon is spending a lot of time playing catch-up rather than staying on top of things.

The sad thing is, it didn't have to come to this. General Chilton's sharp, but his real area of expertise is space, and his command is behind the curve on cyberspace. Two recent events demonstrate this nicely.

First, and most recently, he commented on the vulnerability of the electrical grids -- that hackers, including possibly agents of foreign governments, have been able to break into power systems that are connected to the Internet. Computer security experts outside the government -- including people on SlashDot -- brought this issue up in 2001 or 2002, if not earlier. And Washington is just now aware of the problem? Now, to be fair, they might have been aware of it for years, in which case they might have recently declassified it with the intention of getting more money from Congress to "fix" the problem.

Second, and somewhat older news, is the brouhaha that is Agent.btz -- a worm that was spread onto the Secure Internet Protocol Router Network, most likely by someone who used a USB storage device to transfer data from an infected computer connected to the NIPRNet. But for the attack to succeed, the SIPRNet computers either couldn't have had antivirus software installed or had antivirus definitions that were at least six months out of date.

Now, all this is speculation on my part -- I don't have access to any information, classified or otherwise, that could corroborate this ... but given that we know how the virus spreads, it's a pretty easy conclusion to draw. But the course of events is pretty damning, given how heavily the U.S. military relies on its computer networks.

Do we need to step up security across our networks? Hells yes. But I'd rather see an Internet "militia," if you will, comprising experts from every part of the computer industry (including open source) who could collaborate with the military and with other government and non-government agencies to secure their networks from attack. It wouldn't be perfect, but it would work a lot better in my mind than trusting the security of our networks to either (A) a six-year-old checklist in the hands of an E-2 or (B) an overpaid contractor who's taking kickbacks from Microsoft, Cisco, et al, to promote one particular and proprietary solution.

Re:It didn't have to come to this.

[Chmcginn]

But for the attack to succeed, the SIPRNet computers either couldn't have had antivirus software installed or had antivirus definitions that were at least six months out of date.

Software (even patches) for a non-secure DOD computer requires a review before it can be installed or updated. I would imagine that the requirements for SIPRNET are more strict, certainly not less. It's likely that the review was not as high a priority as it should have been.

Re:It didn't have to come to this.

[EbeneezerSquid]

Actually the problem was the autoplay on USB keys re-infecting machines every time the virus was wiped out.

Autoplay is supposed to be disabled on all Military machines but it appears that some unit's IT departments were. . . Lax.

Re:It didn't have to come to this.

[bleh-of-the-huns]

Do we need to step up security across our networks? Hells yes. But I'd rather see an Internet "militia," if you will, comprising experts from every part of the computer industry (including open source) who could collaborate with the military and with other government and non-government agencies to secure their networks from attack.

Actually, this already exists, google for GFIST and NCRCG. I have participated in both. NCRCG to a lesser extent is primarily a reactive group, which has members from the 13 or so DOD, Federal Law Enforcement agencies and Federal Civilian agencies which are considered critical to the US infrastructure. GFIRST, is a larger group, consisting of CERT type groups and security personnel from all walks of life, banking, medical, federal law enforcement and federal civilian, local and state gov, utilities, etc, who meet (used to be at least once a month, not sure any more as I am no longer involved) and discuss the current problems facing the security of those networks. Some of those meetings require clearances, some do not, and they are usually hosted by random gov entities who donate conference space. Many of the things discussed in these meetings will never see the light of day public ally, but be aware that the issues reported on here are not new, only recently declassified.

It wouldn't be perfect, but it would work a lot better in my mind than trusting the security of our networks to either (A) a six-year-old checklist in the hands of an E-2 or (B) an overpaid contractor who's taking kickbacks from Microsoft, Cisco, et al, to promote one particular and proprietary solution.

I sort of take offense at this, I happen to be one of those contractors, and certainly not overpaid (I wish I was). In my capacity as a senior security engineer, and as a consultant, I have never (and neither have any of my co workers, across 3 very large well known companies) taken pressure to push a solution that a vendor has pushed on us. We have always taken the clients needs, and devised a solution that best fits the client, and the personnel that the client employs (you don't want to push a solution that would take 6 months to staff or retrain staff).

Re:It didn't have to come to this.

[bhiestand]

Actually the problem was the autoplay on USB keys re-infecting machines every time the virus was wiped out.

Autoplay is supposed to be disabled on all Military machines but it appears that some unit's IT departments were. . . Lax.

When I was in, I brought it up to my IT guys... they didn't seem to know what I was talking about. But don't worry, they banned thumb drives a long time ago, so the problem has been solved.

That's all?

[davidwr]

Call me cynical, but at Pentagon Pricing(TM), that sounds like a bargain.

Put a large, inward facing firewall around china.

[BlueBoxSW.com]

Problem Solved.

Who is Davis?

[Fierlo]

I read the summary, and I read the article. Both contain only the name 'Davis' for the quotes. Maybe I'm missing something, but who is this person? I kind of doubt Davis is short for Air Force Gen. Kevin P. Chilton, the only other name mentioned in the article.

Re:Who is Davis?

[Quantos]

I only hope it's not in reference to Ziff Davis.

the internet

[OrangeTide]

our government should just pull the plug on this whole internet thing and stop using it. seems too costly.

NSA wants to control cybersecurity

[JoeBuck]

And that's why you're seeing stories like this one, plus the other one claiming Chinese penetration of software controlling power plants. Fear, fear, fear. Only the spooks can save us. Turn over the internet to people who will stamp "classified" on what they do.

Re:NSA wants to control cybersecurity

[Moridin42]

If the NSA wanted to control cybersecurity, parading a 100 million USD expenditure over the past 6 months in front of people probably isn't going to do much of.. well.. anything.
How many trillions of dollars of expenditures are in or have been in the news in the past 6 months? 100 million is pocket change. Looks damnably reasonable, in comparison.

Re:NSA wants to control cybersecurity

[wstrucke]

yeah... i'd be willing to bet the NSA spends at least five times that much on digital security, though i would not be surprised if this was a student to get more funding, transfer the funding, or something else along those lines.

Perspective

[Joebert]

That's roughly $6.34 each second.

If you tried to put together a single 9 man team consisting of the , it wouldn't be enough to pay them to finish the season.

Re:Perspective

[Joebert]

Crap, I screwed up the link somehow. That's "...consisting of the highest paid players in baseball,..."

Re:Put a large, inward facing firewall around chin

Woo-hoo! Now *China* will be outsourcing!

Seems a bit low actually

[TeamGracie]

100M over 6mo sounds pretty low imo. This same conference, the speakers mentioned it costs ~6M per security incident to clean up the mess. The panel also mentioned there are thousands of attempts a day on govmt cyberspace infrastructure.

Here's an idea...

[wstrucke]

How about we just disconnected the government from the internet?

Seriously though -- save $100 million and run a separate network. The idea that if I had the right combination of addresses and credentials I could launch a nuke right now is ludicrus. Is it really necessary to have systems that could compromise our national security connected to the internet? In this day and age? Really?

Re:Here's an idea...

[im_thatoneguy]

Something tells me the nuke launch systems aren't on the same network as the rest of the DOD.

Re:Here's an idea...

[troll8901]

Seriously though -- save $100 million and run a separate network.

Do me a favor - go read up on military networks in Wikipedia. You can start with the 25-year old MILNET network.

You can also bet that there's networks that nobody in the public (or low-to-medium levels of military) knows.

---

The idea that if I had the right combination of addresses and credentials I could launch a nuke right now is ludicrus.

You're right, it's ludicrous. That's why the idea is never pursued, except possibly for honeypots/misinformation.

Man, I just wasted 15 minutes trying to enlighten you!

Re:Here's an idea...

[bhiestand]

Seriously though -- save $100 million and run a separate network.

Do me a favor - go read up on military networks in Wikipedia. You can start with the 25-year old MILNET network.

You can also bet that there's networks that nobody in the public (or low-to-medium levels of military) knows.

---

The idea that if I had the right combination of addresses and credentials I could launch a nuke right now is ludicrus.

You're right, it's ludicrous. That's why the idea is never pursued, except possibly for honeypots/misinformation.

Man, I just wasted 15 minutes trying to enlighten you!

You need a new moniker. Or are you trying to be funny, like the guy who is 7 feet tall and nicknamed "Small"?

Re:Here's an idea...

[troll8901]

You need a new moniker. Or are you trying to be funny, like the guy who is 7 feet tall and nicknamed "Small"?

I was trying to be funny, but over the past few months, some of my messages were marked "-1, Troll/Redundant/Off-topic", and quite rightly too. I learned a lot by being marked down.

My parent message might be modded "3, Insightful", but the last line "I just wasted 15 minutes on you" is pure flame, and I should have STFU. "My tongue weighs so little, yet I can't hold it."

I will change my moniker or create a new one, when I can write well, default to 1, and get modded 3 to 5 all the time. Especially "Funny".

Did they really mean...

[shermo]

Seems likely the reporter misplaced a B with an M.

Oh and here's a somewhat related xkcd comic. http://xkcd.com/558/

Simple: Pull the plug on the Internet

[blanchae]

Why they need Internet access is beyond me. They should have their own network - whoops wasn't the Internet designed by the DnD?

Re:Simple: Pull the plug on the Internet

[bleh-of-the-huns]

They do, google NIPRNET SIPRNET and JWICS

SIPR and JWICS are isolated secure networks, NIPR is the non secure network that interfaces with the public internet. This is where most of the problems occur.

Stratcom is down - Watch for falling space junk.

[PaulLoveless]

http://www.stratcom.mil/ has been /.

what is a coservative? how big is the tent?

In short...he is the antithesis to modern Republican behavior, an excellent leader, and a true soldier. He was also human and made mistakes...but FAR better than the "leaders" we have had over the last few decades.

There are many Republicans and self-identified conservatives who were completely against what Bush et al. were doing, and spoke up publicly about it. Jerry Pournelle is one that comes to mind.

Windows can be secured quite easily & well

"I don't claim that the $100M would go to zero if Windows were eliminated in favor of more secure servers and desktops, but it would be a lot lower. - by Anonymous Coward on Wednesday April 08, @08:39PM (#27512281)

Would it be? I state that, because even SeLinux can use SOME work for "security-hardening" & the tool that can show that much to anyone, is the multiplatform CIS Tool...

(Which a benchmark of security basically, based on industry "best practices" for Linux variants, BSD variants, Windows variants, & other *NIX variants also)

Once CIS Tool's points are applied to Windows (to the tune of a 99/100 score being possible)?

It helps a great deal & makes 'security-hardening' Windows, either professional/workstation class OR server versions of Windows, easier & the end-result is a Windows setup that IS, much more secure.

Case-in-Point/Example (of a user who had applied it in early 2008, & he is running malware infestation FREE, to the current date):

(From an End-User's perspective)

----

"Its 2009 - still trouble free!

I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point.

So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.

Great stuff!

My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads.

APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"

THRONKA @ -> http://www.xtremepccentral.com/forums/showthread.php?s=6f9097928745786bab6ab447b252b33e&t=28430&page=3

----

Thus, as you can see? Securing Windows IS fairly easily possible, & especially via the CIS Tool + its guidance... it works! The guide he used IS part of that thread in which he made his statement, in that very posting there, & his results are very good thusfar.

APK

P.S.=> Also - The guide goes "above & beyond" CIS Tool, in many ways, also, in order to help secure Windows NT-based OS' of modern variety (such as 2000/XP/Server 2003, & to an extent, the principles in that guide apply to VISTA &/or Windows 7 as well (I just wish they'd put back PORT FILTERING gui controls into them, AND, allow 0 as a valid blocking IP address in the HOSTS file in VISTA &/or Windows 7 also - the removal of port filtering adversely affects the concept of "layered security" in them, & only allowing 0.0.0.0 or 127.0.0.1 as blocking IP addresses in HOSTS files only promote inefficient bloat))... apk

Defense Intelligence Agency (Windows Only)

http://diajobs.dia.mil/

Says it all!

Re:Defense Intelligence Agency (Windows Only)

[bhiestand]

http://diajobs.dia.mil/

Says it all!

You just made me vomit and laugh simultaneously.

Re:Put a large, inward facing firewall around chin

i thought they already did that for us.