Pentagon Cyber Defense Bill Comes To $100M For 6 Months

coondoggie writes "Protecting defense departments networks cost taxpayers more than $100 million over the past six months, US Strategic Command officials said yesterday. The motives of those attacking the networks go from just plain vandalism to theft of money or information to espionage. Protecting the networks is a huge challenge for the command, Air Force Gen. Kevin P. Chilton told a cyber security conference in Omaha, Neb., this week. 'Pay me now or pay me later,' Davis said. 'In the last six months, we spent more than $100 million reacting to things on our networks after the fact. It would be nice to spend that money proactively to put things in place so we'd be more active and proactive in posture rather than cleaning up after the fact.'"

It didn't have to come to this.

[PhxBlue]

That even the Pentagon is spending a lot of time playing catch-up rather than staying on top of things.

The sad thing is, it didn't have to come to this. General Chilton's sharp, but his real area of expertise is space, and his command is behind the curve on cyberspace. Two recent events demonstrate this nicely.

First, and most recently, he commented on the vulnerability of the electrical grids -- that hackers, including possibly agents of foreign governments, have been able to break into power systems that are connected to the Internet. Computer security experts outside the government -- including people on SlashDot -- brought this issue up in 2001 or 2002, if not earlier. And Washington is just now aware of the problem? Now, to be fair, they might have been aware of it for years, in which case they might have recently declassified it with the intention of getting more money from Congress to "fix" the problem.

Second, and somewhat older news, is the brouhaha that is Agent.btz -- a worm that was spread onto the Secure Internet Protocol Router Network, most likely by someone who used a USB storage device to transfer data from an infected computer connected to the NIPRNet. But for the attack to succeed, the SIPRNet computers either couldn't have had antivirus software installed or had antivirus definitions that were at least six months out of date.

Now, all this is speculation on my part -- I don't have access to any information, classified or otherwise, that could corroborate this ... but given that we know how the virus spreads, it's a pretty easy conclusion to draw. But the course of events is pretty damning, given how heavily the U.S. military relies on its computer networks.

Do we need to step up security across our networks? Hells yes. But I'd rather see an Internet "militia," if you will, comprising experts from every part of the computer industry (including open source) who could collaborate with the military and with other government and non-government agencies to secure their networks from attack. It wouldn't be perfect, but it would work a lot better in my mind than trusting the security of our networks to either (A) a six-year-old checklist in the hands of an E-2 or (B) an overpaid contractor who's taking kickbacks from Microsoft, Cisco, et al, to promote one particular and proprietary solution.

Re:Nice to know

[clarkkent09]

Pentagon or generally military efficiency is a myth, or rather propaganda. It's really no different than any other government organization in that it is highly bureaucratic, politicized (as in office politics, petty infighting over promotions etc, not democrat v. republican type of politics) and staffed mostly with second rate people who couldn't get a better paid job in the private sector. Apologies to exceptions who do it for patriotic reasons or whatever but that was my experience in working with military bureaucracy.

Re:Public domain?

[fluffy99]

Actually, some of it probably is classified. If a compromise or vulnerability involves a classified network, then any of the info would be classified. Even if its an unclassified internet connected system current vulnerabilities would be classified. Investigations of ongoing compromises could be classified simply because you don't want to tip your hand to the adversary that you even know he's there - you're just watching to figure out how they got there, their techniques, and what they're after.

A large portion of the lessons learned, recommended configurations, etc are freely available. Check the DISA or NSA sites, or google for DOD all-hands messages and directives.

Re:TCO?

USAF here.
I don't recall having to change any settings to do training... but this is why there is diffrent levels of networks.
You can have every virus and trojen known to man on your NIPER computer and it won't affect the mission at all since they can't touch the SIPER or JWICS computer networks.