Pentagon Cyber Defense Bill Comes To $100M For 6 Months

coondoggie writes "Protecting defense departments networks cost taxpayers more than $100 million over the past six months, US Strategic Command officials said yesterday. The motives of those attacking the networks go from just plain vandalism to theft of money or information to espionage. Protecting the networks is a huge challenge for the command, Air Force Gen. Kevin P. Chilton told a cyber security conference in Omaha, Neb., this week. 'Pay me now or pay me later,' Davis said. 'In the last six months, we spent more than $100 million reacting to things on our networks after the fact. It would be nice to spend that money proactively to put things in place so we'd be more active and proactive in posture rather than cleaning up after the fact.'"

frist post!

How much pentagon 'cyber' defense is protecting windows?

ban ding!

Public domain?

[concernedadmin]

Are all the lessons learned in the public domain since the Pentagon is a government agency? I'm sure there are many others like myself curious to see how supposedly top-secret issues are kept safe from prying eyes. Failure intrigues me more than success because it's through failure that we learn.

Re:Public domain?

Our military does not exist for the benefit of our citizens, and has not for a long time.

It never did - at least not in American history.

Originally it was:
Militia = Civil defense
Military = Federal Defense

Now:
Militia = Domestic Terrorists
Military = Military Industrial Complex defense

Or maybe I am just having a bad day.

Re:Public domain?

Are all the lessons learned in the public domain since the Pentagon is a government agency? I'm sure there are many others like myself curious to see how supposedly top-secret issues are kept safe from prying eyes. Failure intrigues me more than success because it's through failure that we learn.

The TS/SCI networks are 100% physically separated from the Internet, and they are monitored. As a cleared government employee, I was working on a TS/SCI machine and had a typo in a URL for their intranet... I retried it several times until I realized the mistake. About a minute later, my internal phone rang and the IT department wanted to know what I was trying to do. And this was in 2000.

Re:Public domain?

[fluffy99]

Actually, some of it probably is classified. If a compromise or vulnerability involves a classified network, then any of the info would be classified. Even if its an unclassified internet connected system current vulnerabilities would be classified. Investigations of ongoing compromises could be classified simply because you don't want to tip your hand to the adversary that you even know he's there - you're just watching to figure out how they got there, their techniques, and what they're after.

A large portion of the lessons learned, recommended configurations, etc are freely available. Check the DISA or NSA sites, or google for DOD all-hands messages and directives.

Re:Public domain?

[RockWolf]

you're just watching to figure out how they got there, their techniques, and what they're after.

I'd just like to congratulate you on the gramatically correct use of there, their and they're in the same sentence - it's a rare thing to see in these parts.

/~Rockwolf

I hope the execution is good.

[fuzzyfuzzyfungus]

In principle, the notion of securing defence networks is pretty much unobjectionable. And, if you are going to do so, doing it right the first time, rather than playing cleanup, is obviously superior.

I only hope that the project isn't going to become an endless money pit, at which various incompetent-but-well-connected contractors feed endlessly. A DoD remake of the FBI/SAIC farce would just be nauseous.

Re:I hope the execution is good.

[PhxBlue]

In principle, the notion of securing defence networks is pretty much unobjectionable. And, if you are going to do so, doing it right the first time, rather than playing cleanup, is obviously superior.

Except that we're talking about the Pentagon. The execution will be sloppy, and it will only get worse for two or three years until it becomes such a mess that the secretary of defense personally has to step in, smack some bitches and get it cleaned up. Then it will be okay, at least for a year or two.

Think I'm kidding? Look at the whole debacle with Darleen Druyun a few years back, or the more recent mess surrounding the Air Force's contract for a new tanker. In fact, I can't think of a single DOD acquisition program that has come in on budget recently, at least not among the high-ticket items symptomatic of what Secretary Gates called "next war-itis." My impression -- as a servicemember 1,400 miles outside the Beltway -- is that the Pentagon doesn't give a shit about cost overruns because it knows Congress will gladly pony up more taxpayer money at the drop of a hat to keep the military-industrial complex running smoothly.

You see, there's a precedent for the bank bailouts we just bent over to pay for: the American public has been "bailing out" Lockheed Martin and Boeing for decades.

Re:I hope the execution is good.

[db32]

You know...the greatest irony of this is that it was a REPUBLICAN that warned of this. Eisenhower had a great many things to say on the subject of the military industrial complex and war in general. Unfortunately everyone associates the latest string of Republican fuckups with all Republican behavior. I'm not a big fan of some of Eisenhower's religious bent, but as far as understanding the threat of the military industrial complex and his understanding of war I will forgive him. He has a really great speech warning about the threats of the military industrial complex and making war a profitable endeavor.

Some choice quotes...please take the time to compare to our latest Republican "leader"

Don't join the book burners. Do not think you are going to conceal thoughts by concealing evidence that they ever existed.
Every gun that is made, every warship launched, every rocket fired, signifies in the final sense a theft from those who hunger and are not fed, those who are cold and are not clothed.
Here in America we are descended in blood and in spirit from revolutionists and rebels - men and women who dare to dissent from accepted doctrine. As their heirs, may we never confuse honest dissent with disloyal subversion.
How far you can go without destroying from within what you are trying to defend from without?
I despise people who go to the gutter on either the right or the left and hurl rocks at those in the center.
I hate war as only a soldier who has lived it can, only as one who has seen its brutality, its futility, its stupidity.
I would rather try to persuade a man to go along, because once I have persuaded him, he will stick. If I scare him, he will stay just as long as he is scared, and then he is gone.
If men can develop weapons that are so terrifying as to make the thought of global war include almost a sentence for suicide, you would think that man's intelligence and his comprehension... would include also his ability to find a peaceful solution.
If the United Nations once admits that international disputes can be settled by using force, then we will have destroyed the foundation of the organization and our best hope of establishing a world order.
If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom.
In most communities it is illegal to cry "fire" in a crowded assembly. Should it not be considered serious international misconduct to manufacture a general war scare in an effort to achieve local political aims?

In short...he is the antithesis to modern Republican behavior, an excellent leader, and a true soldier. He was also human and made mistakes...but FAR better than the "leaders" we have had over the last few decades.

It didn't have to come to this.

[PhxBlue]

That even the Pentagon is spending a lot of time playing catch-up rather than staying on top of things.

The sad thing is, it didn't have to come to this. General Chilton's sharp, but his real area of expertise is space, and his command is behind the curve on cyberspace. Two recent events demonstrate this nicely.

First, and most recently, he commented on the vulnerability of the electrical grids -- that hackers, including possibly agents of foreign governments, have been able to break into power systems that are connected to the Internet. Computer security experts outside the government -- including people on SlashDot -- brought this issue up in 2001 or 2002, if not earlier. And Washington is just now aware of the problem? Now, to be fair, they might have been aware of it for years, in which case they might have recently declassified it with the intention of getting more money from Congress to "fix" the problem.

Second, and somewhat older news, is the brouhaha that is Agent.btz -- a worm that was spread onto the Secure Internet Protocol Router Network, most likely by someone who used a USB storage device to transfer data from an infected computer connected to the NIPRNet. But for the attack to succeed, the SIPRNet computers either couldn't have had antivirus software installed or had antivirus definitions that were at least six months out of date.

Now, all this is speculation on my part -- I don't have access to any information, classified or otherwise, that could corroborate this ... but given that we know how the virus spreads, it's a pretty easy conclusion to draw. But the course of events is pretty damning, given how heavily the U.S. military relies on its computer networks.

Do we need to step up security across our networks? Hells yes. But I'd rather see an Internet "militia," if you will, comprising experts from every part of the computer industry (including open source) who could collaborate with the military and with other government and non-government agencies to secure their networks from attack. It wouldn't be perfect, but it would work a lot better in my mind than trusting the security of our networks to either (A) a six-year-old checklist in the hands of an E-2 or (B) an overpaid contractor who's taking kickbacks from Microsoft, Cisco, et al, to promote one particular and proprietary solution.

Re:It didn't have to come to this.

[Chmcginn]

But for the attack to succeed, the SIPRNet computers either couldn't have had antivirus software installed or had antivirus definitions that were at least six months out of date.

Software (even patches) for a non-secure DOD computer requires a review before it can be installed or updated. I would imagine that the requirements for SIPRNET are more strict, certainly not less. It's likely that the review was not as high a priority as it should have been.

Re:TCO?

[wasted]

So how does this bill factor into the TCO of Windows?
I don't claim that the $100M would go to zero if Windows were eliminated in favor of more secure servers and desktops, but it would be a lot lower.

While working for the USAF, I was required to do some online training. To run the training, ActiveX had to be enabled and IE basicially set to "slut mode", that is, accept and run everything. That really didn't give me a good feeling about their security.

Put a large, inward facing firewall around china.

[BlueBoxSW.com]

Problem Solved.

Perspective

[Joebert]

That's roughly $6.34 each second.

If you tried to put together a single 9 man team consisting of the , it wouldn't be enough to pay them to finish the season.

Re:TCO?

[cbiltcliffe]

You should have been able to fix this yourself.

Don't allow slut mode for everything.
Figure out what sites they use for the training, and add them to the trusted sites list.

I've seen this before in various places, and always disregarded the instructions for setting it up, and figure out what sites to add, instead.
They end up a lot more secure when I've finished setting them up, than if the instructions were followed.