Defense Department officials can implement a mixture of technologies and procedures to fortify the department's computer networks, but real protection requires designing a new generation of systems and security tools, a leading computer scientist said.
Eugene Spafford, a computer sciences professor at Purdue University who has testified before Congress on cybersecurity, questions whether it's possible to develop new systems without investing in long-term research.
Attacks on DOD computer networks are on the rise as adversaries attempt to bypass the United States' formidable defenses and launch attacks from the inside out, experts say.
Defending DOD's networks will require a combination of efforts, Spafford said.
He outlined six steps DOD could take to strengthen the department's network defenses. They are:
- Buying systems based on security features rather than cost.
- Limiting access to systems.
- Removing systems from networks unless those systems are absolutely necessary.
- Restricting who can add hardware and software to networks.
- Requiring proper training and supervision for network managers and computer users.
- Establishing careful network-monitoring practices.
But Spafford said incremental changes will not strengthen existing networks and a whole new approach is needed.
"Unfortunately, the government is not funding much research in cybersecurity and almost none in long-range research," said Spafford, who is also executive director of Purdue's Center for Education and Research in Information Assurance and Security. He cited President Bush's decision in June to let the President's Information Technology Advisory Committee expire without reappointing current members or selecting new ones.
Spafford said the threat to DOD networks is varied and complex. "In large part, the systems used are based on commercial products that were never written for high-security environments," he added.
Spafford said misconfigured or misapplied patches create vulnerabilities that are exacerbated by having systems linked together.
"It means that any weak point can be accessed from all sorts of places and can in turn reach out to damage lots of other military systems," he said.
Clint Kreitner, president and chief executive officer of the Center for Internet Security, a nonprofit organization that helps government and industry officials better manage computer security risks, said DOD should limit access to certain networks.
Alan Paller, director of research at the SANS Institute, said government and industry should avoid using new information assurance technologies that vendors claim are impervious to attacks. Instead, he said, they should anticipate new threats 18 months in advance and develop technologies and policies to address them.
A Defense Information Systems Agency official said DOD relies on a sophisticated approach to information assurance.
The official added that the department is changing how it builds systems by moving to a service-oriented architecture that will make IT services widely available on the network and improve data sharing governmentwide.
"We are doing this in order to make more and better data available to more people in DOD and to our partners, and as a way of increasing our agility and our ability to innovate in the development of warfighting processes based on these services," the DISA official said.
DOD also changed its approach to network operations. The official said the department has moved to a structure that puts the Joint Task Force-Global Network Operations in charge of operating, managing and defending DOD's information infrastructure, with organizations in the military services reporting to the joint task force.
DOD relies on its global networks and IT to achieve its mission, and the country's adversaries recognize DOD's dependence on networks and electronic information, the DISA official said.
"The DOD networks are very large," the official said. "So we have many challenges in synchronizing the many IT efforts and security for these across this vast infrastructure."
