21 Apr 2009
BREAKING NEWS: Fighter-Jet Project Breached by Cyberspies
Added by USGIF Category: Daily Intelligence Brief
This morning, the Wall Street Journal broke this story about computer spies breaking into the Pentagon’s $300 billion Joint Strike Fighter project – DoD’s costliest weapons program to date. According to the article, the intruders were able to copy and siphon data related to the aircraft’s design and electronics systems, potentially making it easier to defend against the plane. The good news is that they could not access the most sensitive data, which is kept on computers not connected to the Internet.
This news further reinforces the many calls for the Obama administration to name a czar to lead a cyber security overhaul. If our most sensitive, and costliest, defense programs can be compromised, then this issue is deadly serious. Could it be a bunch of young hackers in Russia just trying to stir things up? Or could it be a rogue nation bent on exploiting this information for more significant and deadlier ends? We will most likely never know in this particular case. But the bottom line is that more needs to be done by government and industry to address this issue. Period. We welcome your thoughts.
Tags: Computer Spies, cyber attack, Cyber spies, cyberspies, Department of Defense, GEOINT, Joint Strike Fighter project, Pentagon, United States Geospatial Intelligence Foundation, USGIF
Linked-In comment:
I would suggest that cyber spying is not preventable.
Any cyberspace or open network is vulnerable and accessible.
The only way to prevent such spying is to use dedicated local area networks (LANs) fully isolated from wide area networks (WANs) using old-fashioned data exchange between the LANs.
Obviously, this would severely impact on data exchange speed and efficiency, but we’ll need to decide what is more important: speed or confidentiality.
From Linked-In:
Why do we continue to be surprised by security breaches? We all know they happen in some way or form on a daily basis and that the only truly safe computer is the one buried in a hole in the backyard. Why hasn’t the government placed a private infrastructure in place that doesn’t ride over publicly accessible networks for projects and information of such a secret nature as these? I know the cost is a great deterrent, but with the value of intellectual property, wouldn’t it be worth the overhead to keep our secret government data secure?
From Linked-In:
Yes, we are in a Cyber War and we need the finest, non-political Cyber Security Team… Problem is, the alphabet companies do not want noses from the White House and Congress under their tents!
Big Problem – political control and fighting – result: we are vulnerable!
The real issue is that the political fighting overshadows all other concerns, until the next disaster, when it will be finger-pointing time.
I believe we are headed for a real disaster, and soon, if they (Washington) don’t wake up and grow up…. Scary!
From Linked-In:
I was discussing this with a friend of mine and maybe someone here knows the answer to this. Isn’t there a security protocol that defines what level of computer CAN have an internet connection? I thought it was something like C2 level computers could not have a direct connection to any computer on the internet. The reflexive of this protocol was also something like C2 and greater data could not be transferred to a computer with an internet connection.
Does anyone here KNOW the actual specifics on these protocols? I’d be curious to read the facts on this.
The answer is almost as Michael said: it has to be disconnected from the public network and have no method of data transfer, i.e. no ports, disk media, or wireless media, and the case cannot be opened to remove the hard drives (which would have to be encrypted!).
That would be a mostly safe and useless computer.
From Linked-In:
Given that the recent Verizon Business Threat Review found that 30% of the 2008 security breaches were done by ‘trusted partners’, security is no better than our trust enforcement levels. ‘Mules’ in trusted partner companies in large development ecosystem projects like JSF are a fact of life that will become more glaring as the economic crisis is prolonged.
From Linked-In:
We need a change in computer processor technology and network encryption layers for both the front and back doors (which I have theories for and will not discuss on this forum). The current encryption algorithms used in network security are vulnerable in many respects due to our dependency on binary/octal math in use today. Every encryption algorithm known today has many discoverable key sets and weaknesses. Beyond this, hardware layers are exposed at many levels. I agree with Michael Berry that military and defense networks are too dependent on publicly accessible network infrastructure. The defense network needs to be completely isolated from both the internet and publicly accessible networks and carry new encryption technology only available to those with TS/SBI clearance or higher.
From Linked-In:
My viewpoint is that cyber security is generally treated as the red-headed stepchild inside corporate America. The Feds appear to place cyber security on a higher level – at least in theory and on paper.
The answer, again in my view, is education beyond IT cubicles.
Secure networks must be addressed with the same priority level as product quality, marketing, or customer service, for example. In my 17 years of experience, network or data security rates at a level three, or less, on the priority list of most corporations. A serious and consistent proactive approach to cyber security would be optimal. However, we remain in a consistent, head-in-the-sand, reactive mode.
From Linked-In:
Sure, but not without proper policies and security. Let’s face it, security is a penalty. You either pay that penalty every day on every task you need to accomplish, which results in these types of breaches, or you put in place an operations and product release team. I’m guessing that with the numerous organizational boundaries across companies, there was no operational product release team who did a final security check.
From Linked-In:
Given the capability of the DoD/ ECA PKI, CAC, and FiXs, if properly deployed with strong mutual authentication and validation to exercise adequate privilege management workflow, there is no excuse.
From Linked-In:
I disagree. The concept of cyberwarfare is to disable, disrupt, or degrade the military IT infrastructure in advance of a conventional attack. This is targeted cyber-crime and cyber-espionage, and it very likely is state-sponsored. However, this is still in line with the known methods and objectives of modern hackers.
Fundamentally, hackers are lazy, and target the low-hanging fruit. Having worked for several defense contractors, I can state with authority that these firms cannot eat their own dog food. They claim that they can secure government agencies, but their internal security is lacking. A good example is the contractor that allowed P2P software in their internal LAN, which allowed the blueprints of the helicopter used as Marine One to be discovered on a server in Tehran.
A good resource for what is and is not cyberwarfare is Marcus J. Ranum’s presentation: CyberWar is Bull&%#@, and a video of the presentation can be found at http://www.dojosec.com.
From Linked-In:
This happens due to the lack of qualified people to manage these systems. In fact, these companies are not investing money to protect their systems as they should.
I don’t understand how a billion-dollar project could be so exposed. Come on.. this is a project from US DoD…
Sure this could be prevented. Why were the files of the project available on systems connected to the Internet? Besides… why were those files not encrypted…
Sorry… but the guys responsible for protecting these files (and network) should be fired… Oh.. fire the project manager too…
All these data should be at least encrypted with AES 512b keys.
And.. regarding if there is a Cyber War… I’m sure that these data will end in a table of some scientists and engineers from other countries..
Two words to those companies that were “hacked”: hire me!
From Linked-In:
From what I read in the Journal, they said the hackers’ malware entered DoD via a hole in a contractor network. The malware then sent encrypted confidential data outbound. Whatever network security devices they/DoD were using were blind to the encryption. A classic ‘data leakage’ problem. It seems to me that DoD and all contractors should be required to correctly deploy DLP that can decrypt and inspect suspect outbound data, i.e. data coming from a server that contains sensitive info.
There are many companies out there with DLP products that are capable of decrypting data and then inspecting the information before it is allowed to leave the internal network. DLP setup is tiresome, but for confidential data such as advanced weapons systems this should be an absolute requirement. A compliance requirement.
The article also mentioned that the really sensitive data resides on a computer that is not connected to a network.
From Linked-In:
Accountability fostered by strong mutual authentication and associated governance. As we continue to lower the bar, the risk of breaches increases dramatically. If those trusted with protection are not effectively audited and held accountable, we will never fix the problem with any protection mechanism conceived. Holes created by the “good guys” are a by-product of this lack of accountability. Trust but verify.
From Linked-In:
The blunt answer is “No”. The very fact that files need to be stored on a computer somewhere that is networked explains it.
Technology used to secure other technology is inherently insecure. What you need to concentrate on is making it as difficult as possible (defence in depth) for would-be cyber-criminals to make away with such sensitive information.
From Linked-In:
There is a general consensus in government, especially acquisition programs, that IA is nothing but a paperwork drill and an impediment.
I believe that to a certain extent they are right. However, only because Program Managers made it that way. If it actually occurred to them, and they actually cared, about safeguarding our nation’s secrets, this would not have happened.
The only way a Cyber Security Czar affects this issue is by providing executive authority to hold responsible those that do not follow the established guidelines.
I say this with the assumption that the breach occurred through known and probably identified attack vectors. I have not seen any technical details posted, but in government, it’s a safe assumption.
Regardless of the attack, why did they not see it happening? I read that the breach happened over a long period of time. If so, why wasn’t it noticed? There are so many log and system monitoring tools out there that it’s unacceptable that it went on for as long as it did (2 years?) without being noticed. Come on, people. I will echo another person’s comment: why are we surprised that breaches happen? They will happen, no matter how well we protect networks. We need to step up the effort to know how to recognize that a breach is or has occurred so we can mitigate the risk.
This could have been a state-sponsored cyber attack, but another consideration is that there are many people hit by the economic downturn around the world. These people are looking for a way to make money. This would also mean that these attacks could very well be growing until the economic crisis starts to end.
Whoever is responsible, be it China, Russia or Hacker of the Day, there will be more, and hopefully the new Military CyberSecurity Command will get the support and funding they need to address the issues at hand. The next few weeks should be interesting.
Thanks
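Two of the comments above make a concrete defensive point: the DLP comment notes that the exfiltrated data left the network encrypted, so content inspection devices were blind to it, and the comment just above asks why a breach lasting a long period was never noticed in the logs. The following is an added example, not code from the article or from any commenter, showing how flow metadata (source host, destination, bytes, time of day) can flag a sustained outbound transfer from a server holding sensitive data even when the payload itself cannot be read. The host inventory, the thresholds, and the log lines are all constructed for the example; the flow record format is a hypothetical NetFlow-style one, not any specific product's.

```python
"""Flag sustained outbound transfers from sensitive servers using flow metadata.

Added example with constructed data; not from the article or its commenters.
The detection works on volume, destination and recurrence, so it does not
depend on being able to decrypt the payload.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical inventory of hosts that hold design data (constructed).
SENSITIVE_HOSTS = {"10.1.5.20", "10.1.5.21"}

# Address ranges treated as internal (RFC 1918); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src dst dst_port bytes_out".
# One sensitive host pushes ~50 MB to the same external address every night;
# the other entries are ordinary internal traffic and a one-off small upload.
SAMPLE_LOG = """\
2009-03-01T02:14:05 10.1.5.20 203.0.113.77 443 48000000
2009-03-01T09:30:11 10.1.5.20 10.1.7.9 445 120000
2009-03-02T02:17:42 10.1.5.20 203.0.113.77 443 51000000
2009-03-02T11:02:03 10.1.9.4 198.51.100.10 443 900000
2009-03-03T02:11:19 10.1.5.20 203.0.113.77 443 47500000
2009-03-03T14:45:00 10.1.5.21 10.1.7.9 445 3000000
2009-03-04T02:20:00 10.1.5.20 203.0.113.77 443 49000000
2009-03-04T16:00:00 10.1.5.21 198.51.100.10 443 200000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_external(addr):
    """True if the address is outside the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_sustained_exfil(flows, min_bytes_per_day=10_000_000, min_days=3):
    """Return alerts for (sensitive host, external dst) pairs that moved at
    least min_bytes_per_day on min_days distinct days.  Recurrence is the
    key signal: a single large upload may be legitimate, a nightly one from
    a design server to the same outside address rarely is."""
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["src"] in SENSITIVE_HOSTS and is_external(f["dst"]):
            daily[(f["src"], f["dst"])][f["ts"].date()] += f["bytes"]

    alerts = []
    for (src, dst), per_day in daily.items():
        heavy_days = [d for d, b in per_day.items() if b >= min_bytes_per_day]
        if len(heavy_days) >= min_days:
            alerts.append({"src": src, "dst": dst, "days": len(heavy_days),
                           "first": min(heavy_days), "last": max(heavy_days),
                           "total_bytes": sum(per_day.values())})
    return alerts


if __name__ == "__main__":
    for a in find_sustained_exfil(parse_flows(SAMPLE_LOG)):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['days']} days, "
              f"{a['total_bytes']} bytes ({a['first']} to {a['last']})")
```

The thresholds are deliberately simple; in practice they would be derived from each server's own baseline, and the inventory of sensitive hosts would come from the program's asset register rather than a hard-coded set. The point the example makes is that the "blind to encryption" problem the DLP comment describes only blinds content inspection: who is talking to whom, how much, and how often remains visible to anyone actually looking at the logs.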
From Linked-In:
Agreed, some of these issues are created when IT professionals report to a layered bureaucracy, and serious issues are delayed due to ROI- or cost-based purchasing. When IT professionals are held in the same esteem as IT-ignorant CFOs, and middle management is not pushing sales statistics and advertisement budgets ahead of infrastructure design and implementation, these issues will become resolved sooner rather than later. In addition, it is imperative we all have the ability to clarify the value of security before a catastrophe such as this strikes.
I work in an aerospace company in Europe and I can assure you that the security levels here are way too low. In our environment, you can easily find and access civil and defence design data (even just by reading reports left on your colleagues’ desks when they leave the office in the evening). Even worse, the office is full of non-EU and non-NATO nationals (Chinese, Indians, Russians…). Trusting their good faith all the time instead of implementing tight security policies seems to me really irresponsible.