Agreed, some of these issues are created when IT Professionals report to layered bureaucracy , and serious issues are delayed due to ROI or cost based purchasing. When IT Professionals are held with the same esteem as IT ignorant CFOs, and middle managment is not pushing sales statistics and advertisement budjets ahead of infrastructure design and implementation these issues will become resolved sooner than later. In addition, it is imperative we all have the ability to clarify the value of security before a catastrophe such as this strikes.

There is a general consensus in government, especially acquisition programs, that IA is nothing but a paperwork drill and an impediment.

I believe to a certain extent, they are right. However, only because Program Managers made it that way. If it actually occurred to them, and they actually cared, about safeguarding our nation’s secrets, this would not have happened.

The only way a Cyber Security Czar affects this issue is by providing executive authority to hold responsible those that do not follow the established guidelines.

I say this with the assumption that the breach occurred through known and probably identified attack vectors. I have not seen any technical details posted, but in government, its a safe assumption.

The blunt answer is “No” The very fact files need to be stored on a computer somewhere that is networked explains it.

Technology used to secure other technology is inherently insecure. What you need to concentrate on is to make it as difficult as possible (Defence in depth) for would be cyber-criminals to make away with such sensitive information.

Accountability fostered by strong mutual authentication and associated governance. As we continue to lower the bar the risk of breaches is increased dramatically. If those trusted with protection are not effectively audited accountable we will never fix the problem with any protection mechanism conceived. Holes created by the “good guys” is a by-product of this lack of accountability. Trust by verify.

From what I read in the Journal they said the hackers malware entered DoD via a hole in contractor network. The malware then sent encrypted confidential data outbound. Whatever network security devices they/DoD were using were blind to the encryption. A classic ‘data leakage’ problem. It seems to me that DOD and all contractors should be required to correctly deploy DLP that can decrypt and inspect suspect outbound data, i.e. data coming from a server that contains sensitive info.

There are many companies out their with DLP products that are capable of decrypting data and then inspecting the information before it is allowed to leave the internal network. DLP setup is tiresome but for confidential data such as advanced weapons systems this should be an absolute requirement. A compliance requirement.

The article also mentioned that the really sensitive data resides on a computer that is not connected to a network.

This happens due the lack of qualified people to manage these systems. In fact these companies are not investing money to protect they system as should.
I don’t understand how a billion project could be so exposed. Come on.. this is a project from US DoD…
Sure this could be prevented. Why the files of the project were available in systems connected in the Internet? Besides… Why those file were not encrypted…
Sorry… but the guys responsible to protect these files (and network) should be fired… Oh.. fire also the project manager…
All these data should be at least encrypted with AES 512b keys.
And.. regarding if there is a Cyber War… I’m sure that these data will end in a table of some scientists and engineers from other countries..
Two words to those companies that were “hacked”: hire me!

I disagree. The concept of cyberwarfare is to disable, disrupt, or degrade the military IT infrastructure in advance of a conventional attack. This is targeted cyber-crime and cyber-espionage, and it very likely is state-sponsored. However, this is still in line with the known methods and objectives of modern hackers.

Fundamentally, hackers are lazy, and target the low-hanging fruit. Having worked for several defense contractors, I can state with authority that these firms cannot eat their own dog food. They claim that they can secure government agencies, but their internal security is lacking. A good example is the contractor that allowed P2P software in their internal LAN, which allowed the blueprints of the helicopter used as Marine One to be discovered on a server in Tehran.

A good resource for what is and is not cyberwarfare is Marcus J. Ranum’s presentation: CyberWar is Bull&%#@, and a video of the presentation can be found at http://www.dojosec.com.