PENTAGON CYBERSECURITY LACKING
A defense official told Congress this week that Pentagon security efforts against hackers and other threats remain weak.
Kaigham J. Gabriel, acting director of the Defense Advanced Research Projects Agency, told a Senate hearing Tuesday that the Pentagon is “capability-limited in cyber, both defensively and offensively.” “We need to change that,” Mr. Gabriel said. He noted that most details of cybersecurity threats and efforts to counter them can only be disclosed at the “special-access level,” the most secret security classification.
However, in both public and prepared statements to the Senate Armed Services subcommittee on emerging threats, Mr. Gabriel issued unusually blunt criticism of Pentagon cyberwarfare programs, both offensive and defensive.
As for cyberdefenses, Mr. Gabriel revealed that “attackers can penetrate our networks.”
“In just three days and at a cost of only $18,000, the Host-based Security System was penetrated,” he said.
Also, password security remains a “weak link.” For example, in security tests, 53,000 passwords were given to simulated hackers and, within 48 hours, 38,000 passwords were cracked. Also, the defense supply chain is “at risk,” Mr. Gabriel said. “More than two-thirds of electronics in U.S. advanced fighter aircraft are fabricated in off-shore foundries,” he said.
Additionally, physical systems can be penetrated easily by hackers. In one case, a smartphone hundreds of miles away took control of a car’s drive system through a security hole in its wireless interface.
“The United States continues to spend on cybersecurity with limited increase in security,” Mr. Gabriel said. “The federal government expended billions of dollars in 2010, but the number of malicious cyberintrusions has increased.”
Mr. Gabriel said the Pentagon has used a layered approach to protecting networks from attack that is not well-suited to dealing with evolving cyberthreats.
“Malicious cyberattacks are not merely an existential threat to [Defense Department] bits and bytes. They are a real threat to physical systems, including military systems, and to U.S. warfighters,” he said. “The United States will not prevail against these threats simply by scaling our current approaches.”
Regarding offensive cyberwarfare operations, Mr. Gabriel said the Pentagon “must have the capability to conduct offensive operations in cyberspace to defend our nation, allies and interests.”
The Pentagon needs a full range of cybertools for offensive attacks to secure national interests.
“Modern operations will demand the effective use of cyber, kinetic, and combined cyber and kinetic means,” Mr. Gabriel said. He said the shelf life for such weapons may be “days” as defenses are devised or offensive attacks thwarted.
Cyberwarfare tools also can be adapted from intelligence-gathering methods, he said.
“Rather, [cyberwarfare] options are needed that can be executed at the speed, scale and pace of our military kinetic options with comparable predicted outcomes,” he said.
In criticism of current U.S. government squabbling over controls and structure, Mr. Gabriel said a better question to be asked once lines of authority are clarified is: “What now?”
“The lack of capability is the overwhelming issue,” he said. “Further oversight strategies must be updated and be at pace with the threat.”