The U.S. Department of Defense (DOD) and Department of Homeland Security (DHS) have established a pilot program with leading private defense contractors and their ISPs, called the DIB Cyber Pilot, to pool what each side knows about the growing security threats in cyberspace, a high-ranking DOD official told a gathering of global security experts this week.

“[F]or all the military capability that information technology enables, it also introduces vulnerabilities,” said Deputy Secretary of Defense William J. Lynn, speaking at the 28th Annual International Workshop on Global Security in Paris on Thursday. “We learned this lesson in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems—something we thought was impossible. It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.

“The cyber threat continues to grow, posing new dangers to our security that far exceed the 2008 breach of our classified systems.”

The Defense Industrial Base (DIB) Cyber Pilot program was started last month, Lynn said. The voluntary program involves sharing the DOD’s classified threat intelligence with defense contractors and their private Internet service providers (ISPs), “along with the know-how to employ it in network defense.”

He said DIB Cyber Pilot does not involve “monitoring, intercepting, or storing any private sector communications” by the DOD and DHS.

Lynn broke the emerging threats down into three categories: suspected government-backed intrusions into military and private sector networks for espionage; crude but disruptive attacks on networks by hacking groups such as Anonymous; and destructive attacks targeting critical infrastructure and military networks.

Among the recent high-profile cyberattacks in the first category, he cited security breaches, possibly orchestrated by government agencies, at the International Monetary Fund, Lockheed Martin, Google, NASDAQ, and Citibank. Lynn also said the French Finance Ministry and the European Commission “had suffered major intrusions in recent months.”

“This kind of cyber exploitation does not have the dramatic impact of a conventional military attack,” he said. “But over the long term it has a corrosive effect that in some ways is more damaging. It blunts our edge in military technology and saps our competitiveness in the global economy.”

Lynn also mentioned the distributed denial of service (DDoS) attacks of recent years that disrupted Internet service in Estonia and Georgia, as well as the commercial networks of private firms like eBay and PayPal; these are generally thought to be the handiwork of loosely organized hacking groups pursuing political goals, or simply engaging in destruction for their own amusement.

“To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, largely reversible, and short in duration,” Lynn said. “But in the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.”

Interestingly, Lynn did not cite an example of a destructive attack on a military network or critical infrastructure, “[t]he third and most dangerous cyber threat.”

The most high-profile example of such a destructive attack is the Stuxnet worm, which used a Microsoft Windows shortcut (.LNK/.PIF) vulnerability, CVE-2010-2568, together with other zero-day exploits to spread, and then targeted Siemens supervisory control and data acquisition (SCADA) software and the programmable logic controllers it manages at Iran’s nuclear facilities, most notably the Natanz enrichment plant, last year.

Some believe Stuxnet was created by a U.S. or Israeli government agency, or possibly by the two working together. In April, Iranian officials reported that a second piece of malware, dubbed Stars, had been found on their systems; little about it has been confirmed independently.

Such attacks are seen as the most dangerous by IT security experts because, unlike the data breaches and phishing expeditions of Lynn’s first threat category, they seek to destroy the functionality of weapons systems and critical infrastructure: the networked industrial control systems that keep nuclear reactors within safe operating limits, for example, or that run sewage treatment.

And unlike the relatively simple DDoS attacks and SQL injections carried out by Anonymous, LulzSec, and others, Stuxnet-type attacks are extremely sophisticated, tailored to their targets, and difficult to counter quickly.
