GUEST ESSAY: Pentagon’s security flaws highlighted in GAO audit — and recent data breach

By Sherban Naum

Being the obvious target that it is, the U.S. Department of Defense presumably has expended vast resources this century on defending its digital assets from perennial cyber attacks.


And yet two recent disclosures highlight just how brittle the military’s cyber defenses remain in critical areas. By extension, these developments are yet another reminder of why constantly monitoring and proactively defending business networks must be a prime directive at all large organizations, public and private.

A U.S. Government Accountability Office audit last week found that the defense department is playing catch-up when it comes to securing weapons systems from cyberattacks. At an earlier Senate hearing, GAO auditors described how DoD has failed to adequately address numerous warnings about how the rising use of automation and connectivity in weapons systems also tends to result in a fresh tier of critical vulnerabilities.

And then last Friday, as if to serve as a reminder that even routine security best practices may not be getting the emphasis they deserve, the Pentagon disclosed how attackers manipulated the account of a third-party vendor to access DoD travel records.

The result: personal information and credit card data of at least 30,000 U.S. military and civilian personnel were compromised. Don’t be surprised if the number of victims climbs higher, as we learned from the 2015 hack of 21.5 million personnel records from the U.S. Office of Personnel Management.

Supply chain gaps

The hacking of DoD travel records raises an important nuance. Five years after hackers broke into Target via its HVAC vendor, it remains as crucial as ever to stay on top of trust decisions about who can gain access to a supply chain, and under what criteria.


One has to assume that DoD specified certain security controls at the time the contract was awarded to the travel services vendor. However, over time, an adversary was smart enough to look and see if the vendor relied on lesser cyber protection, thereby presenting a softer target.

Seasoned attackers know, of course, that it is typical for federal government suppliers to hold transactional data, and that some even possess technical data, schematics and program details that would be hard to access through a direct offensive attack on a hardened military target.

Timely trust decisions

Targeting the soft underbelly of commercial entities supporting the U.S. government — where trust decisions are being made out of the limelight — vastly improves the attackers’ chance for success.

This reflects the core challenge of legacy systems being built with “trust decisions at buy time,” rather than taking the modern approach of “trust at run time.”

Traditionally, systems were designed, built and operated based on architectural decisions and technical limitations dating back years, and as such, trust was decided upon contract award. A modern architecture must reflect the ability to make trust decisions at the time processes are executed, limiting trust to fine-grained execution at run time, built upon a dynamic root of trust rather than a static one. Software-defined hardware is not a new concept, yet systems were hard-coded with a limited ability to adjust to real-time threats.

This gap comes into play on many levels. Senators have been informed about security lapses found by GAO auditors that enabled them to take over some systems using simple tools and techniques. In one instance, a two-person team was able to get initial access to a weapon system in one hour and full access within a day.

Dynamic defenses needed

The US government has a massive budget for defense spending, yet somehow that isn’t reflected in security provisions implementing trust decisions in real time, a must for weapons systems, communications infrastructure and related supply chain needs. If the government doesn’t make cybersecurity a priority from the outset, this leaves critical architectural vulnerabilities that need to be addressed immediately.

If the GAO is raising these issues, then nation states and cybercriminals know of them already and are leveraging as-yet-unknown, net-new vulnerabilities. It’s important that the defense department layer in dynamic defenses from the beginning, building in security protocols and protections as the government systems are being operated, allowing it to modulate trust in real time and stay ahead of aggressors and adversaries.

A vulnerability being exposed at the federal level is so much costlier than at the enterprise level. We can replace credit card records or restore customer loyalty. We can’t undo a rival nation state potentially roaming undetected inside weapons systems because there were insufficient security investments in modular, run-time security.

It’s time for the federal government to make cybersecurity a national priority, and ensure it is treated as such during the development of systems outlined in the GAO report.

About the essayist: Sherban Naum is Senior Vice President for Corporate Strategy and Technology at Bromium, which supplies security systems for web browsers and applications.

 


 
