US Military Clamping Down on InfoSec

Amid growing concern about hacker infiltrations into military computers, the top commander for the Department of Defense network operations has ordered a crackdown on security.

Lt. General Charles Croom, commander of the Joint Task Force on Global Network Operations and director of the Defense Information Systems Agency (DISA), said last week that a sweep of all Defense Department networks is underway to uncover security holes, as part of a get-tough policy.

"The attacks are coming from everywhere and they’re getting better," said Croom in his keynote address at the Department of Defense Cyber Crime Conference last week. "They’re exploiting weaknesses in our detection tools."

The discovery last November of a botnet inside Defense Department networks also contributed to the decision to tighten security. Jeanson James Ancheta, 20, was arrested by the FBI for allegedly implanting and running the remotely controlled spyware inside the department and elsewhere.

"It started on Nov. 5th with an information assurance stand-down day," Croom told the roughly 500 conference attendees. The military stand-down -- a cessation of regular activities in order to probe security problems -- is ongoing as DISA attempts to verify the tens of thousands of user accounts for Army, Navy and Air Force personnel.

So far, the results are troubling.

"Almost 20 percent of our accounts are unauthorized or had expired," Croom said, noting that military personnel tend to move every two or three years and accounts are sometimes left open. The exact tally of improper accounts won’t be known until March, he said.
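The kind of account review Croom describes can be run mechanically against an account export. The following is an added example, not code from the article or from DISA: the record fields, the 90-day idle threshold, the "sponsor" notion of authorization and the sample accounts are all constructed assumptions. It flags accounts that are unauthorized or expired (the article's two categories) and, separately, accounts that are idle or never used, which is how an account left behind by a reassignment usually shows up before it formally expires.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed threshold: an account unused this long is reported for review.
MAX_IDLE_DAYS = 90


@dataclass(frozen=True)
class Account:
    """One row of an account export (field names are assumptions for this example)."""
    username: str
    sponsor: Optional[str]      # authorizing official of record; None = nobody currently vouches for it
    expires: Optional[date]     # account end date; None = no expiry set
    last_login: Optional[date]  # None = never used


def account_findings(acct: Account, today: date, max_idle_days: int = MAX_IDLE_DAYS) -> List[str]:
    """Return the hygiene problems found on one account (empty list means clean)."""
    findings: List[str] = []
    if acct.sponsor is None:
        findings.append("unauthorized")   # no current authorizing official
    if acct.expires is None:
        findings.append("no-expiry")      # will never lapse on its own
    elif acct.expires < today:
        findings.append("expired")        # past its end date but still present in the export
    if acct.last_login is None:
        findings.append("never-used")
    elif (today - acct.last_login).days > max_idle_days:
        findings.append("idle")           # typical of an account left open after a move
    return findings


def audit(accounts: List[Account], today: date, max_idle_days: int = MAX_IDLE_DAYS) -> Dict[str, List[str]]:
    """Map every account that has at least one finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = account_findings(acct, today, max_idle_days)
        if findings:
            report[acct.username] = findings
    return report


def improper_fraction(accounts: List[Account], today: date) -> float:
    """Share of accounts that are unauthorized or expired, the two categories Croom cites."""
    if not accounts:
        return 0.0
    bad = sum(
        1 for a in accounts
        if {"unauthorized", "expired"} & set(account_findings(a, today))
    )
    return bad / len(accounts)


# Constructed sample export: five accounts, two of them improper.
TODAY = date(2006, 2, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith",  "maj.doe", date(2006, 12, 31), date(2006, 1, 28)),  # clean
    Account("rjones",  "cpt.lee", date(2005, 6, 30),  date(2005, 5, 12)),  # moved on; expired and idle
    Account("kwong",   None,      date(2006, 9, 30),  date(2006, 1, 15)),  # no sponsor: unauthorized
    Account("tnguyen", "lt.park", None,               None),               # no expiry, never used
    Account("mgarcia", "maj.doe", date(2007, 3, 31),  date(2006, 1, 30)),  # clean
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(findings)}")
    print(f"improper: {improper_fraction(SAMPLE_ACCOUNTS, TODAY):.0%}")
```

On the constructed sample the audit reports rjones (expired, idle), kwong (unauthorized) and tnguyen (no expiry, never used), and counts 40 percent of accounts as improper. In practice the same logic runs over an LDAP or directory export, and the idle and no-expiry findings are the ones worth acting on first, since they identify accounts that will otherwise stay open until someone notices.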

In addition, the military is increasingly fending off targeted phishing attempts in which attackers try to spoof victims into giving up passwords.

Network circuits that were never properly shut down, leaving back doors open, also concern Croom, who has held the top job in Defense Department network operations since July, when he succeeded Lt. Gen. Harry Raduege. Croom said the paperwork for each circuit must be in order or the circuit will be shut down.

"Last week we closed down four circuits to users," Croom said, though not identifying the exact locations. "Now I get an e-mail saying the paperwork will be in today." This get-tough approach is needed to put teeth into already-existing policy.

The biggest changes to come may be in the next six months as the JTF-GNO, the organization set up to centralize decisions about security and operations in the Army, Navy, Air Force and Marines, evaluates a possible redesign of its two primary global IP-based military networks.

The NIPRNet (Non-Secure Internet Protocol Router Network) is used for unclassified communications while the SIPRNet (Secret IP Router Network) is used for classified communications. "DISA wants to redesign these networks with security as the up-front criteria," Croom said.

The decades-old NIPRNet is a non-homogeneous combination of more than 1,500 networks, said Gen. Croom, adding that he originally helped wire some of it by hand himself. The SIPRNet has better security at its perimeter, but could benefit from internal partitioning, he said.

One primary difficulty is that the Defense Department has basically no end-to-end network management, he said, adding that he hoped this would be part of the architectural changes under review in the next six months.

Beyond the security crackdown, the Defense Department Cyber Crime Conference also highlighted other advances for the department.

The Defense Cyber Crime Center, in Baltimore, which provides computer forensics work for the military, announced its lab methodologies and standards earned it the accreditation of the American Society of Crime Laboratory Directors (ASCLD), making it one of only six computer forensics labs in the country to hold that distinction.

"This can give the [Defense Department's] leadership the confidence that they have experts in their line of work," said Lt. Col. Zatyko, director of the center's Defense Computer Forensics Laboratory.

Steve Shirley, executive director of the Defense Cyber Crime Center, said the ASCLD accreditation is an important step because the court system values it highly when digital evidence is presented in a criminal case.

The Defense Department and the Department of Justice also are working together to define possible requirements to certify computer forensics examiners because there is no recognized authority for this type of expert, although a handful of universities now have programs for this position.

"In air flight, the first aviators didn’t have a pilot’s license," Shirley said. "Basically speaking, we’re sort of in the same stage of development when it comes to digital forensics examiners."

By Ellen Messmer - Network World (US online)

Copyright © 2006 IDG Communications, Inc.
