With short notice, the House Armed Services Committee Panel on Asymmetric and Unconventional Threats will hold a hearing tomorrow to examine cyber security, information assurance and information exploitation issues at the Department of Defense. I say short notice because the witness list for the hearing didn’t appear until today and the hearing’s lead witness, CRA Board member and Purdue professor Eugene Spafford, didn’t receive an invitation to attend until Tuesday. Joining Spaf on the panel are David Grawrock, Principal Engineer and Security Architect at Intel, and Paul Kurtz, Executive Director of the Cyber Security Industry Alliance.
Spaf has already submitted his written testimony (pdf) and it’s excellent (especially given the time constraint). In it, he notes that DOD faces some worrisome trends in defending itself from cyber threats:
- The number of reported attacks of various kinds is generally increasing annually;
- Attacks are becoming more sophisticated and more efficient;
- Few perpetrators are ever caught and prosecuted;
- An unknown (but probably large) number of attacks, frauds and violations are not detected with current defenses;
- A large number of detected attacks are not reported to appropriate authorities;
- The problem is international in scope, both in origin of attacks and in location of victims;
- The majority of the attacks are enabled by faulty software, poor configuration, and operator error.
Exacerbating these trends at DOD are a number of factors:
- An over-dependence on commercial-off-the-shelf products (COTS);
- A lack of metrics measuring the safety, security and quality of IT products in a general and meaningful way;
- A lack of deterrence — vandals and criminals operate with the knowledge that there’s almost no chance of being caught unless they are exceedingly careless;
- A lack of fallback alternatives — no planning for how to proceed with critical mission responsibilities with degraded or disabled IT resources;
- An under-investment in research, especially long-term research at DOD and throughout the federal research portfolio; and
- An ill-informed application of classification by agencies like DARPA that prevents some of the best minds in the country from working on cyber security problems.
Spaf has a number of recommendations for actions to take to reduce the threat to DOD IT systems, but I thought I’d list his primary recommendation here, especially as it echoes recommendations we’ve made many times in the past:
1. Most importantly, increase the priority and funding for scientific research into issues of security and protection of IT systems. This was the conclusion of the PITAC, and of numerous other studies cited in the PITAC report. Too much money is being spent on upgrading patches and not enough is being spent on fundamental research by qualified personnel. There are too few researchers in the country who understand the issues of information security, and too many of them are unable to find funding to support fundamental research. This is the case at our military research labs, commercial labs, and at our university research centers. Increased spending for research is an investment in national defense and national economic competitiveness, and is not in other expenditures for basic and applied research.
The hearing begins at 9 am, October 27th, and will be webcast (click on the microphone icon next to the hearing notice) and archived.
Spaf’s full testimony is here. (pdf)