Thursday, November 13, 2008

New Army Cyber Task Force

New Army Cyber Task Force Eyes Supply Chain, Hackers

By SHAUN WATERMAN,
UPI Homeland and National Security Editor
Published: Oct. 27, 2008 at 10:45 AM
Courtesy Of
United Press International

WASHINGTON, Oct. 27 (UPI) -- The U.S. Army has set up a special task force to counter the theft of sensitive data about cutting-edge defense technology by hackers who are breaking into the computer networks of military contractors.

The Defense Industrial Base Cyber Security Task Force was quietly established earlier this year in the face of what an Army document says are continuing large-scale thefts of "controlled unclassified information" from contractor systems.

"Exfiltrations of unclassified data from (military contractor computer) systems have occurred and continue to occur," states the document, "potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force."

At stake is sensitive data "used in the development of war-fighting systems during the acquisition life-cycle" -- in other words, information about and for weapons programs being developed and produced by private-sector contractors.

The document, produced in August for the undersecretary of defense for acquisition, technology and logistics and first reported last week by the Inside the Army Web site, states the task force also will address the fact that the increasing use of non-U.S. suppliers, "especially of key information technology components, raises the risk that adversaries could insert malicious or counterfeit components into U.S. Army weapons systems."

A report last year from the Defense Science Board said the globalization of the supply chain -- with software for high-technology systems increasingly developed outside the United States -- creates the possibility that unfriendly countries or other U.S. adversaries might insert so-called backdoor access or Trojan horse programs into military equipment, making it vulnerable to failure or takeover at crucial moments in combat.

"Current … efforts largely focus on mitigating risks of compromise to war-fighting technologies as a result of traditional espionage or industrial theft," rather than hacking or other cyber-attacks, the document notes, adding that "hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap."

The task force is undertaking a three-pronged effort, according to the document: developing Defense Department-wide policy; assessing the ongoing damage from computer intrusions; and evaluating and managing the risk that the growing use of non-U.S. suppliers might provide adversaries.

On the policy front the task force is leading an effort by all three services to develop "potential permanent solutions" for the problem, including new contract language and changes to the Defense Federal Acquisition Regulations.

The task force also is coordinating an interagency pilot program to assess the impact of past cyber-attacks against contractors "to determine whether there may have been compromises of data on current and future U.S. Army weapons programs, scientific and research projects and war-fighting capabilities that could cause a loss of technological advantage against our adversaries." This process will serve as a model for damage assessments of acquisition programs across the department.

Finally, the task force will develop a procedure to assess the risk "that adversaries might insert corrupted or malicious technology into components … (of) critical systems to later gain unauthorized access" in order to steal or corrupt data.

The effort will focus on companies making technology for "command control communications intelligence surveillance and reconnaissance" systems, the note says.

No one from the Army Public Affairs Office could be reached for comment Sunday, and members of the task force declined to comment to Inside the Army.

Government transparency advocate Steven Aftergood of the Federation of American Scientists, who posted the document on his Secrecy News Web site, noted that it was the third recent official publication to echo those concerns.

A policy memo last month from Pentagon Chief Information Officer John Grimes reiterated "the importance of properly protecting controlled unclassified information (known as CUI) placed on information systems connected to the Internet."

The Defense Department was currently hosting "thousands" of such insecure Web sites, and "far too much CUI data is still publicly available" on them, Grimes said.

Any information posted that might be accessible from the Internet "must be properly cleared for public release before it is posted," Grimes wrote.

And earlier this month, the Defense Department inspector general reported that tens of thousands of contractors -- including foreign nationals -- employed in Iraq and Afghanistan were issued special electronic cards giving them access to Department of Defense facilities and networks, without proper background checks.

Thousands of revoked cards were never recovered, and there was insufficient oversight of the process by which they were issued, the report concluded.
© 2008 United Press International, Inc. All Rights Reserved.
