More

Pentagon Commander: U.S. Unprepared To Face Cyber Attacks

Cybersecurity

03/16/11 06:49 PM ET   AP

Inspiring
 Funny
 Obsolete
 Scary
 Must-Have
 Amazing
 Innovative
 Nerdy

WASHINGTON -- The U.S. military does not have the trained personnel or the legal authorities it needs to respond to a computer-based attack on America or its allies, and a crisis would quickly strain the force, the Pentagon's cyber commander said Wednesday.

Gen. Keith Alexander, head of the Defense Department's Cyber Command, told Congress that he would give the military a grade of "C" in its ability to protect Pentagon networks, but said things are much better than they were a few years ago and continue to improve.

"We are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces," Alexander said. "We cannot afford to allow cyberspace to be a sanctuary where real and potential adversaries can marshal forces and capabilities to use against us and our allies. This is not a hypothetical danger."

The U.S. government has said its networks are probed and attacked millions of times a day, and that cyber criminals, terrorists and other nations are getting more adept at penetrating government and private networks to spy, steal critical data or affect critical infrastructure such as the electrical grid.

Alexander's grim assessment of America's abilities to fend off cyber threats was echoed earlier in the day by homeland security officials and analysts.

"Whatever we are doing now is not working," said James Lewis, a cybersecurity expert and senior fellow at the Washington-based Center for Strategic and International Studies. "We need to rethink our approach." He said if an enemy launched a cyberattack, "we are unprepared to defend ourselves."

Homeland Security Department Undersecretary Phil Reitinger told the House Homeland Security Committee that the ongoing budget deadlock will trigger funding cuts and hurt the agency's effort to install the Einstein 3 program across the federal networks. Einstein 3 is a sophisticated system that will detect and automatically block intrusions.

Alexander and James Miller, the principal defense undersecretary for policy, said the Pentagon is working steadily to better harden its networks and work with the administration to figure out what authorities the military needs in order to respond to cyberattacks against the government and critical infrastructure which is generally owned and operated by private companies.

The Pentagon is preparing a cybersecurity strategy, and observers have said it must answer key questions about how the military will define cyber war, describe its offensive operations in cyberspace and lay out the steps it can take in response to an attack.

Miller told members of the House Armed Services Subcommittee on Emerging Threats and Capabilities, that U.S. officials are making progress working with other countries on an international understanding and guidelines for cyber activities, including Russia. But, he said, "we have not had the same level of conversations with China."

U.S. officials have been cautious when talking about the cyber threat from China, but have generally acknowledged that a number of the network intrusions emanate from there, although it is difficult to tell whether they are endorsed or orchestrated by the Beijing government.

The military, said Alexander, does not have the cyber force it needs to defend its networks or to ensure its ability to plan and operate in cyberspace. And he said that other nations have cyber weapons that can cripple infrastructure as powerfully as bomb blasts do.

He pointed to recent events across the Middle East, which show that governments can easily block Internet access in order to disrupt civilian protests.

Alexander warned that all future conflicts around the world will have a cyber aspect to them. He said the U.S. military is prepared to conduct computer-based attacks to protect critical infrastructure or respond to an assault on the homeland or American allies. But, he said, the administration and Congress need to better define what the military can do under certain circumstances, including how and when it can take steps to protect civilian networks.

FOLLOW HUFFPOST TECH

WASHINGTON -- The U.S. military does not have the trained personnel or the legal authorities it needs to respond to a computer-based attack on America or its allies, and a crisis would quickly strain ...
WASHINGTON -- The U.S. military does not have the trained personnel or the legal authorities it needs to respond to a computer-based attack on America or its allies, and a crisis would quickly strain ...
Related News On Huffington Post:
 

Read more from Huffington Post bloggers:
Sarah Granger

Sarah Granger: White House Unveils Global Cyberspace and Cybersecurity Policies

The next Osama bin Laden may not be one bearded man hiding in a walled fortress but instead a group of highly skilled, faceless men behind computers. Cyberterrorism, while still largely science fiction, lurks around the corner.

Filed by Bianca Bosker  | 

More in Technology...


 
 
  • Comments
  • 31
  • Pending Comments
  • 0
  • View FAQ
Comments are closed for this entry
View All
Favorites
Recency  | 
Popularity
Page: 1 2  Next ›  Last »  (2 total)
photo
Jokergirl
No joke actually, humor helps heal
109 Fans
08:38 PM on 05/12/2011
If a 9 year old can hack into the Pentagon then yeah, I'd say their security is still needing a little adjustment. DOH!
Permalink  |
HUFFPOST SUPER USER
Steven Travis
Just killing time
158 Fans
08:27 PM on 03/20/2011
Sounds to me like someone is looking to spend some Tax payer dollars.
Permalink  |
absolument
Debate the policy. But first, LEARN the science.
485 Fans
08:29 PM on 03/20/2011
And, I think, discourage scrutiny of boondoggles such as
http://www.huffingtonpost.com/2011/03/17/online-persona-management_n_837153.html
... by invoking "national security" fears which, as I said just below, are not really supported by any evidence.
Permalink  |
absolument
Debate the policy. But first, LEARN the science.
485 Fans
10:41 AM on 03/18/2011
I've been seeing this headline for years, and the military has not been brought to its knees. Military websites are not defaced with enemy propaganda. And being probed is not a sign of danger, it's just a sign of being on the Internet. This 'Einstein 3' program looks like a boondoggle. Instead of adding more software to scan for access that seems like 'intrusion,' just don't offer remote services and don't allow incoming sessions. These are simple firewall rules in iptables, the Linux standard firewall program. Ask the NSA for help with SELinux instead of testifying to Congress that you need to throw even more money at corporate military contractors, General Keith.
Permalink  |
photo
HUFFPOST SUPER USER
DomainDiva
Aviation SaaS Entrepreneur and Technical SME
103 Fans
 
09:02 AM on 03/18/2011
All of the really talented people belong to Anonymous. Good luck getting the real cream of the crop.
Permalink  |
photo
ohiotechie
Better dead than red...
605 Fans
08:02 AM on 03/18/2011
I know this isn't a popular opinion but I've felt for some time that we need a new branch of the service devoted solely to cyber security - a Cyber Force if you will. I see this as similar to our military before WW2. At the time air power wasn't seen as a central military force or capability on it's own - that's why it was a branch of the Army - the Army Air Corp.

WW2 demonstrated just how important air superiority was and in the wake of this war we established a complete new branch called the Air Force. It had it's own command structure, it's own capabilities and it wasn't tied to other agencies and branches - it could and did act independently.

This needs to happen for cyber security. Our current security landscape is too fragmented and lacks uniformity to fend off any wide scale attacks. We also need to accept the fact that other governments and organizations have developed and continue to refine offensive cyber capabilities and we need to do likewise. To fail to do this in the 21st century would be like disregarding the airplane in the 20th century or the battleship in the 19th...

Imagine the entire eastern seaboard without electrical power for 2 months - this and other scenarios far worse are real possibilities in a sustained, coordinated cyber attack. It's not a question of if it's a question of when and whether or not we are prepared when it happens.
Permalink  |
photo
HUFFPOST SUPER USER
Ramkshrestha
Lumbini-Kapilvastu Day Movement
216 Fans
 
07:08 AM on 03/18/2011
Could be even though US will be alert.
Permalink  |
This user has chosen to opt out of the Badges program
tgiovanni
40 Fans
06:24 AM on 03/18/2011
Maybe the Pentagon should start with something simple, like an Etch-a-Sketch, or an Abacus. The Etch-a-Sketch would give them desktop publishing capabilities to express their ideas with pretty pictures, and the Abacus would allow them to perform advanced arithmetic like subtraction. One of the first arithmetic problem they should start working on immediatley is:

"If I get 1 gazillion dollars, can I spend 1.5 gazillion dollars?"

The Pentagon has a really tough time solving these advanced word problems, so, they really need those abacus.
Permalink  |
photo
HUFFPOST SUPER USER
DomainDiva
Aviation SaaS Entrepreneur and Technical SME
103 Fans
 
09:03 AM on 03/18/2011
You said it all. LOL howling!!!!
Permalink  |
photo
HUFFPOST SUPER USER
Desolati0n
I am the freshest wizard ever.
30 Fans
 
01:01 PM on 03/18/2011
I lol'd.
Permalink  |
photo
SirHenryClinton
88 Fans
06:23 AM on 03/18/2011
I see two major vulnerabilities with our national cyber infrastructure. First, the Boarder Gateway Protocol is insecure. A rewrite of BGP to prevent "spoofing" could fix the problem. Secondly, there are countless PC and servers on the Internet that are inherently insecure due to their poorly designed operating systems and applications. Many have already been compromised and await exploitation by criminals, terrorists, or hostile governments. This could be addressed by switching to open source systems like Linux. Because Linux is open source, it is absolutely free; installing it on defense and critical infrastructure system would cost very little. It would be far more costly to wait until we're attacked to decide to make our systems more secure. If you have an Android device, you're already running Linux.

Richard Clarke points out in his recent book Cyber War that Einstein does not protect private infrastructure like power plants and water treatment plants. Einstein 3 is still under development and most likely will never be deployed due to budget cuts. The current administration, like previous administrations, appears to have little interest in fixing Internet vulnerabilities before an attack that could cripple our ability to respond, possibly as a prelude to a physical attack. As a Linux user for the last fifteen years, I know that hardening American infrastructure to cyber attack is not a matter of cost. Furthermore, a steady migration to Linux will save millions, if not billions, of dollars wasted in response to viruses and malware.
Permalink  |
photo
ohiotechie
Better dead than red...
605 Fans
07:50 AM on 03/18/2011
It's not the operating system costs that would be expensive in switching to Linux - it's the application costs and that would be massive. People have spent hundreds of billions of dollars on their current applications to say nothing of the data that's archived for them, and this would all have to change with a mass migration to Linux. That would be immensely expensive. Retraining costs and changes to processes would also be expensive.

Yes, Android devices have a Linux kernel but for most people it's application environment was a greenfield - there wasn't something existing in place for those apps so it was simple to download what you needed. Migration away from that to something else would not be so simple. Linux malware exists and attacks to multi-platform applications like Acrobat have skyrocketed in the last year or so. Android malware is already starting to propagate - all of this demonstrates that neither Linux nor the various off shoots of Linux are impervious to threats so your contention that this migration would solve our issues is misguided.

Defense in depth can bring the level of security where it needs to be without a massive migration. The problem lies not in the ability but the will. Until this becomes mandatory (like we saw with PCI) it can and will get pushed to the back burner. Any mandatory regulations have to be meaningful so that we can learn from the holes in PCI - it has to be more than simply
Permalink  |
photo
factsaboutchina
146 Fans
 
04:22 AM on 03/18/2011
I have absolutely no qualms with the size of our defense budget. It is where our tax dollars go that I have a problem with. The US needs to heavily invest in cyber defense and offense. On top of that US soldiers must be paid more, a lot more. It is absurd that the US unprepared for a cyber attack from China. The US should have the best defense tech in the world - there are no excuses.
Permalink  |
HUFFPOST SUPER USER
Steven Travis
Just killing time
158 Fans
08:28 PM on 03/20/2011
We can't do any of that - we spent all our money on mercenaries (oops - I meant contractors)
Permalink  |
lodger16x
837 Fans
03:43 AM on 03/18/2011
It is a great paradox that " free market" corporations, who according to our right-wing populists are the very antithesis of government, expect "Big Gummin " to solve their security problems, but they don't want to pay any taxes, of course.
Permalink  |
photo
HUFFPOST SUPER USER
Lindstr7
884 Fans
 
12:45 AM on 03/18/2011
I guess the pentagon should know of such dangers.....Stuxnet is a good example. Good thing it wasn't aimed at OUR nuclear program.
Permalink  |
photo
zoemax
18 Fans
 
11:18 PM on 03/17/2011
DUH! Security in any corporation is the first to go.

Einstein 3 is a sophisticated system that will detect and automatically block intrusions.

The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.

Block em to the left, Block em to the Right - Watch the Blind side.
Permalink  |
photo
zoemax
18 Fans
 
11:03 PM on 03/17/2011
WE ARE LEGION!
Permalink  |
photo
HUFFPOST SUPER USER
Danek Greori
149 Fans
10:35 PM on 03/17/2011
The could remedy their problems in just a few steps: (1) Stop prefixing every computer-related event with the word "cyber"; The year is 2011, not 1989. The word "cyber" screams 1990s retro tech (Even hackers are reluctant to use "cyber" in any context). (2) Start learning from your attackers. People think that when law enforcement finds a hacker that suddenly that hacker gets invited to join some govt agency "hacking for good", but that doesn't really ever happen except for a few cases. I won't go in depth; but my experience was nearly serving jail time, and instead getting put on probation and several years of ridiculous restrictions in my day-to-day life. (3) Spend your budget intelligently. They claim the future of warfare is all going to be electronic; if that is the future why do they spend the majority of their hundreds of billions of dollars investing in advanced physical weaponry to use against native peoples with nothing more guns and sticks to fight back.

I don't disagree with their view of the future, or their unpreparedness; but if they are unprepared it's entirely because they seem content to be so.
Permalink  |
photo
HUFFPOST SUPER USER
Lindstr7
884 Fans
 
12:55 AM on 03/18/2011
well said young man!
Permalink  |
This user has chosen to opt out of the Badges program
photo
NHBill
581 Fans
10:19 PM on 03/17/2011
We spend Obscene amounts of money on the pentagon and we are not prepared for Cyber Attacks?
Don't spend more dough.
Start firing people!
Permalink  |
Page: 1 2  Next ›  Last »  (2 total)