
DoD Networks Completely Compromised, Experts Say

AZA43 writes "A group of U.S. federal cybersecurity experts recently said the Defense Department's network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks."

  • Best Practice (Score:5, Insightful)

    by jcaldwel ( 935913 ) on Thursday March 22, 2012 @04:09PM (#39444329)
    From TFA:

    “We’ve got the wrong model here. I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

    It's nice to see the DoD finally catching up with basic best software practices.

  • cut the wire (Score:5, Insightful)

    by the_Bionic_lemming ( 446569 ) on Thursday March 22, 2012 @04:10PM (#39444339)

    Why does the network have to be accessible remotely? It should be isolated and need a meat sack to get the information from the system and relay it to the party that needs the information. Same thing with public utilities and such - why is it wired so that someone remote can tap a few buttons and remotely access controls for water plants?

  • Scary (Score:5, Insightful)

    by gmuslera ( 3436 ) * on Thursday March 22, 2012 @04:13PM (#39444375) Homepage Journal
    Surely will convince public opinion that the new measures of surveillance on all internet connections have a good reason and they should give up on privacy forever.
  • by Anonymous Coward on Thursday March 22, 2012 @04:19PM (#39444443)

    Well it's defense so ultimately what this boils down to is: "here's a file that says they're going to kick our ass". Can they do that? "Yes". Well, at least we infiltrated their network so we know our asses are going to get kicked and we can prepare for that. "No we can't, we'd have to move the entire country and kick somebody else's ass to do it. What's more is our network is infiltrated too so they'd know we were going to do it and what's worse is we don't have much ass kicking capability". So. We're dead meat; but we know it in advance. That showed them!

  • by erroneus ( 253617 ) on Thursday March 22, 2012 @04:26PM (#39444513) Homepage

    There is no shortage of "stupid" at the DoD. As every security expert knows, the weakest link is the user. And it doesn't matter how high or low ranking that user may be... in fact it kind of helps if they are "full of themselves" because they tend to demand that restrictions are relaxed so they can have access more easily. There is LOTS and lots of stupid out there.

    And nothing helps more than the fact that running Windows as the standard has. Why? Isn't it obvious? We know from the headlines that every government has been demanding the source code and decryption keys for just about everything. Microsoft, I expect, has been no different when faced with such requirements... we certainly know that's true in the case of RIM. And the source code is now always enough or even completely helpful, but it definitely helps that governments are willing to hire black-hats to find the billions of holes available in the platform EVERYONE USES.

    Sure, Microsoft profits lots... they are what everyone uses... including and especially the weakest links.

  • by FudRucker ( 866063 ) on Thursday March 22, 2012 @04:42PM (#39444663)
    and don't forget the Windows users that insist on logging in and running as admin/root for a regular user account because they don't want to be inconvenienced with having to type in a password for anything

    my own brother runs his PC like that and i explain to him the concept of a multi-user system that has root and user accounts and he just stares off into space with that deer in the headlights look on his face
  • Re:cut the wire (Score:5, Insightful)

    by Whorhay ( 1319089 ) on Thursday March 22, 2012 @05:02PM (#39444913)

    From what I've heard that's mostly true. There are a number of 3 letter agencies that have been known to be so egotistical as to believe they are above the air gap requirements and actually run machines that cross that gap.

    Besides which an air gap is not as foolproof as one might think. Just look at what Stuxnet managed to do to the Iranians' nuclear program. And it would only take a single compromised person on whatever air gapped network to gather the datadumps and send them back to whatever party they work for. Off the top of my head I can think of at least one publicized account of malware being found on an airgapped system that seemingly couldn't be removed.

    Whatever your technical measures and implementations, your security is always limited by the personnel using it. What percentage of people with clearances and access are turnable? It's impossible that it'd be zero, and even at a tenth of a percent it'd mean hundreds or thousands of compromised people and consequently the networks they have access to.

    All this ignores that classified information is often derivable from other non-classified sources.

  • by Whorhay ( 1319089 ) on Thursday March 22, 2012 @05:23PM (#39445155)

    While I agree that I'd like to see the DoD move to more secure technical solutions, I don't think it'd solve the security problem. Like you pointed out, the system is only as good as the people that are using it. And even with a very small percentage of people willing to spy it'd be almost trivial for a foreign government to buy their way into almost any system.

    Prior to 2001 everything was more compartmentalized, which was good for Information Security's sake. But it proved to be bad for our national safety as the CIA wouldn't pass on information about a potential threat to the FBI for what amounts to dick measuring reasons. In the aftermath of 9/11 the policies swung the other way and we end up with Bradley Manning having access to way more information than he needed for his job.

    A proper solution is a multifaceted problem. We need technical systems that are secure and yet still usable by a barely trained 18 to 50 year old volunteer. We need systems designed to be as secure as possible but still interface with each other and work in a timely manner. We need people that are as immune to corruption and insanity as possible. And the hardest part is probably sticking to fights and engagements that don't force those people to question the morality of the job they are tasked with doing.
