Consider this a followup to yesterday’s post about the abysmal state of our cyberdefenses, and about how the last thing we should be doing is cutting the budget for electronic warfare. This morning, Deputy Defense Secretary William J. Lynn III rolled out the Pentagon’s newest new cyberstrategy (cue this post about DOD’s fixation on changing management schemes), and as part of the rollout, he related an anecdote from March.
Apparently, someone penetrated the Pentagon’s computers and transferred 24,000 files to parts unknown. Oops:
The Defense Department lost 24,000 files to “foreign intruders” in the spring in what appears to be one of the most damaging cyberattacks to date on the U.S. military, a top Pentagon official acknowledged Thursday. But Lynn said that, over the past few years, all manner of data has been stolen, some of it mundane, some of it concerning “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols… It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies,” Lynn said.
The article goes on to note how in 2008 malicious code penetrated classified Pentagon servers after someone stuck an infected thumb drive into their laptop. The phrase “digital beachhead” makes an appearance, as does the phrase “spread undetected.” Terrific.
In other news, the hacking group Anonymous stole 90,000 military emails and passwords from Booz Allen Hamilton last week and released them on Monday. Someone in the company forgot to lock down a server properly, and that was all it took. The concern is that those same email/password combinations will work on multiple systems – because no one ever listens to security specialists who advise against reusing passwords on multiple accounts – which would expose classified systems. Presumably that risk has been mitigated, and everyone affected has changed vulnerable passwords. But the incident raises a more fundamental question: given that this unsecured server was just sitting there on the Internet, how many “foreign intruders” got there before Anonymous did? And how long did they have to test out the emails and passwords they lifted?
I’m borrowing this analogy from a CSIS briefing paper, but if someone backed a truck into the Pentagon, smashed out all the windows, loaded the truck with 24,000 files, and then drove away – that’s something that would make the news. People would mention it. But because we don’t appreciate the extent or impact of ongoing cyberwarfare, the March incident won’t even be a blip in the news cycle. It’s positively surreal.
The only thing that’s more surreal is the suggestion we should shift resources away from cybersecurity and into entitlements, lest someone ask seniors to wait a few more months before they become eligible for Medicare. What an unmitigated disaster that would be.