Buried in the lengthy National Defense Authorization Act for Fiscal Year 2012, the $622 billion defense spending bill which was signed into law by President Obama on Dec. 31, 2011, are some interesting nuggets about how the U.S. military wants to expand its cyber-defense strategy over the course of this year.
For one thing, the law amends Title 10 of the United States Code to let the secretary of defense temporarily assign a member of a foreign country's military forces to a U.S. Department of Defense (DOD) organization "for the purpose of assisting the member to obtain education and training to improve the member's ability to understand and respond to information security threats, vulnerabilities of information security systems, and the consequences of information security incidents."
The Secretary of Defense is allowed to pay the expenses of foreign personnel temporarily assigned to the U.S. military under this "fellowship" program when doing so is in the interests of national security. The new law says the secretary of defense has to submit to Congress within a year a report evaluating the "feasibility and benefits of expanding the fellowship program" authorized under what is now Section 1051c of Title 10, United States Code, "to include ministry of defense officials, security officials, or other civilian officials of foreign countries." In other words, the U.S. military is looking at bringing foreign allies into cooperative military cyber-defense.
Another section of the defense authorization bill calls for the secretary of defense to advance its cybersecurity strategy by obtaining "advanced capabilities to discover and isolate penetrations and attacks that were previously unknown and for which signatures have not been developed for incorporation into computer intrusion detection and prevention systems and anti-virus software systems." The capability called for is to "enable well-trained analysts to discover the sophisticated attacks by nation-state adversaries that are categorized as 'advanced persistent threats.'" APTs are generally considered to be stealthy cyber-infiltrations aimed at stealing highly sensitive data.
It's hardly surprising that the DOD, which has already formed a U.S. Cyber Command led by NSA Director Gen. Keith Alexander, would try to put fresh emphasis on APTs given widespread evidence that China, for one, is attacking corporate and military networks. But it also appears the DOD wants to engage the larger Internet Service Providers as well in watching for APTs. Not only are there to be "network-layer gateways operated by the Defense Information Systems Agency where the Dept. of Defense network connects to the public Internet," it's also viewed as "appropriate" to involve "global networks owned and operated by private sector Tier 1 Internet Service Providers" in the anti-APT effort. These larger ISPs, and perhaps other types of companies, would contribute "behavior-based threat detection capabilities."
These APT-focused capabilities are to be acquired from commercial sources, according to the defense authorization bill, and there's to be "consideration" given to the needs of other federal agencies as well as state and local governments, plus "critical infrastructure owned and operated by the private sector."
The bill advocates a wide deployment of APT-monitoring and blocking systems across the DOD "to improve the ability of the United States Cyber Command" to ensure security and correlate data collected "at host or endpoint, at the network gateways, and by Internet Service Providers in order to discover new attacks reliably and rapidly." After testing and pilot projects, the DOD is supposed to report back to congressional defense subcommittees about a plan for all this by no later than April 1. Of course, just because that's April Fools' Day doesn't mean anyone should consider it a joke.
In fact, the former inspector general of the NSA and chief of counterintelligence for the director of National Intelligence, Joel Brenner, paints a dismal picture of the country's ability to ward off cyberattacks and APTs from China in his new book, "America the Vulnerable." "They're big-game hunters, they know what they're going after," he writes. The Wall Street Journal also had an interesting piece this week on China, missile buildup and cyber-strategy.
We just finished compiling the "security snafus" of 2011, and now 2012 starts out with another big one: The source code for two of Symantec's older desktop anti-malware products was stolen from a third-party server by a hacker group calling itself Lords of Dharmaraja.
Symantec has confirmed that segments of the source code for its older Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2 had been posted online by hackers who apparently breached the network of a third party which Symantec didn't disclose. However, comments posted by one of the hackers, "Yama Tough," probably from India, suggest the server that was breached is owned by the government of India. For a variety of reasons, some governments require companies to submit their source code for inspection.
Symantec's flagship software, Symantec Endpoint Protection, is now in its 12th version. Symantec has indicated it is developing a so-called "remediation process" for customers still using the older versions of its products for which the source code was stolen. This suggests Symantec itself is concerned about the security implications of the source-code theft. However, others in the security industry reacted to the hacking event with relatively little alarm.
"What we're looking at here is more in line with public humiliation," said Anup Ghosh, chief executive officer at Fairfax, Va.-based browser-security vendor Invincea. He said it's not likely that the theft of source code would necessarily weaken the Symantec endpoint anti-malware products, especially since it's already widespread knowledge among attackers who write malware how to evade antivirus software in general. "I just don't think it changes the dynamics that much," he said. "It's not a game-changer."
However, Mike Lloyd, chief technology officer at RedSeal Networks, points out the breach does raise questions about how to address the security of your own corporate data when it sits in the networks of business partners and others. "The fact that Symantec suffered a breach due to lax protections in someone else's network is a significant wake-up call," he says. "It is not enough to ensure you follow best practices; in an interconnected world, you have to worry about the security of other organizations."
Happy New Year: Microsoft to have big January Patch Tuesday
From Computerworld: Microsoft said it would deliver seven security updates next week -- tying the record for January -- to patch eight vulnerabilities in Windows and its developer tools. But the company declined to confirm that the Jan. 10 slate will include a patch pulled at the last minute a month ago. One of the seven updates was tagged "critical," the highest threat ranking in Microsoft's four-step system, while the others were marked "important," the second-highest rating, even though some of them could conceivably be exploited by attackers to plant malware on users' PCs.
Department of Energy developing project to reinforce grid cybersecurity
The government is trying once again to whip the key players behind the country's electrical grid into a security force that can defend against mounting cyberthreats. The U.S. Department of Energy announced what it calls an Electric Sector Cybersecurity Risk Management Maturity project that will let utility companies and grid operators measure their current capabilities and analyze gaps in their cyber defenses. Maturity models, the DOE stated, rely on best practices to identify an organization's strengths and weaknesses, and are widely used by other sectors to improve performance, efficiency and quality.
The initiative, which will involve officials from the Energy Department, the White House, the Department of Homeland Security and key utility companies, will over the next several months draft a maturity model that can be used throughout the electric sector. More than a dozen electric utilities and grid operators are expected to participate in the pilot program to test the model, assess its effectiveness and validate results. This program will help develop a risk management maturity model that is expected to be made available to the electric sector later this summer, the DOE stated.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.