The Pentagon can’t defend its own defense networks, what with them being “as porous as a colander,” according to Richard Clarke.
Clarke is the former White House counterterrorism chief who’s turned into what Wired calls a cybersecurity Cassandra. Wired quoted Clarke as he addressed a packed ballroom at the first-ever DARPA Cyber Colloquium on Monday.
At the conference, officials of the Defense Advanced Research Projects Agency pleaded with hackers to help them out and said that the agency plans to boost spending as it battles unnamed adversaries in cyberspace.
Regina Dugan, DARPA director, addressed an audience that comprised what the agency called “visionary hackers,” academics and others, according to a Reuters story.
Ms. Dugan contended that the military needs “more and better options” to meet cyber threats to a growing range of industrial and other systems controlled by computers vulnerable to penetration, including cars with advanced computer diagnostic boards. Of concern are brakes, accelerators, steering and other modern car systems that “we need to worry about” because they could be remotely hacked via such diagnostic controls, said another DARPA program manager.
While the Defense Department has long been recruiting hackers, it now appears that DARPA is looking for a transfusion of ponytailed, t-shirt-wearing visionaries at every level.
Ms. Dugan described a desire to plug in “the efforts of technical experts at unprecedented levels, including at the development of policy and legal frameworks,” Wired quoted her as saying, “on timescales that correspond with the dynamic nature of advances in cyberspace.”
DARPA officials said the country is at risk particularly since the playing field is far from level. Layered security defenses have grown increasingly bloated, according to a recent in-house analysis, while attackers operate with lean, mean malware.
The agency’s analysis reports that some security packages are weighing in at an eye-popping 10 million lines of code, while malicious software on average runs on a whip-thin 125 lines.
To combat such threats, DARPA officials called for an increase in the development of both cyber defensive technologies and offensive weapon systems.
“Modern warfare will demand the effective use of cyber, kinetic and combined cyber and kinetic means,” Reuters quoted Dugan as saying. “Kinetic” is military shorthand for traditional weapons, including bombs, missiles and tanks.
At a time when much of the U.S. military is cutting spending, DARPA is planning to fatten its budget by a whopping 73% to recruit hackers and to fund research into “more and better” weapons that can fend off cyber assault and enable the launch of attacks from a keyboard.
DARPA’s budget request for fiscal 2012, which began October 1, called for its cyber research funding to increase more than 73 percent, to $208 million from $120 million. The agency plans to increase spending on cyber research from 8 to 12 percent of its budget over the coming five years.
This is just the latest in an increasingly vigorous clamor over cyber defense in the U.S. Recent headlines have included one Congressional report of hackers targeting U.S. government satellites, with another Congressional report charging China and Russia with technology and trade espionage.
The espionage report, titled Foreign Spies Stealing US Economic Secrets in Cyberspace, was released on Thursday by the Office of the National Counterintelligence Executive. It highlighted two vectors for increased threats: portable Internet devices and a growing cultural numbness to the dangers of sharing information.
“Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage,” the report reads. “The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information.”
In addition, the report claims that the U.S. workforce “will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever.”
While cultural slackening of emphasis on privacy or data protection sounds about right, it’s hard to imagine why the Office of the National Counterintelligence Executive would forecast it as a future trend when it seems to have manifested in the present.
Indeed, it is high time to hire security talent en masse. Ponytailed visionaries, brush off your resumes. There are too many of us whose eyes have glazed over at the difficulty of attaining online privacy, and with this new culture have indeed come porous networks, porous information sharing and porous security. At risk are trade and technology secrets as well as crucial infrastructure.
SOS. We need you.
Does anyone else feel that it cheapens the whole message by characterizing visionary security professionals as “ponytailed” — inferring that it’s the young spotty geeky guys that are what’s needed here?
Fully a third of the latest security certification class I took was populated by women, and both genders encompassed a wide range of ages, backgrounds, ethnicities and experiences — all in a group of 10 people.
Sure there will always be young visionary guys (and I applaud them) but a huge disservice is done to all other brilliant and valuable security visionaries to continue to fuel such boring and tired stereotypes.
We might as well continue suggesting that all the black-hat hackers are ponytailed kids in their bedrooms too.
I hope that educational establishments, industry, government and other bodies (yes, media too) relevant to this effort support a culture of fostering security expertise across the widest possible range of demographics in order to get us closer to where we need to be with security and privacy. Only then will we have the foundation we need to truly protect ourselves as a global society.
I'm sorry. You're absolutely right, I did use a cliché. Mea culpa, I'll iron that crap out next time.
If you can’t beat them, join them!
Don't waste your time
The problem is that they have government contractors reviewing potential solutions. The same people who are incapable of coming up with workable solutions themselves. So what makes anyone think they would know a good solution, even if it bit them in the a**?
DARPA announced a grant program for this last August at Black Hat. We spent a month crafting an RA for developing a solution based upon formal methods that would change the advantage from the attacker to the defender. Even if we were full of it, you'd think DARPA would want to know more, in case we weren't. We got a form letter rejection for "Mudge". Am I bitter I spent a month trying to help out the DoD? You bet. I have better things to do.
It reminds me of when the Web was first emerging and I was getting my MBA – Andersen Consulting came to our school with a "contest" to see who could come up with the best business model for the Web. Anyone know where AC is now? The DoD needs a good shot of Darwin.
The POSSE project (ten years ago) would likely have avoided the current DARPA embarrassment.
If DARPA really needs help with this then they can call the FBI and Justice Department in Tucson, Arizona asking for a REASON (not an excuse) why the information I gave them in 2006 relating to this was not acted upon. I get more and more information as time wears on and I feel the FBI has turned a deaf ear to it all – including how it relates to the Sept 11 attack.
Sad to see so many looking for a solution, but ignoring a person who has information they simply refuse to investigate because of prejudices.