Think U.S. military computer networks are secure? Think again. A panel of computer security experts from across the U.S. government told a U.S. Senate committee yesterday that computer networks operated by the U.S. Department of Defense are so thoroughly compromised by spies from other nations that there’s almost no point in trying to keep them out.
At a meeting in Washington, the Senate Armed Services Subcommittee on Emerging Threats and Capabilities heard testimony from experts that, in summary, goes like this: The attackers already have access to the systems, so rather than trying to lock them out, the task now is to manage them. Just as in the real world, spies are going to get into the country whether you want them to or not. So, knowing that they’re there, it makes more sense to make their day-to-day spying activities as difficult and costly as you can. By contrast, DOD security practices currently focus on trying to keep intruders out.
“I think we have to go to a model where we assume that the adversary is in our networks,” James Peery, director of the Information Systems Analysis Center at the Sandia National Lab, told legislators, as reported by Threatpost, a blog produced by security firm Kaspersky Labs. “They’re on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”
The hearing echoed some things we’ve been hearing on the security front from the likes of Art Coviello, the EMC vice president and former CEO of RSA Security, who spoke to AllThingsD recently.
Current practice calls for perimeter-based defenses that aim to put a defensive ring around a network to keep intruders out. That approach is out of date and in need of a significant rethink, the panelists said. It should be noted that most of the agencies represented at the hearing were doing what government executives usually do when they go before the U.S. Senate: jockeying for more funding.
The one exception was Michael Wertheimer, director of research and development at the super-secret National Security Agency (NSA), an agency whose budget is classified to begin with. He said that current funding levels are sufficient, but that the money needs to be spent more wisely. Then again, the NSA just built a massive data center in the Utah desert, which didn’t exactly come cheap.