Lt. Col. Tim Sands (from left), Capt. Jon Smith and Lt. Col. John Arnold monitor a simulated test in the Central Control Facility at Eglin Air Force Base, Fla. (Carrie Kessler/Courtesy of the U.S. Air Force)
WASHINGTON — Long-standing U.S. cyberdefense strategies may be making things worse, leaving the nation and the Department of Defense susceptible to surprise attack while failing to guard secrets and intellectual property, top Defense Department cyber and technology leaders said Tuesday.
General Keith Alexander, head of the National Security Agency and U.S. Cyber Command, said network protection too often is like setting up a digital castle and hunkering down inside, waiting for attackers.
“They find a vulnerability, they penetrate the network, we find out about it several months later.” Alexander said at a cybersecurity conference presented by the DARPA, DOD’s advanced technology research arm. “We diagnose the malware, we set up the signature, we clean up our systems, we get everything set again and wait for the next exploitation,”
But that strategy is not working, DARPA Director Regina E. Dugan said. She cited a DARPA study showing an exponential increase in the size of antivirus software — from several thousand to about 10 million lines of computer code over the years. But the worms and viruses themselves have remained remarkably constant in size at 125 lines on average.
“Ten million lines of code versus 125 lines of code. This is a striking example of why it is currently easier to play offense than defense in cyber,” she said. “But importantly, it also causes us to rethink our approach.”
DARPA, which built the early architecture of the Internet more than 40 years ago, is working on both classified and nonclassified programs to bring innovative approaches to protecting networks, Dugan said, including one that includes self-repairing defenses modeled on biological systems. Another of the agency’s programs attempts to trace the source of attacks using markers that researchers liken to a “cyber genome.”
But in response to requests for operational help from the Pentagon, DARPA will also begin working more on offensive cyber technology, she said.
“Our assessment argues that in cyber, we are capability limited, both defensively and offensively,” she said. “And we need to fix it.”
MIGRATING TO THE CLOUD
Not only do cyberdefense tactics need to change, Alexander said, but perhaps the way the DOD handles computing in general should undergo a major shift.
Currently, Cyber Command oversees security for 15,000 secured networks domains around the world, he said. Each network contains computers that hold potentially sensitive information in a vast number of separate programs. Simply installing the latest security patches can take months.
To find an alternative, the NSA has been doing a wide-scale testing of “cloud computing,” replacing standalone desktop computers that store data locally with Internet devices that connect to a central platform that delivers data and applications via the Internet.
It’s proving cheaper and easier to secure, Alexander said, and NSA and Cyber Command will be pushing cloud computing throughout the entire Defense Department.
“We’ve got to step back and say, is there a better way to do it?” he said. “In my opinion there is, and that’s part of the cloud technology.”
Twitter: ChrisCarroll_
