Cyberdefenses not ready to handle 'electronic Pearl Harbor,' experts say
By GEOFF ZIEZULEWICZ | STARS AND STRIPES Published: June 2, 2011
NAPLES, Italy – The breach of Google’s Gmail accounts comes only a week after U.S. defense contractor Lockheed Martin announced that it had weathered a “sustained and tenacious” hack on its computer networks. Cybersecurity experts say that while such attacks are worrisome, they are not surprising and are indicative of the need to strengthen cyberdefenses, particularly in private-sector businesses that have access to sensitive information.
Lockheed does a lot of business with the Pentagon, building missile defense components, fighter jets and a bevy of other products that led to sales of $45 billion in 2010 alone.
All that business brings a lot of juicy information to its networks, data on the cutting-edge technology that gives the American military its edge in the world.
Data that other countries would love to have.
Google said senior U.S. government officials and military personnel were among those whose personal Gmail accounts were broken into.
In an email to Lockheed employees that was posted on the company’s Web site after the May 21 incident, Chief Information Officer Sondra Barbour wrote that the company implemented a plan to strengthen its IT security after this latest intrusion.
“There has been no compromise of our customer, program or employees’ personal data,” Barbour wrote. “In this new reality we are a frequent target of adversaries around the world.”
Analysts say the U.S. has faced what some call an “electronic Pearl Harbor” over the past decade, a pilfering of American economic and intellectual property via computer hacking that bypasses government cyberdefenses.
“Over the past decade, we have seen the frequency and sophistication of intrusions into our networks increased,” James Miller, the principal deputy undersecretary of defense for policy, said last year. “Our networks are scanned thousands of times an hour.”
Despite the establishment last year of U.S. Cyber Command, critics say America’s cyberdefenses are still embryonic. While initial steps are being taken, the Pentagon has no cyberdefense best practices in place for the defense industry, according to Alan Paller, director of research at the SANS Institute, a consortium for information security training and development.
The Defense Department’s cybercrimes center does meet regularly with its 30 largest contractors, including Lockheed, to share data and solutions, Paller said.
“But it’s a voluntary program,” he said, adding that participation varies among the companies involved. “Some of the contractors give it more lip service.”
Lockheed Martin and CYBERCOM representatives did not respond to requests for comment for this story.
The Wall Street Journal reported in 2009 that Lockheed suffered a similar breach. Data on the Pentagon’s pricey and politically troubled next-generation Joint Strike Fighter program was stolen in the process, according to the Journal. Lockheed and the Pentagon denied the claims.
“Some of the data that was stolen was used to construct weapons systems by other countries using our technology,” Paller said of the incident. “Stealing from them is much more cost-effective for other nations than stealing from the DOD.”
Although it is not known who is behind this latest cyberattack on Lockheed, Dr. Daniel Kuehl, head of the National Defense University’s Information Strategies Concentration Program, said: “I suspect the answer is that ‘Casablanca’ line: ‘Round up the usual suspects.’”
Russia and China are believed to have been behind many of the most high-profile cyberincidents in recent years, Kuehl said.
Georgia blamed Russia for cyberattacks against its networks before and during their brief 2008 war. Russian hackers are also believed to have been responsible for a blitz of Estonia’s networks in 2007, which kicked off after local authorities removed a Soviet Union-era statue.
China is a decade into melding its cyber capabilities with traditional military applications in an attempt to broaden the country’s global reach, according to a 2009 report by defense company Northrop Grumman.
Google blamed hackers in China for the latest breach of its Gmail accounts, as well as a previous attempt on its network. China denied on Thursday that it supports hacking and said such allegations were “unfounded.”
“The chances of it not being either one of them or someone working for them is pretty small,” Kuehl said. “Whatever Lockheed Martin is working on and whatever they’ve had stolen, I’m confident ‘Kabukistan’ didn’t need to do it.”
Cyberespionage is much easier when a target’s defenses are subpar, Kuehl said.
“I don’t mind the Russians and Chinese spying on us, that’s their job,” he said. “I mind us helping them.”
As a private company, Lockheed does not have to publicly disclose if the May 21 hack resulted in data theft. But even if sensitive data was stolen, Kuehl said, Lockheed might never admit it.
There is an “understandable unwillingness of corporate entities to stand up and say, ‘We got hit,’” he said. “There are all kinds of real-world economic disincentives to do that.”
Cybersecurity is a problem that requires openness and collaboration, but companies are hard-pressed to do that for a variety of reasons, Kuehl said. Collaborate too much, he said, and you might violate anti-trust laws.
But these discussions need to be had when it comes to cybersecurity, he said. “A threat to one is a threat to all.”
And the defense industry has generally been more open to government partnership than other American industries, the analysts said.
“Those kinds of industries are more willing to partner with, and partner rather vigorously, with the DOD in that area because that’s where their bread is buttered,” Kuehl said.
But Paller said the defense industry has only gone so far.
The industry has been in favor of “network monitoring,” which Paller said is a system that looks outward for any threats coming into a company’s computer network via the Internet.
But defense companies have been reluctant to adopt so-called “system monitoring,” where the government monitors a corporation’s internal systems to make sure its defenses remain up to par, he said.
By analogy, Paller said: “One is watching traffic around you, one is watching the systems of your car.”
In the fluid and changing cyberrealm, the latest attacks are indicative of the challenges the government faces, Kuehl said.
“We have a first-wave Constitution to guide the workings of a second-wave economy while we’re living in a third-wave world,” he said. “How you bring all those players together is getting to be more challenging.”