The Defense Department’s (DoD) computer networks have been totally compromised by foreign spies, according to federal cybersecurity experts. The experts, speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, say current efforts to protect those networks are misguided at best.
Those expert claim that the billions spent by the government on cybersecurity have provided only a limited increase in protection; attackers can penetrate DoD networks; and the defense supply chain and physical systems are at high risk of attack.
James Peery, director of Sandia National Labs’ Information Systems Analysis Center, told the committee. “We’ve got the wrong model here. … I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway."
The DoD has layered security onto a uniform architecture which only protects against known threats and doesn’t adapt to new ones, according to Acting Director of the Defense Advanced Research Projects Agency (DARPA) Kaigham Gabriel. The offensive situation is no better, he warned, because the DoD has merely tried to scale up its intelligence-based cyber capability–which is a long way from actually giving the Pentagon an offensive threat.
“DoD is capability-limited in cyber, both defensively and offensively,” Gabriel told the panel. “We need to change that.”
It is difficult to know how many of these warnings are hyperbole, since some, but not all of them, were accompanied by pleas for more funding. Michael Wertheimer, director of research and development at the National Security Agency (NSA) said proposed 2013 funding levels are adequate and that the government just needed to spend it more wisely. The NSA is one of several agencies with budgets that can only be speculated on because they are kept top secret.
So, the DoD can’t protect its networks but we're supposed to think the Department of Homeland Security (DHS) will be able to protect those in the private sector? That legislation is still out there, and it's making me more nervous every day.