The good, the bad, and the ugly in the Pentagon's Cyberstrategy
Monday, 30 August 2010 22:10

William Lynn, the US Deputy Secretary of Defense, wrote the most succinct description of the US Pentagon Cyberstrategy yet in the September/October issue of Foreign Affairs. Here are the good, the bad, and the ugly components of that strategy.

The good.  Lynn begins by acknowledging successful cyber attacks against the US military, in particular the intrusion via USB thumb drives that occurred in the fall of 2008. This intrusion led to the Pentagon making an unprecedented move to ban USB thumb drives from the military, a ban that was only rescinded in February 2010.  The cleanup effort to recover from the widespread worm infection, which Lynn claims was initiated in a Mideast base by foreign agents, was dubbed Operation Buckshot Yankee (OBY) in the Defense Department and Operation Rampart Yankee in the Army.


Lynn also states “To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.”  This is an important acknowledgement and reflects the state of cyber defense for every organization.  There is no single technology solution to be deployed that will counter all threats, and even the latest and greatest technology will not defend against tomorrow's attack methodologies.


Deterrence has been the subject of many recent reports coming from think tanks and cyber commissions.  Most have taken the view that cyber offensive or retaliatory measures must be in place to deter assailants.  I like Lynn’s take:

“deterrence will necessarily be based more on denying benefit to attackers than on imposing costs through retaliation.”

In other words, a strong defense is the best cyber defense.


Lynn also addresses the issue of international cooperation: “If there are to be international norms of behavior in cyberspace, they may have to follow a different model, such as that of public health or law enforcement.”  Agree.

I can find no fault with Lynn’s summary:


“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run the United States' critical infrastructure; to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe so that its revolutionary innovations can enhance both the United States' national security and its economic security.”

Operation Buckshot Yankee (OBY) Perspective & AFNETOPS Hand-off to AFSPC
The bad. Even after highlighting the problems facing the Defense Department, Lynn makes the argument that the Pentagon must leverage its ten years of concerted investment in cyberdefense to support broader efforts to protect critical infrastructure. Yet the two areas that he suggests the DoD has made headway in are computer hygiene (keeping anti-virus and firewalls up to date) and “sensors which detect and map intrusions.” As I am the one most often associated with criticism of these sensors (IDS), I must point out that while they sound sexy, the industry has moved way beyond signature-based intrusion detection.  There is no argument that a massive government initiative could provide some interesting intelligence about the source and methods used by attackers if they deployed sensors on the 15,000 networks Lynn says they have.  But the effort will not do anything to stop those attacks today, when there are many technologies that will.  If the most that DoD can offer to protect critical infrastructure is IDS and anti-virus updates, we have a problem.

The ugly.

Back to Operation Buckshot and Rampart Yankee.  Wired questions the attribution to foreign agents for the attack.  If such claims are to be made the Defense Department is going to have to do more to make visible the results of their forensic work.

There is no question that the cleanup activity truly turned Pentagon resources out in a massive effort.  One Army base awarded four IT personnel special medals for the work they did to reimage all of the computers on an entire base.  If universal reimaging was the response to a spreading worm there is much yet to be done within DoD to update its security practices.


Apparently the military has recognized some of the work needed and even states in the DoD Fiscal Year 2011 IT President's Budget Request dated March 9, 2010:

“The AF (Air Force) Network Action Plan is designed to reinvigorate operational rigor and address lingering systemic issues in the AF Global Information Grid highlighted by the Operation BUCKSHOT YANKEE”


Those “lingering systemic issues” apparently include the lack of ability to use networks to communicate effectively that created the widespread use of USB thumb drives.
Barry Rosenberg interviewed Lt. General Jeffrey Sorenson, August 10, 2009:



“When the dictate was put out that thumb drives were no longer going to be allowed, it did have some operational implications because this was how different orders, missions and organizational information were transmitted from headquarter to headquarter. Over time, we’ve had to go back and look at how we transfer data, and, clearly, the use of the thumb drive was one of these expedient methods by which information was passed between computers because we didn’t have a system set up properly to transfer the data.

And there is the whole concept of the network service center, by which data can be forward-staged and transmitted via the network as opposed to people picking up their hard drives, or, in this case, what used to be thumb drives or servers, and moving them. We’re still a number of years in the future before we have a net-centric or net-enabled capability that can be used to share data.

In many cases, as we’ve learned through the most recent Army “Rampart Yankee” and [Defense Department] “Buckshot Yankee” exercise — where we had to go off and remediate computer systems because of some infected thumb drives — that was a rather laborious, manually intensive effort to essentially achieve a capability that we would like to have, which would be machine-to-machine.”


This raises the almost insurmountable prospect of an IT infrastructure stuck in the ‘90s.
The effort to modernize includes a plan to consolidate Active Directories as well.  Lt. General Sorenson states here that 17 trees and 5 rogues (with that number climbing) exist within the Air Force alone.  User identity directory consolidation was a big issue in 2003.  If the military has standardized on Microsoft and is only now moving to a consolidated directory structure, they have a long road ahead of them in modernizing their IT operations.


Lynn has set the stage for the creation of a concise Cyberstrategy for the Pentagon.  Now they need to follow through on defending their networks at least up to industry standards.


 
Intel announces intent to acquire McAfee
Thursday, 19 August 2010 17:44


Some deals just don’t make sense.  Some have underlying motivations that are not immediately apparent.  Intel’s announced intention to acquire McAfee for $7.68 billion is a deal that does not make sense no matter what perspective you take.


Technology acquisition. One argument put forth by analysts so far is that by acquiring a market-leading anti-virus software company Intel will be able to add security features to their core business, chips.  $7 billion is a lot to pay for technology when there are 27 such technology companies that would cost less to acquire (Symantec, of course, being more expensive).  Intel could acquire one of many anti-malware companies that have arguably better technology, better research, and much less baggage.


Brand enhancement. While there is a good argument to be made for technology vendors to acquire security companies to enhance their brands (EMC + RSA a notable example) Intel is not going to accomplish that by acquiring McAfee.  Intel already has one of the most recognized brands in all of technology and they have no negative perceptions because of a lack of security association.  Intel is highly respected across the board and is rarely faulted for lack of security.  This acquisition does not bolster their brand at all. If anything it dilutes Intel’s brand.


Government play. With a tremendous increase in government spending on cyber security projected, one could argue that acquiring McAfee gives Intel a piece of the action. McAfee’s EPO desktop security suite is already shortlisted within most of the US Defense Department, and the firewall business McAfee acquired with their Secure Computing acquisition has a large federal component.  But Intel is already entrenched in all aspects of state, local and federal government in almost every country in the world with their ubiquitous CPUs.  Intel needs no help getting government business.

Network play. McAfee has invested considerable time and effort in revamping the Secure Computing line into a credible network security play.  They also have one of the largest install bases of Intrusion Prevention (IPS) solutions.  Will Intel work to enhance those network security products by supporting multi-core architectures in them?  What does that mean to every other networking company that could have been big consumers of Intel CPUs?  How will they feel about using chips from a direct competitor?  And if the acquisition is a networking play, why would Intel put McAfee in their Software and Services division?


Investment. In the tradition of conglomerates and holding companies this acquisition could be viewed as an investment in the relatively stable security industry.  The plan would be to streamline operations and increase profitability.  Is Intel really trying to become the next GE or ITT?  Is that its core strength? Did it look at other investment opportunities?  I understand beach front property on the Gulf coast is looking pretty good right now.

At $7.68 billion this is the biggest acquisition of a pure-play security company ever. It is also the worst. There is no synergy, no channel benefits, marginal revenue enhancement (considering the price), no new markets, and no meaningful strategy.

 

 

 