WASHINGTON (AP) — America’s critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday.
Richard Clarke, a top adviser to three presidents, joined a number of U.S. military and civilian experts in offering a dire assessment of America’s cybersecurity at a conference, saying the country simply can’t protect its critical networks.
Network hardening is not all that difficult. Armor plating servers from penetration is again, not all that difficult. The problem is in the commercial software the military uses. It’s not nuclear hardened software. It’s not even firecracker safe software. It’s commercial grade junk we all have been putting up with for many years. But that’s not the only issue facing the nations cyber systems. A breach can come from many sources. It can come from outside, as well as from the inside. It can also come from sources that are not readily apparent as Stuxnet proved that as well as the lunacy surrounding the recent “Drone” hack. The difference between the two hacks is Stuxnet was brilliant, the drone attack was stupid, as it was a common gamers hack.
I know of a “security group” that has been operating on the net for many years. Their network is impenetrable. Why? Because it is a ghost network. It exists, but yet cannot be found. Firewalls cannot stop it as it’s path through such barriers is hidden in server protocols that are considered noise and therefore ignored. I cannot go into greater technical detail for obvious reasons but I can say that after 9 years of operation this network has never been scanned or penetrated. It is not visible to the Internet, but it is part of the Internet.
The problem is, as I see it anyway from my advantage point of being an Internet dinosaur is one of attitude and experience level. When I looked into a typical IT operation run by the government (as part of my business) I immediately saw a glaring problem with the departments. All personnel were enthusiastic about their work and competent to a degree. Unfortunately their ego’s were bigger than their skill level and experience. When I would ask somewhat complex network orientated questions I often times received blank stares (nobody home syndrome) which I found troubling. Then I noticed something else .. no gray hair.
The Cyber command has unique issues in that personnel come and go constantly. This cannot help the experience level issue at all. Personnel, both military and civilian, need to stay on the job and not be shuttled around like cattle. Retention of military operators is as well an issue and needs to be augmented with senior civilian staff that does not change. As for the command staff, well hands on experience would be nice.
At any rate. I fail to see Mr. Clark’s concern. Intel knows where the enemies cyber centers are. They will be targeted on the first wave by cruise missiles. So will the telecommunications infrastructure. Retaliation of a cyber kind cannot be accomplished from a smoking hole in the ground. Mr. Clark knows this. Which begs the question, what is the motive behind this rhetoric? My guess .. more funding. Taxpayers are paying through the nose for so-called “Experts in security”, we are not getting our money’s worth obviously, Anonymous was kind enough to show us that and I for one am a bit upset over a network structure that is so easily penetrated. I want my money back.