US Cyber Defenses Full of Holes

When it comes to cyber attacks, the odds are against us. The National Security Agency’s information assurance director, Richard Schaeffer, told the Senate Judiciary subcommittee that about 80 percent of attacks on our networks can be prevented, which leaves one in five that cannot.

That is “unacceptable,” Sen. Ben Cardin, subcommittee chairman, told Schaeffer and the other government officials testifying before him. “We would never ponder a defense budget that is dependent on an 80 percent success rate.”

A top expert on cyber war and protection who advises Strategic Command on such issues, Kevin Coleman, said the NSA estimate is probably on target. “Bottom line here is I think the NSA is being very forthright in the numbers. They very seldom give those numbers out,” he said, adding that a large percentage of the vulnerabilities probably reside on the commercial side of the network equation. His numbers were sobering.

To start with, recent estimates are that “60 to 70 percent of firewalls are misconfigured. If we would fix that, that would be a huge benefit,” Coleman said.
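Coleman’s firewall figure is the kind of thing a rule-base review turns up, so here is what such a check looks like in practice. The script below is an added example, not code from the article or from anyone quoted in it. It audits a first-match-wins rule list written in a hypothetical five-field syntax (action, source, destination, protocol, port), with a constructed sample rule base, for three mistakes that reviewers see constantly: a blanket any-to-any permit, management ports (SSH, Telnet, RDP) reachable from any source, and shadowed rules that can never match because an earlier rule already catches every packet they would see.

```python
"""Added example: audit a first-match-wins firewall rule list for common
misconfigurations. The five-field rule syntax and SAMPLE_RULES are
constructed for illustration, not taken from any real firewall."""
from ipaddress import ip_network

# Hypothetical syntax: action src dst proto port
# src/dst are IPv4 CIDRs or "any"; port is a number, "lo-hi" or "any".
SAMPLE_RULES = """
allow 10.0.0.0/8 10.0.0.0/8 any any
allow any 10.0.5.10/32 tcp 443
allow any 10.0.5.10/32 tcp 22
deny 10.0.3.0/24 10.0.5.10/32 tcp 22
allow any any any any
allow 192.168.1.0/24 10.0.5.10/32 tcp 3389
"""

ANY_NET = ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}


def parse_rule(line):
    """Parse one rule line into a dict of normalised fields."""
    action, src, dst, proto, port = line.split()
    if port == "any":
        ports = ALL_PORTS
    elif "-" in port:
        lo, hi = port.split("-")
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return {
        "action": action.lower(),
        "src": ANY_NET if src == "any" else ip_network(src),
        "dst": ANY_NET if dst == "any" else ip_network(dst),
        "proto": proto.lower(),
        "ports": ports,
        "text": line,
    }


def load_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    proto_ok = outer["proto"] in ("any", inner["proto"])
    return (proto_ok
            and inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and outer["ports"][0] <= inner["ports"][0]
            and inner["ports"][1] <= outer["ports"][1])


def audit(rules):
    """Return a list of (rule_index, finding, detail) tuples."""
    findings = []
    for i, rule in enumerate(rules):
        # Shadowed rule: an earlier rule already matches everything this one
        # would. Only single-rule shadowing is checked here; a set of
        # narrower earlier rules can also shadow a later one in combination.
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, "shadowed",
                                 f"never matches; rule {j} matches first: {rules[j]['text']}"))
                break
        if rule["action"] != "allow":
            continue
        if (rule["src"] == ANY_NET and rule["dst"] == ANY_NET
                and rule["ports"] == ALL_PORTS):
            findings.append((i, "any-any allow", rule["text"]))
        elif rule["src"] == ANY_NET:
            lo, hi = rule["ports"]
            exposed = [name for p, name in MGMT_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append((i, "management port open to any source",
                                 ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for idx, kind, detail in audit(load_rules(SAMPLE_RULES)):
        print(f"rule {idx}: {kind}: {detail}")
```

On the sample rule base this reports four problems: rule 2 exposes SSH to any source, rule 3 is a deny that rule 0 already shadows, rule 4 is the any-to-any permit, and rule 5 is shadowed by that permit. A real review would also feed the live rule base through the same kind of check rather than the documented one, since the two tend to drift apart.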

Then he discussed the more basic weakness in American networks: code vulnerabilities. According to research he has done, there are roughly 102 million programmers worldwide. At average productivity, which works out to about 1,000 lines each, they produce about 102 billion lines of code per year.

Estimates of defect density vary widely, from 15 to 50 errors per thousand lines of code. “The basic testing we do today eliminates up to about 1 per 10,000 lines of code,” he said, meaning that “10,200 bugs remain in operational code, but we just don’t know where they are. If only 1 percent of those are exploitable that means there are 102 thousand vulnerabilities introduced in the code used today.” (The arithmetic only works if the first figure is 10.2 million rather than 10,200: 102 billion lines at one surviving defect per 10,000 lines is 10.2 million bugs, and 1 percent of that is the 102 thousand he cites.)

Coleman unveiled more worrying statistics. “If you take a look at IBM’s X-Force threat report in 2008 there were 7,406 vulnerabilities analyzed in commercial software. At the end of 2008, 53 percent of those vulnerabilities” had not been patched. “Only about 46 percent of the vulnerabilities identified in 2006 had patches by the end of 2008 and 44 percent of those in 2007 still did not have a patch by the end of 2008.”

Coleman looked at one vulnerability at a Fortune 500 company to see how quickly and effectively they moved to patch it. “From the date the vulnerability was announced to the day the patch was released, and the company was able to test and deploy it was 54 days,” he said. Long pause. “Would you leave your front door unlocked for 54 days?”

NSA is working with Microsoft, Apple, Sun and other companies to lessen the chances of cyber attacks, Schaeffer said in his prepared remarks for the committee. The latest example is the assistance the super-secret agency gave Microsoft as it prepared Windows 7, its latest operating system, for release.

Of course, closing code holes does not begin to address the possible threat from computer chips, the vast majority of which are manufactured in Taiwan and the People’s Republic of China.

At least one foreign intelligence agency is known to have built “additional” code into a line of chips, Coleman said.

“When you look at whether they could compromise us, we’ve got a huge road ahead of us. Have we made progress? Yes, but we are at the first or second step when we have a 100 yard run in front of us,” he said.

One of the enduring debates in the cyber bureaucratic wars has been who will lead US efforts to protect our networks. Currently, the Department of Homeland Security has the lead, a fact that worries Larry Wortzel, China expert and former signals intelligence officer. Wortzel told Cardin’s subcommittee that “DHS should play a substantive role” in cyber. But, “that Department is new, has a broad range of responsibilities, is spread thin, and is still growing into its duties. My understanding is that DHS has run two national cyber exercises. But to my knowledge, there has not yet been a systematic examination of lessons learned from the exercises nor uniform application of standards for attempting to correct any problems revealed across government or in industry.”

And this isn’t the only US leadership role gone a missin’. The cyber czar position created by the Obama administration in May is still vacant.

Join the Conversation

It comes down to money. The cost and time is quite large.
Some of the most completely debugged software goes into A/C flight control systems. Even so, crashes have occurred due to bugs in the software.

Part of the defense is multilayered in nature, and does not rely on single point or method detection.
Unfortunately, observed unusual behavior is still needed and used as part of the actual defense.

I wrote a whole article in a published magazine on the very topic… it comes down to pre-planning to make sure the architecture is planned well enough to avoid making holes, and constant surveillance with a well-planned reaction process… though as Charlie points out, it is a question of money.
Remember also that software is not just on PCs and chips, it is also on the Routers and Switches that run the Internet…constant battle to patch those OS’s and fix configuration holes.

Ah the joys of Windows!

Considering how much we rely on computers for our military to operate, we should try to find the time and money to address the coding issues. In particular we need to take capitalism out of the equation and have all chips to be used in defense computers manufactured here in the United States. At least that would make Chinese intelligence have to flip people here as opposed to handing over easy access to them by using Chinese manufacturers to begin with.

It also seems to me that since the NSA handles most of the government’s decryption operations, which puts computers, both software and hardware, in their wheelhouse, they would be the logical choice to coordinate the security of the United States’ mission-critical computer components. The NSA also has plenty of experience, having been around for decades and having started using computers practically in their infancy.

Security specialists need more hands-on training with equipment configured similarly to the “real world” but in environments where these “sandbox” training labs are separate from their corporate networks.

This whole cyber security thing is just ridiculous. You can’t make it secure, and that was known a long time ago. Plus, the lines of code times programmers, errors in chips: it didn’t take much research to put that out.
The net is a “fixed fortification”, like Patton said, and a “monument to man’s stupidity.”
Patching holes and reconfiguring firewalls is purely defensive. Go after the attackers. Can’t you IT guys embed a viral reply or something? Turn their computers into jelly? “Yeah! Sure! Here’s my bank account number and PIN. Go ahead. Click on this link to put $2 million into my account.” Yup! Banning thumb drives is just an admission that IT can’t handle it.

As throughout the IC, the NSA has been impeded from doing what it does best behind closed doors.
Attracting, funding and keeping the best and brightest in the defense of our nation needs to be reestablished as a ‘priority one’ in closing cyber as well as other threats to our Nation.
Our enemies are certainly taking that approach.

I find comments on cyber to miss the point completely. We (I) knew in 1979 our nation was in trouble as I commanded the first cyber unit. At that time it was called the Red Team and was a creation of SAC and AFCC. Note this is all AF. CINCSAC created an exercise called Global Shield and for the first time C4 was actually attacked. Everything was on the table: computer systems, satellite, power, ATC, telephone switching systems and you name it. What we learned was documented extensively and we repeated our efforts in four more exercises. Get over it: we knew and did nothing. Today the AF hides cyber in Space Command. Space Command should work for cyber, as their job is satellite housekeeping; the operator decides how the payloads are used.

DOD has tested network defensive software that is proven fool proof. It is just that if you’re not a big corporation with a large wallet to lobby Congress, you are not going to get a contract. And most likely many of them are afraid their intellectual property will be given to the Chinese by dishonest cranks within the system; also they fear getting their property rights confiscated by something like eminent domain, for the good of the country. Without guarantees, it is unlikely we will ever get cooperation from the geniuses that have the solutions to our cyber-security problems.

NSA could fix the problem, but with Obama sitting on the appointment of a cyber-security cabinet chief, there is no leadership here.

One question.

Have you seen the new Coalition Warrior Interoperability Demonstration 2009 Orientation Guide?

This is being put out by USJFCOM. This is all I’m going to say about it. If you haven’t and are interested I can send a copy. But you will have to ID yourself somehow. You could start out by making me a friend on Military.com

I work for no person or company. I’m just a patriot that hates malware and is interested in the cyber and otherwise defense of my country.

I find it interesting that the government is still heavily relying upon chips from China when a NIR was released a few years ago in which the Chinese government published an internal document citing “cyber-terrorism” as a viable means of weakening their “enemies” (among whom the United States was listed). Why are we playing a passive defense and handing the keys to the front door to those that want to do the most harm?

The Chinese have already been caught attacking our military and government computers through Titan Rain (if you think the Chinese Gov’t wasn’t aware of their actions, you don’t know the extent of government control in China). What is wrong with our government officials? Why are we always playing patty-cake with these guys?

Thanks to the supercomputer tech that the US sold China. Clinton and then Bush, appeased China to no end. Intel/AMD/IBM are all american businesses. China does not even have a major microprocessor developer headquartered within their borders.

Gee, I wonder if we just can’t stop WalMart from buying any more Chinese exports until we are satisfied that they have stopped hacking us. Since they don’t let their money have the appropriate exchange rate, we could tariff their imports to get money to pay for cybersecurity. I am all for free trade, but I also want fair trade.