Network security experts from across the U.S. government told a U.S. Senate Armed Services Subcommittee Tuesday that federal networks have been thoroughly penetrated by foreign spies, and that current perimeter-based defenses that attempt to curb intrusions are outdated and futile.
Speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, the experts told the assembled Senators that the U.S. government needed to abandon the notion that it could keep outsiders off its computer networks.
“We’ve got the wrong mental model here,” Dr. James S. Peery, director of the Information Systems Analysis Center at Sandia National Laboratories, testified. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”
Zachary J. Lemnios, the assistant secretary of defense for research and engineering at the Department of Defense, described the situation as “an environment of measures and countermeasures.”
“We can do things to make it more costly for them to hack into our systems…,” Senator Rob Portman (R-OH), ranking member of the Emerging Threats and Capabilities subcommittee, said as a point of clarification, “but you didn’t say we can stop them.”
Dr. Kaigham J. Gabriel, acting director of DARPA, likened the state of security on federal networks to treading water in the middle of the ocean. Treading water is a great way to stay alive and buy breathing room, he said, but treading water in the middle of the ocean inevitably leads to drowning.
“It’s not that we’re doing wrong things, it’s just the nature of playing defense in cyber,” Gabriel said.
All the experts called for better offensive capacities, but opted to wait for a closed-door session to go into specifics.
Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a dire shortage of talent that is exacerbated by a sclerotic hiring and promotion system within the government.
The average annual salary increase for computer scientists in the private sector is 4 percent. The government norm is pay freezes and DoD-enforced pay caps, Wertheimer argued. He noted that individuals with a PhD in computer science can enter the DoD at pay grade 12, making at most $90,000 a year, and then stay at that pay grade an average of 12 years before winning any sort of promotion. Even with those obstacles, agencies are limited in the number of grade-13, 14, and 15 employees they may have on payroll. Finally, staffing is complicated by the fast-revolving door between the government and its private contractors, which lure away top talent, then hire it back out to the government at inflated rates. Historically, the government has lost about one percent of its IT talent annually; this year the government is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of NSA employees who leave resign from their positions as opposed to retiring. Within the NSA’s IT staff, that figure is 77 percent resigning as opposed to retiring.
Finally, the U.S. education system is failing to produce the number of people with the advanced skills and degrees that are needed.
“The production of computer scientists is on the decline,” Wertheimer, the NSA’s director of research and development and the gloomiest of the group, explained. “We are not recruiting and retaining them… I am concerned also that the investments from the Congress and the people is almost all period of performance of one year or less. It’s to build tools. It’s to be a rapid deployment of capability. I rarely get the opportunity to think 3 years down the line even, in research. The money that comes to us has a very directed purpose… I feel the nation is frightened to think much beyond one or two years.”
Not everyone shared that gloomy perspective. Peery pointed out that Sandia National Laboratories, which operates under the DoE, pays starting salaries of $115,000 and $95,000 to people with PhDs and Master’s degrees in computer science, respectively. Gabriel argued that a focus on candidates with advanced degrees may be misguided, and that a model that expects high turnover rates may not be such a bad thing. He explained that he has a group of “cyber-punk” program managers who developed their skills in the hacking community. He said their skill sets have a 4-5 year shelf life before DARPA needs to go out and hire newer white hats.
The open subcommittee hearing was followed by what promised to be a much more interesting closed-door session with only the experts and the panel.
You can view the hearing here.