Experts Tell Senate: Government Networks Owned, Resistance Is Futile

Network security experts from across the U.S. government told a U.S. Senate Armed Services Subcommittee Tuesday that federal networks have been thoroughly penetrated by foreign spies, and that current perimeter-based defenses that attempt to curb intrusions are outdated and futile.

Speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, the experts told the assembled Senators that the U.S. government needed to abandon the notion that it could keep outsiders off its computer networks.

“We’ve got the wrong mental model here,” Dr. James S. Peery, director of the Information Systems Analysis Center at Sandia National Laboratories, testified. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

Zachary J. Lemnios, the assistant secretary of defense for research and engineering at the Department of Defense, described the situation as “an environment of measures and countermeasures.”

“We can do things to make it more costly for them to hack into our systems…,” Senator Rob Portman (R-OH), ranking member of the Emerging Threats and Capabilities subcommittee said as a point of clarification, “but you didn’t say we can stop them.”

Dr. Kaigham J. Gabriel, acting director of DARPA, likened the state of security on federal networks to treading water in the middle of the ocean. Treading water is a good way to stay alive and buy breathing room, he said, but treading water in the middle of the ocean inevitably ends in drowning.

“It’s not that we’re doing wrong things, it’s just the nature of playing defense in cyber,” Gabriel said.

All the experts called for better offensive capabilities, but opted to wait for a closed-door session to go into specifics.

Dr. Michael A. Wertheimer, director of research and development at the NSA, told the Senators that the federal government also faces a dire shortage of talent that is exacerbated by a sclerotic hiring and promotion system within the government. 

The average annual salary increase for computer scientists in the private sector is 4 percent; the government norm is pay freezes and DoD-enforced pay caps, Wertheimer argued. He noted that individuals with a PhD in computer science can enter the DoD at pay grade 12, making at most $90,000 a year, and then stay at that grade for an average of 12 years before winning any sort of promotion. Beyond those obstacles, agencies are limited in the number of grade-13, -14 and -15 employees they may have on the payroll. Finally, staffing is complicated by the fast-revolving door between the government and its private contractors, which lure away top talent and then hire it back out to the government at inflated rates. Historically, the government has lost about one percent of its IT talent annually; this year it is set to lose 10 percent of that workforce, the experts claimed. Wertheimer said that 44 percent of departing NSA employees resign rather than retire; within the NSA’s IT staff, that figure is 77 percent.

Finally, the U.S. education system is failing to produce the number of people with the advanced skills and degrees that are needed.

“The production of computer scientists is on the decline,” Wertheimer, the NSA research director and the gloomiest of the group, explained. “We are not recruiting and retaining them… I am concerned also that the investments from the Congress and the people is almost all period of performance of one year or less. It’s to build tools. It’s to be a rapid deployment of capability. I rarely get the opportunity to think 3 years down the line even, in research. The money that comes to us has a very directed purpose… I feel the nation is frightened to think much beyond one or two years.”

Not everyone shared that gloomy perspective. Peery pointed out that Sandia National Laboratories, which operates under the DoE, pays starting salaries of $115,000 and $95,000 to people with PhDs and Master’s degrees in computer science, respectively. Gabriel argued that a focus on candidates with advanced degrees may be misguided, and that a model that expects high turnover may not be such a bad thing. He explained that he has a group of “cyber-punk” program managers who developed their skills in the hacking community. He said their skill sets have a 4-5 year shelf life before DARPA needs to go out and hire newer white hats.

The open subcommittee hearing was followed by what promised to be a much more interesting closed-door session with only the experts and the panel.

Discussion

  • Anonymous on

    Resistance is futile. The Borg are Borg.

  • Anonymous on

    "senator, F - it, we're owned. Here's how we can live with it"

  • Anonymous on

    More money is only going to attract those who can work in this country and are attracted by more money. There will always be more money working in the private sector; why make $100,000 a year when one can make millions of dollars a year with their own start-up or selling exploits to foreign governments like Vupen does? A lot of people are not attracted by money, have ideological reasons behind what they do, or like doing it for the fun of it. It's also a question of brain power, genes, and environment; if those qualities exist in other parts of the world in greater ability than your own, then what can you do? Of course, companies who are now producing "dumb" computing appliance tablets with closed iOS's and threatening to shut open computers out of the market aren't helping matters any. An open machine encourages the young and bright to tinker with it as it provides an opportunity to explore and develop their skills.

  • Anonymous on

    How is this a bad thing?  Bradley Manning is a hero for exposing AmeriKKKa crimes, now AmeriKKKa should be able to hide itself?

  • Anonymous on

    This is not surprising - what with millions of folks with some sort of security access. What would be surprising is if the US did not have comparable presence in Chinese, French, German, etc nets.

  • Anonymous on

    I concur with the statement above that this situation is not surprising.  Our government cannot see the pitfalls with how it mandates IT security … FISMA and FISCAM compliance is mostly a paper exercise (go back to NASA’s FY11 response) and does not ensure secure systems.  Further evidence of our government’s short-sightedness is its mandate to move Federal Departments and Agencies to a service provider-based Cloud solution under the guise of making these Federal systems more functional and SECURE.  Tell me how moving all of the Federal systems, to include email/messaging systems, to a non-Federally-owned and controlled infrastructure (ISP-owned infrastructure) will make these systems “more secure”.  The amount of penetration noted in the article is just the beginning; once our Fed moves to the ISP-based Cloud solution, the amount of penetration and, now, data leakage will increase dramatically.

  • creandawg on

    Whatever happened to working for the sake of job security? People with skills to combat this kind of stuff can pretty much expect to work the rest of their lives at a comfortable level - 6 figures aside, that is pretty darn good. I don't think a PhD is needed to combat cyber attacks either. Are the Russian, Bulgarian, Hindi, Chinese, and other hackers holders of PhDs? I think not. Going to school too much for too long is stupid. Get in the workplace like our parents did and start living the dream.

  • Anonymous on

    Idiot? Really?

    How are Federal systems and their data going to be secured?  What ensures these systems and their data remain in CONUS?  Also, encryption mechanisms are not the answer, as we have seen.  The best defense is to keep one’s data under one’s total control.  The ISPs that are seeking this new Federal business have data centers across the globe, so how can the Fed be assured any of their systems are not being stored outside the US? They cannot.  How can the Fed be assured of the background of the personnel managing these systems? They cannot.  What controls the storage and access to backup tapes, what is the disposition of replacement storage media, and how are actions confirmed and assured, etc.?  What happens when the Federal government settles on a few ISPs to provide Cloud computing solutions (Google and Microsoft are the frontrunners for this new business)?  When this occurs, these systems and their data are consolidated – is that secure?  These are real concerns for which mere contracts and agreements with vendors/suppliers cannot ensure system security.

    So, instead of a simple one-word response, please pose cogent and non-confrontational arguments.  If logical, I will gladly concede my lack of forethought.  Finally, my earlier response is based not just on my experience and opinions but, rather, is shared with and by coworkers.


  • Anonymous on

    I agree that it is absolutely stupid to get the PhDs.  You need the hackers, not the academics.  There are several other things we need to do.  One is to lock out the foreign students from our PhD and MS programs at the local University by getting the States to take back 150% of the Out of State tuition differential that they collect and send it back to the State treasury rather than the College treasury.  Then they will have no incentive to recruit that way.  In Huntsville, Alabama, US Army Counter Intelligence Agency figures that about 3,000 upper division students at local colleges and universities are "Assets of their Respective Nation States" (Spies!).  We need to awake to the role of academia against national security.  The same is true for spies all over the USA.

  • Anonymous on

    Can you say "The Lorenzi Group"?

    We've been saying this and doing such services for two years.

    Yet another prime example of Corporate IGNORANCE and WE ALL PAY FOR THAT.

    Can you say, "Greece"?

  • Anonymous on

    There are many who do the job for reasons other than money. That being said, even if a person takes a significant cut to be a fed employee, they should still reasonably expect a raise in pay to keep them even with inflation. The last fed pay increase was in 2010 and the outlook is likely that it will be frozen through 2015. With 8% inflation, $4 gas, and an ability to double your pay in the private sector (don't forget being piled on in Congress and the press as a leech and useless bureaucrat), it gets old.

  • Anonymous on

    Isolated networks. How the f*ck do they work?

  • Anonymous on

    " that current perimeter-based defenses that attempt to curb intrusions are outdated and futile." from the article. As I have understood it, the DoD guidelines (I use them for my personal systems) are definitely protecting systems at depth, contradicting the article's viewpoint. I'd guess they want more funding for hiring additional personnel to actually implement the guidelines and their changes in a due manner.

  • Anonymous on

    Being a front-line worker in this field, I can say that this article is somewhat contrasting to what is actually going on.  The biggest problem we tend to see is a lack of communication and coordination between managerial assets and operational assets.  This is a systemic fault not localized to the military/DoD, however, so it's to be expected somewhat.

  • Anonymous on

    We could just block internet access to Facebook from Susie Joe's PC, but we won't because she'll whine until she gets it.

    Give people an iPad and block their work PC from the internet.  Cheaper and more effective.
