Pentagon Discloses Massive Data Theft, Lays Out New Security Strategy

A targeted attack on a defense contractor in March of this year resulted in the theft of 24,000 files by an unknown attacker, according to Defense Department officials. The attack, which officials say was the work of a foreign government, would represent one of the more serious known attacks on the department and its contractors.

In a speech Thursday in which he unveiled the Department of Defense Strategy for Operating in Cyberspace, William J. Lynn, deputy defense secretary, said that the attack was just one of thousands such intrusions that the government and its contractors suffer every year.

“The critical infrastructure the military depends upon also extends to the private companies that build the equipment and technology we use. Their networks hold valuable information about our weapons systems and their capabilities. The theft of design data and engineering information from within these networks undermines the technological edge we hold over potential adversaries,” Lynn said in his speech.

“It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies. In a single intrusion this March, 24,000 files were taken.”

Lynn did not specify what kind of data was stolen or who specifically the department thinks is responsible. The federal government and its contractors have always been clear targets for foreign governments and private groups looking to disrupt U.S. operations or gain some insight into defense, economic or other plans. As far back as the infamous “Cuckoo’s Egg” attack in 1986, and likely long before that, foreign governments have been working to compromise sensitive systems and extract data.

In his speech, Lynn reiterated that the U.S. may well respond to cyberattacks with physical force.

“It should come as no surprise that the United States is prepared to defend itself. It would be irresponsible, and a failure of the Defense Department’s mission, to leave the nation vulnerable to a known threat. Just as our military organizes to defend against hostile acts from land, air, and sea, we must also be prepared to respond to hostile acts in cyberspace. Accordingly, the United States reserves the right, under the laws of armed conflict, to respond to serious cyber attacks with a proportional and justified military response at the time and place of our choosing,” Lynn said.

As for the Defense Department’s new strategy, much of it is similar to other documents that the Obama administration and the Bush administration before it have released, outlining the parameters of network defense and national security. But the new strategy goes farther in a couple of respects, including the section that spells out the department’s intention to use procurement as a way to improve security and a section that lays out the DoD’s plan for a continuous active defense system.

“The high point of the strategy, in terms of impact on the nation’s ability to protect its networks and systems, is Initiative 5. Part of the impact of this Initiative comes from the promise of innovative recruiting and training activities. But the larger part comes from the promise of deployment of the federal procurement infrastructure to provide incentives to vendors to build safer and more defensible systems and software,” said Alan Paller, director of research at The SANS Institute. “Procurement is the only major leverage the nation has — its $75 billion IT expenditure. Leveraging that to ‘persuade’ companies to deliver safer systems is THE big step forward. However, the procurement Initiative works only for future systems that are touched by the procurement process.”

Discussion

  • David Emery on

    I assert this is a consequence of the (vulnerable) mono-culture instituted across Government and Industry by CIOs that accept no accountability for the security of what they buy when they assert "this is the industry standard."

  • walterrbyrd on

    Which foreign government? How did it happen? Did somebody crack our systems, or was it the result of offshore outsourcing? Was it done by a visa worker?

    Article has too few details to be meaningful.

  • Anonymous on

    If you look at the speech, it doesn't look like Lynn gave any other details on who it was or how it happened. No reason for him to say any more.

  • Anonymous on

    Nobody does their homework any more.  Here is what you need to know about what's going on.  It's a report prepared for the US Government after two large defense contractors were pwned.

    Once you see the details and the skills in play, you'll realize that success had nothing to do with Windows, or even a "monoculture".  Realize these are not script kiddies; they are serious men and women who are highly skilled professionals.  They have budget, training, and plan things very carefully and thoroughly.

    http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf

    Not sure how that link will work, but search for the title and you'll find it just fine.

  • Jon DuBois on

    I bet foreign governments use more computers than people, even for operations like this.

  • Anonymous on

    These sort of disclosures happen relatively frequently throughout the industry; it's rare that we hear publicly of such events. Let's just hope they learn from this attack to prevent similar intrusions.

  • Anonymous on

    Theft? Does that mean they no longer have the files? If not, please amend.

  • Anonymous on

    Dear William J. Lynn, deputy defense secretary

    It's your own fault. You NEVER physically or logically connect classified networks to the public network. This is what happens when you do. If they weren't connected you wouldn't get hacked. It would seem for all the billions you spend you would hire someone that knew this like me, but then again if you did you wouldn't spend billions and be able to cry "I got hacked I need more money!"

    You set yourself up to get hacked. The truth is Mr. deputy defense secretary I think you did this just so you can enact more laws to restrict The People.

  • Bob on

    I agree with the previous post, if you do business with the US GOVT you will be connected to a private network that does not touch the public Internet period. You must support 100% end to end encryption and all servers must be on a UNIX platform. All desktops must be thin clients with no USB allowed.  We have the power to stop them if we just do it!

  • Anonymous on

    Bob and the post above...

    Unix is not going to protect you. These aren't kiddies who got their hands on the Zeus source. You think the Pentagon forgot to run WSUS!? It probably was unix. Or maybe they attacked software that could run on Windows or Linux, maybe a design software etc. Bob...what are thin clients going to do? There is no difference between hacking a thin client or a physical. Disabling USB and not equipping CDRs would be ideal in this situation, but they said it was "hacked" not someone with clearance copied the files to a jump drive.

    Just as another note, they said that a contractor was hacked. They made no reference that there was a system connection. Company designs missiles and sells the design to the US. Company gets hacked and now the bad guys have the plans that were sold to the US.

    I also disagree with the fact that confidential systems cannot touch the internet. In fact, confidential data can be made available over the internet if done correctly. Confidential data needs to require an application to host it (not SMB!) and that application should require at least TRUE 2 factor authentication if not three. The government's computers will actually be safer IMO if all data sharing is done through the web with no tunnels or leased circuits to other buildings. A compromised client should not be able to compromise sensitive data that is accessible from the client.

    I could say a lot more but I'll leave it at that.
