This last week Sen. Levin (D,MI) introduced S 3254, the National Defense Authorization
Act for Fiscal Year 2013. While, as expected, there is nothing in this bill
that directly addresses ICS security issues, there are some issues raised in
Title IX of Division A in the bill that might be of interest to the
cybersecurity community. Additional issues are raised in the Committee
Report.
Interconnected Networks
Section 923 of the bill requires the Secretary of Defense
to take actions “to substantially
reduce the number of sub-networks and network enclaves across the Department of
Defense, and the associated security and access management controls” {§923(a)}.
There are a number of good reasons given for requiring this action; they
include:
• Visibility for the United States Cyber Command in the operational and
security status of all networks, network equipment, and computers.
• Elimination of redundant network security infrastructure and personnel.
• Rationalization and consolidation of cyber attack detection, diagnosis,
and response resources, and elimination of gaps in security coverage.
• Reduction of barriers to information sharing and enhancement of the
capacity to rapidly create collaborative communities of interest.
• Enhancement of access to information through authentication-based and
identity-based access controls.
• Enhancement of the capacity to deploy, and achieve access to,
enterprise-level services.
• Separation of server and end-user device computing to facilitate server
and data center consolidation and a more secure tiered and zoned network
architecture.
The one thing that seems to be missing from this reasoning
is that if Cyber Command has easy ‘visibility’ into all of these networks, an
adversary who successfully penetrates one of those consolidated networks, or who
obtains the credentials of someone with that visibility, can achieve much the same
view. Consolidation that removes enclave boundaries also removes the barriers that
would otherwise limit how far a single compromise can spread. Just think about the
unfettered access of a single low-ranking intelligence analyst that led to the
WikiLeaks disclosures.
Host Based Cybersecurity
Section 924 requires the DOD CIO to “develop a strategy to acquire next-generation host-based cybersecurity
tools and capabilities” {§924(a)}. This next-generation capability is intended to address
the well-known weaknesses of signature-based threat detection, which can only catch
attacks for which a signature already exists. An
important part of this new system is that it be expandable to include more than
just intrusion detection. That potential tool set, yet to be developed, should
include {§924(b)(2)}:
• Insider threat detection;
• Continuous monitoring and configuration management;
• Remediation following infections; and
• Protection techniques that do not rely on detection of the attack, such
as virtualization, and diversification of attack surfaces.
An additional requirement is that it should be “designed for ease of deployment to
potentially millions of host devices of tailored security solutions depending
on need and risk, and to be compatible with cloud-based, thin-client, and
virtualized environments as well as battlefield devices and weapons systems” {§924(b)(2)}.
While this is the holy
grail of security systems, if anyone has the resources to get one developed
that meets these requirements, it will be DOD and DARPA. Even if they only
half-succeed, it will be a major accomplishment. The open question is that, since
such a system will undoubtedly be classified, will the Government allow its use by
critical infrastructure that needs the same level of protection against similar
attackers?
Improving Software Security
While an improved
cybersecurity system will go a long way toward protecting DOD computer systems,
those systems will only be as secure as the software that runs on them. Section
925 would require an improved software acquisition process. This new process
would require:
• Update of development and acquisition models {§925(b)};
• Requirements for secure code development practices {§925(c)}; and
• Verification of effective implementation {§925(d)}.
There is an
interesting sub-paragraph to this section with the misleading title of “Study
on additional means of improving software security” {§925(e)}. What is
really being required is a study of ways to ensure that procured software
meets the security needs of the Department. The methods suggested include:
• Liability for defects or vulnerabilities in software code.
• So-called ‘‘clawback’’ provisions on earned fees that enable the
Department to recoup funds for security vulnerabilities discovered after
software is delivered.
• Exemption from liability for rigorous conformance with secure
development processes.
• Warranties against software defects and vulnerabilities.
Because of the size
of the DOD purchasing pocketbook, this could change the way that
software security is addressed in the marketplace. If these types of actions
become the standard for software security assurance, there will be a wholesale
change in the way software is developed and sold; probably an overdue change.
Cyber-Operations Facilities
Anyone who has
spent time in the military knows that all services have extensive physical facilities
where the weapons of war are tested, evaluated, and, most importantly, where
their use is practiced. The Senate Armed Services Committee takes the
Department to task in its report for “its lack of attention to its cyber ranges”
(pg 67; Adobe 87). An extensive discussion covering three pages of the
Committee Report identifies a number of instances where funding and resourcing
of existing and developing cyber ranges have declined in recent years.
The Committee
requires DOD to prepare a report to Congress that identifies a central management
structure for the oversight of cyber range “infrastructure, funding and
personnel” (pg 69; Adobe 91). The report will also identify the sources of
funding and resources for the modernization and operation of the cyber ranges.
Cybersecurity Personnel
It is widely recognized that
there is a severe shortage of personnel with a cybersecurity background. The
Department of Defense has a large number of personnel slots that need to be
filled in this area. The Committee Report notes “that every effort must be
made to successfully recruit, train, and motivate for military service young
people with computer skills to operate and defend the Department of Defense’s
computer networks and infrastructure” (pg 117; Adobe 139).
The Report requires
DOD to provide a ‘letter report’ to Congress within 180 days of this
legislation becoming law that:
• Describes current programs for identifying, recruiting, training, and
retaining young people with outstanding computer skills for military service;
• Reports any human capital or specialty shortfalls in cyber defense
career fields; and
• Describes bonuses or any non-traditional or non-standard recruiting
practices that are employed by the military services to locate and recruit
young people for cyber-related career fields.
Development of Cybersecurity Expertise
The Committee Report
(pg 180, Adobe 202) “encourages the Department of Defense to continue to
support multi-disciplinary programs of study and research that focus on
developing U.S. cyber security expertise and tackling vital cyber security
issues”. Included in those issues, the Committee specifically included the
protection of critical infrastructure “which the Department would be called upon
to defend in the event of a cyber attack on the United States”.
What is not clear
from this discussion is how the Senators would expect DOD to interpose itself
between such critical infrastructure and cyber-attackers.