Committee Report on S 1253 – Cyber Security Matters

As I mentioned in yesterday’s blog on S 1253 I expected to find additional information on military cyber security matters in the Senate Armed Services Committee report on S 1253 (Sen Rept 112-26) and I wasn’t disappointed when I reviewed the 343 page document. I only found one new item (a discussion of USB security devices) but there are some interesting additional details about the subjects that I discussed in yesterday’s blog.

Previous Topics

For those readers who are specifically interested in any one of the particular topics that I covered yesterday here is a list of the topics and respective pages for the additional coverage (Note when using Adobe Reader® you have to add ‘22’ to the page number to get to the appropriate page, the Committee Report does not start arabic page numbering until after the table contents, a confusing, out-dated practice).

• GPS Interference – Pg 161

• Detecting Cyber Attacks – Pg 165-9

• WIKI Leaks Prevention – Pg 169

• Cyberspace Experts – Pg 184

The lengthy discussion on detecting cyber attacks based upon previously unidentified vulnerabilities is well worth the read. Of particular interest is the sanitized discussion of the capabilities of NSA to detect attacks based upon zero-day exploits (pgs 165-6). It would seem to me that a complimentary technique would be for NSA and other appropriate agencies (CERT and ICS-CERT for example) to conduct programs to actively look for vulnerabilities in critical software packages or systems.

USB Device Security

The Committee recommends a $3.0 million increase in the budget authorization for the Department’s Information Systems Security Program. This would be used to fund an, as of yet to be determined, additional number of File Sanitization Tools (FiST; don’t you love DOD acronyms?). These devices were developed by NSA ‘to check and cleanse the content of thumb drives’. These devices were initially developed when “military networks, including classified networks, were infected with a propagating virus that was initially introduced via USB flash drive or ‘thumb drive’ removable media devices” (pg 81) several years ago.

Interestingly it took the predecessor to the Cyber Command 16 months to require the use of such devices after NSA developed them within months of receiving the tasking. DOD initially determined that they would need 700 such devices, but to date (apparently two years after their development) only 57 have actually been purchased and deployed.

The Report notes that other mitigation efforts (including limiting the computers that can accept/use a USB memory device) have been put into place, but the Committee expresses some concern that this relatively inexpensive device (well relatively inexpensive for really sensitive computers) isn’t more widely used. DOD is in the process of determining how many additional units are actually needed, so the $3 million is based upon the Committee’s best guess of the cost.