Security experts question DOD cybersecurity

WASHINGTON - The U.S. Department of Defense (DOD) relies too much on commercial software, doesn't know who is creating the software, and faces other significant cybersecurity problems, witnesses told a U.S. House of Representatives subcommittee Thursday.

The U.S. military's use of commercial, off-the-shelf software has yielded fast improvements in software and cost-savings benefits for U.S. taxpayers over the last 20 years, but such software has its downside, said Professor Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University.

"Most of those products are not written to be used in an environment where there is a significant threat," Spafford told the House Armed Services Committee's Subcommittee on Terrorism, Unconventional Threats and Capabilities. "We have ... attacks being committed by hackers, by anarchists, by criminals, probably by foreign intelligence services. The (commercial) products have not been designed to be reliable or robust under those kinds of circumstances."

As the subcommittee attempted to assess the cybersecurity programs at the DOD, Spafford and Robert Dacey, director of the Information Technology Team at the U.S. General Accounting Office (GAO), both raised questions about cybersecurity efforts in the U.S. military.

In addition to relying on too much commercial software, the DOD uses the same software across many of its systems, forming a "near mono-culture," Spafford added, without naming any software packages. Common software products suffered about 2,000 vulnerabilities last year, he said.

"When a new attack is found that has affected any one of these products, it seeps through the entire network," he said. "Operators of systems may be in the position of applying three to five security critical patches per week for every system under their control. That really is unacceptable for us to be in a state of high readiness."

But Scott Charney, chief security strategist for Microsoft Corp., said homogeneous software systems also have their advantages. It's easier to train systems administrators on one piece of software than on multiple products, he said, and patching can happen faster if an agency has just one product to patch.

"Reasonable minds are debating whether a homogeneous environment or a heterogeneous environment is better for decreasing risk," Charney said. "The advantage of a homogeneous environment, or more of a mono-culture, is it's much easier to manage. You train your people in a particular system, and they manage that system, they know all the security settings, you run tools to make sure they lock it down."

The GAO's Dacey highlighted cybersecurity weaknesses identified in DOD reports on fiscal year 2002. The DOD, he said, has concerns about the amount of time necessary for correcting reported vulnerabilities, about training all its network workers, and about ensuring that computer security policies are distributed quickly. Other DOD concerns include the lack of comprehensive testing of cybersecurity policies and increasing the use of authentication certificates to aid cybersecurity.

But the DOD has at least acknowledged those problems, Dacey added. "DOD has been at the forefront of many information security initiatives in the federal government," he said.