Security experts question DOD cybersecurity

Military relies too much on commercial, off-the-shelf software, experts say

Robert Lentz, director of information assurance at the DOD, said the agency is making "significant progress" in protecting its information networks. The agency is complying with cybersecurity policies required by the Federal Information Security Management Act of 2002, he said, and it is working from a cybersecurity roadmap that includes major goals of defending systems and networks, focusing on research, and protecting information.

"This means that all information must be protected from end to end, and through its lifecycle, from the most sensitive nuclear command and control to business transactions," Lentz said.

Last year, the DOD successfully defended against 50,000 attempts to gain root level access on its computers, Lentz said.

While Lentz defended the DOD's cybersecurity efforts, Spafford questioned the DOD's use of commercial software that's often produced outside the U.S. "Much of this software, an increasing amount of this software, is being written by individuals we would not allow into the environments where it's operating," he said. "The reason for that is, they're not U.S. citizens ... they don't have any kind of background checks."

Outsourcing software development is good for the world economy and good for U.S. software vendors trying to compete in the marketplace on price, but using this software for computer systems containing national security information may be questionable, Spafford said.

"It introduces a tremendous vulnerability to our systems," he said. "The software is being developed, sometimes tens of millions of lines, by individuals whose motivations and agendas may not be fully known."

Microsoft's Charney suggested that asking where a piece of software was developed is the wrong question. Instead, purchasers of software should ask if good quality assurance processes are in place to test the software after the code has been written.

"One of the things you have to have is very rigorous processes in place to examine the code," he said. "If you are getting components from overseas and actually reviewing the quality of the component and testing the component, you will know what's in your code."

Representative Roscoe Bartlett, a Maryland Republican, asked witnesses what would happen to the U.S. military if all computer systems were knocked out and unable to be brought back up again. A nuclear bomb set off in the upper atmosphere could take out most communication satellites, Bartlett said, and he questioned if the DOD had a backup plan for such a scenario.

"Are we just through if our computer systems don't work?" he asked. "Are we looking at what would happen if they went away and didn't come back."

Such a scenario seems unlikely, Spafford answered. "Taking out all the computers would be a very difficult thing to do," he said.

Representatives Marty Meehan, a Massachusetts Democrat, and Joe Wilson, a South Carolina Republican, both asked whether cyberterrorism training camps exist.

Lentz offered to give representatives a classified briefing on such activity, and Spafford suggested that tools available to the public can instruct anyone on how to be a cyberterrorist.