The cyberattack that awakened the Pentagon

Incident in 2008 by a foreign intelligence service led to DOD's revamped strategy

 

The 2008 breach of the Pentagon’s classified and unclassified networks by a relatively unsophisticated worm was a wakeup call for the military, said Deputy Defense Secretary William J. Lynn, who today outlined the DOD’s developing strategy for defending against and responding to cyber attacks.

Lynn declassified at least some of the details of the intrusion and subsequent cleanup effort, called Operation Buckshot Yankee, for an article to appear Thursday in the journal Foreign Affairs. In it, he said the intrusion was caused by a worm uploaded from a flash drive by a foreign intelligence agency and spread through DOD classified and unclassified networks.

“It isn’t the most capable threat, but that’s the point,” Lynn said Wednesday in a teleconference with reporters. “The important policy application is that it was done and we need a set of defenses that would prevent that going forward. We need a new strategic approach.”


Related stories:

DOD struggles to define cyber war

US already at war in cyberspace, experts say


Lynn outlined the five pillars of the new strategy, one of which would include extending DOD protection to non-military critical infrastructure.

“The .mil networks do not exist in a vacuum,” he said. But he added that the Homeland Security Department has priority in defending the .gov and .com domains and that DOD and the National Security Agency would play only a supporting role. “The call there is Homeland Security,” he said. “We would follow the Homeland Security lead.”

Lynn’s disclosures of Buckshot Yankee offered few new details of the incident. The breach had been widely reported in 2008 and it was known that the malware responsible was the agent.btz worm, which spread by exploiting the Microsoft AutoRun function that automatically runs programs on removable drives when attached to a computer. The most significant revelation from Lynn was his insistence that the breach was the work of a foreign nation, although he refused to identify the country or how the attack was attributed. He also did not say whether the worm actually succeeded in stealing or corrupting data on the DOD systems.

“It is tied to a foreign intelligence service,” he said. “The important thing is that it did occur and the threat exists.”

To counter that threat, a document detailing the DOD’s strategic cyberdefense and response posture will be developed this fall. Lynn said he expected it to be completed by year’s end. He said the strategy will consist of five pillars, some of which already are being implemented by the Pentagon:

  • Recognize cyberspace as a new domain of warfare, alongside land, sea, air and space. This has been officially done with the creation of the U.S. Cyber Command, which became active earlier this year and is expected to achieve full operational capability in a few months. It is collocated with the National Security Agency at Fort Mead, Md.
  • Extend our defensive posture beyond good computer hygiene and traditional perimeter defenses. “We need a sophisticated and active defense” capable of responding “at network speed," Lynn said.
  • Extend protection beyond the .mil networks to the critical infrastructure that supports the DOD and much of the nation’s economy.
  • Pursue international cooperation for the sharing of information and warnings. Lynn said he has been in talks with the United Kingdom, Canada and Australia about such cooperation, and expects to extend those talks to NATO in the coming months.
  • Maintain U.S. IT dominance with a cadre of trained professionals backed up by sophisticated automated tools. This also would require adapting government IT acquisition policies to match the speed of technological change.

Although the Pentagon is in the process of establishing cyber defenses and strategies, defining cyberwarfare remains a challenge, Lynn said. Defining the points at which intrusions become espionage or an act of war still remains to be done.

“We are still working through where these thresholds are,” he said. “This is far less clear than for nuclear” warfare, which defined the strategies of the Cold War.

One particular problem is attribution, or the ability to identify the source of an attack.

“Attribution is very difficult,” Lynn said. “Even when you can do it, it takes a long time.” Because of this, the country’s cyberdefense strategy is likely to rely more on denying our enemies the benefits of an attack rather than on retaliation, which was the backbone of the U.S. Cold War strategy.

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Mon, Sep 13, 2010 philipic

not to stress! the money isn't going to be there for quite some time. in other news, the DISA parking lot on Courthouse Road was observed to be filled before 0900 this morning! an in-house investigation is underway.

Wed, Sep 8, 2010 DoD contractor

DIACAP is only a waste, if it is treated as a paperwork exercise and not an Information Assurance exercise. There have to be trained and knowledgable individuals who implement the process. The DIACAP process includes individual accountability. The DAA puts their career and reputation on the line when they approve a system as part of the DIACAP process. In addition, as threats are never static the system has to be reevaluated to ensure it still meets its IA goals.

Thu, Sep 2, 2010 bullseyebob

DIACAP uses a huge amount of time and money but does not do anything for security. It is a system that, in reality, says that this device/network ect. is secure as of the completion of the documentation. Networks are living things and do not stay static. Seconds after an ATO is signed it is no longer valid as the network has changed; ie, devices are added that are not authorized, software that has not been CONd has been added, etc. While it has not improved security, it has given lots of people jobs and has fooled some into thinking it has made things more secure.

Tue, Aug 31, 2010

Until the government accepts the cold hard fact that EVERY system/network has a back door that needs to be more secured than the conventional points of entry they will remain open to cyberattacks from everyone from the "script kiddies" to the most talented state supported black hats.

Tue, Aug 31, 2010

IO functionaries in the DIA and DISA are DIACAP certified. The fact of the matter is that in addition to the DoD oversight process of DIB contractors being fundamentally bereft of accountablility (see GAO reporting) so are the alleged GSA IDIQ bid security consulancies who tout their prowess at reviewing the military intallations to ensure they are STIG complaint under the DIACAP C&A process. Factor out HBF apporaches, the record is clear. The DoD is either a novice at defending its own computing infrastructure and its own secret classifications, or fundmentally lacks the skill set to engage in this form of aysmmetric conflict.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above