OSD CIO: Network configuration, scanning softened cyberattack blow

ORLANDO, Fla. – Dennis Clem, chief information officer at the Pentagon and the Office of the Secretary of Defense, didn’t think his network was as vulnerable to attack as it was.

But last June, malicious code hit part of his network. To isolate the intrusion, he shut down part of the network of the Office of the Secretary of Defense, which affected 1,500 users.

“They used every tool they could against us,” he said March 4 at the Information Processing Interagency Conference. Although Clem did not identify the source of the code, public reports later identified it as most likely coming from the Chinese government.

It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.

“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.

The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.

In total, it took three weeks and $4 million to recover from the incident, he said.

The Pentagon experiences 70,000 illegal-entry attempts daily from small, innocuous probes to full-blown attack attempts, Clem said. Hackers know within minutes when a new server or software is deployed in the Pentagon, and they attempt to intrude. They have stolen lots of information from the Defense Department, he said.

“We don’t know how our adversaries will use the information," Clem said. "It can be as dangerous as a weapon and used later it may cost someone’s life.”

It was crucial that he understood his network configuration, he said. He had been in the process of consolidating 14 networks into one enterprise network, and he had to know what was on them, he said.

“If you don’t know what’s on your network, you can’t protect it,” he said.

Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.

Information technologysecurity has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Social Media
    Editorial credit: pcruciatti / Shutterstock.com

    They took all the tweets and put 'em in a tweet museum

    Twitter cancelled @realdonaldtrump, but the National Archives will bring presidential tweets back via the Trump library website.

  • Workforce
    Avril Haines testifies SSCI Jan. 19, 2021

    Haines looks to restore IC workforce morale

    If confirmed, Avril Haines says that one of her top priorities as the Director of National Intelligence will be "institutional" issues, like renewing public trust in the intelligence community and improving workforce morale.

Stay Connected