OSD CIO: Network configuration, scanning softened cyberattack blow

ORLANDO, Fla. – Dennis Clem, chief information officer at the Pentagon and the Office of the Secretary of Defense, didn’t think his network was as vulnerable to attack as it was.

But last June, malicious code hit part of his network. To isolate the intrusion, he shut down part of the network of the Office of the Secretary of Defense, which affected 1,500 users.

“They used every tool they could against us,” he said March 4 at the Information Processing Interagency Conference. Although Clem did not identify the source of the code, public reports later identified it as most likely coming from the Chinese government.

It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.

“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.

The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.

In total, it took three weeks and $4 million to recover from the incident, he said.

The Pentagon experiences 70,000 illegal-entry attempts daily from small, innocuous probes to full-blown attack attempts, Clem said. Hackers know within minutes when a new server or software is deployed in the Pentagon, and they attempt to intrude. They have stolen lots of information from the Defense Department, he said.

“We don’t know how our adversaries will use the information," Clem said. "It can be as dangerous as a weapon and used later it may cost someone’s life.”

It was crucial that he understood his network configuration, he said. He had been in the process of consolidating 14 networks into one enterprise network, and he had to know what was on them, he said.

“If you don’t know what’s on your network, you can’t protect it,” he said.

Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.

Information technologysecurity has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.