OSD CIO: Network configuration, scanning softened cyberattack blow

ORLANDO, Fla. – Dennis Clem, chief information officer at the Pentagon and the Office of the Secretary of Defense, didn’t think his network was as vulnerable to attack as it was.

But last June, malicious code hit part of his network. To isolate the intrusion, he shut down part of the network of the Office of the Secretary of Defense, which affected 1,500 users.

“They used every tool they could against us,” he said March 4 at the Information Processing Interagency Conference. Although Clem did not identify the source of the code, public reports later identified it as most likely coming from the Chinese government.

It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.

“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.

The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.

In total, it took three weeks and $4 million to recover from the incident, he said.

The Pentagon experiences 70,000 illegal-entry attempts daily from small, innocuous probes to full-blown attack attempts, Clem said. Hackers know within minutes when a new server or software is deployed in the Pentagon, and they attempt to intrude. They have stolen lots of information from the Defense Department, he said.

“We don’t know how our adversaries will use the information," Clem said. "It can be as dangerous as a weapon and used later it may cost someone’s life.”

It was crucial that he understood his network configuration, he said. He had been in the process of consolidating 14 networks into one enterprise network, and he had to know what was on them, he said.

“If you don’t know what’s on your network, you can’t protect it,” he said.

Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.

Information technologysecurity has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.