Just when you thought it was safe to tread back into the cyber-waters, The Washington Post discloses that a large number of U.S. Department of Defense programs have been compromised by Chinese hackers. The list of “compromised” systems detailed by the Defense Science Board is somewhat breathtaking: missile defense systems, next-generation fighter planes, unmanned aerial vehicles and even conference attendee information. You can almost hear the “gulp” from inside the Pentagon.
But before Washington does what Washington does best (hold hearings, call for heads, legislate at breakneck speed), let’s take a step back and think strategically about this situation. This isn’t really a new story. The Pentagon has been saying for some time now that some of its major weapons systems have serious cyber-vulnerabilities. Nor has Congress or DOD been asleep — a significant amount of money and effort has been poured into shoring up cyber-defenses. To tackle this problem, we must start with the right questions and thoughts:
1. Panic is not called for: Not all breaches are created equal. Just because a DOD system was breached does not automatically mean that vital information has been stolen and is gone for good. A thorough forensic investigation is needed to determine what exactly was stolen and when. Frankly, that has probably already been done, and it may well be that the “compromised” systems have already had fixes installed.
2. Ask the right questions: Inevitably, questions will swirl around “how could this happen?” Reality check: More breaches will happen because no defense is or can be perfect. A better line of inquiry will focus on the forensic analysis and lessons learned. How long did it take for the breaches to be discovered? Hours, days or weeks is okay; years or even months is bad. Once the breaches were discovered, was information about them effectively shared with potential targets? DOD and Congress should be focusing on whether everything was caught and what lessons were learned.
3. Don’t fight the last cyber-war: Viruses may be yesterday’s news. Less sophisticated cyber-attackers are likely to use viruses we already know about, and DOD is well-prepared for them. The focus should be on fighting the more sophisticated, previously unseen threats. Various terms are used for such attacks (signature-less, zero day, etc.), but the common theme is that advanced adversaries come up with entirely new ways to conduct attacks that evade traditional protections. We need to focus on new, creative ways to protect DOD’s systems, such as allowing systems to only execute specific, pre-approved programs (“whitelisting”) or using technologies that run programs in a safe, isolated environment to tell whether they pose a threat (“detonation chambers”). We have to make sure we are not just plugging existing gaps at the expense of keeping up with new threats.
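To make the “whitelisting” idea concrete, here is a small added illustration (written for this piece; it is not DOD tooling and not code from the original article). It records a SHA-256 hash of each approved program at deployment time and refuses to run anything whose name or contents do not match. The sample “programs” are constructed in a temporary directory; the function names are assumptions for the illustration. Real products such as Windows AppLocker do the same job with signing rules and publisher certificates so the list survives routine software updates.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Iterable


def sha256_of_file(path: str) -> str:
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths: Iterable[str]) -> Dict[str, str]:
    """Snapshot the approved programs: file name -> expected SHA-256 (done once, at deployment)."""
    return {os.path.basename(p): sha256_of_file(p) for p in approved_paths}


def is_allowed(path: str, allowlist: Dict[str, str]) -> bool:
    """Allow execution only if the program is on the list AND its contents still match.

    Unknown programs are denied by default (the point of an allowlist), and a
    known name with changed contents is denied too, which catches tampering or
    a malicious file dropped over an approved one.
    """
    expected = allowlist.get(os.path.basename(path))
    if expected is None:
        return False
    # Constant-time comparison: no behavioural hint about how close a forged hash is.
    return hmac.compare_digest(expected, sha256_of_file(path))


def demo() -> Dict[str, bool]:
    """Exercise the three cases a practitioner cares about: approved, unknown, tampered."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "approved.sh")
        with open(approved, "w") as handle:  # constructed sample program
            handle.write("#!/bin/sh\necho approved\n")
        allowlist = build_allowlist([approved])

        results = {"approved": is_allowed(approved, allowlist)}

        unknown = os.path.join(workdir, "unknown.sh")
        with open(unknown, "w") as handle:  # constructed: never added to the list
            handle.write("#!/bin/sh\necho not on the list\n")
        results["unknown"] = is_allowed(unknown, allowlist)

        with open(approved, "a") as handle:  # constructed: approved name, altered contents
            handle.write("echo changed after approval\n")
        results["tampered"] = is_allowed(approved, allowlist)
        return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:9s} -> {'RUN' if allowed else 'BLOCKED'}")
```

The operational cost is visible in the code: every legitimate update changes a hash, so the list must be re-generated as part of the release process or the control will either block patched software or be switched off. That maintenance burden, not the checking logic, is what usually decides whether whitelisting stays in force.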