"One gap that needs to be filled immediately is the need to do more research in this area," Robert Lentz, director of information assurance at Defense, told the House Armed Services Terrorism, Unconventional Threats and Capabilities Subcommittee. Lentz added that the defense community has held an "aggressive series of working groups" on cyber security in the past year.
But the General Accounting Office highlighted persistent weaknesses across the federal government. "Our most recent analyses of audit and evaluation reports for the 24 major departments and agencies continued to highlight significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse and disruption," said Robert Dacey, director of the GAO information technology team.
Dacey said GAO found that Defense still lacks mechanisms to assess its compliance with information security standards.
"Without a Defense-wide information assurance policy and implemented practices, the Defense Department's networks may be vulnerable to anyone who has a computer, the knowledge and the willpower to launch cyber attacks," said Subcommittee Chairman Jim Saxton, R-N.J. And subcommittee ranking Democrat Martin Meehan of Massachusetts added, "Many [Defense] systems remain redundant, outdated and inefficient."
Members of the subcommittee raised questions about whether the proposed cut of $2 billion from the information technology component of the House Defense authorization bill would impact the department's ability to protect communications systems.
Eugene Spafford, a Purdue University professor and information assurance expert, cited the risks inherent in Defense using so much commercial technology. He said that any adversary could buy such technology and that it may not be sufficiently robust to withstand attacks. Spafford also said the high number of patches required to keep commercial software ahead of attackers is "unacceptable for us to be in a high state of [military] readiness."
Panelists debated how to address the potential problem that increasing numbers of software developers lack security clearances or are foreign nationals. Scott Charney, chief security strategist at Microsoft, said the level of risk depends on the development process, not on who is doing the work. There must be quality assurance around the software code, he said.
Dacey said GAO is studying the issue.
Lentz said his office has daily contact with the Homeland Security Department entities that have longstanding close relations with Defense, such as the National Communications System and the National Infrastructure Protection Center (NIPC). Defense now is placing officials within the NIPC, he said.
Lentz said Defense and Homeland Security are discussing ways to coordinate cybersecurity research and development.
Subcommittee members asked about terrorist camps that teach computer hacking, but Lentz said he would have to answer privately. Spafford said bulletin boards and discussion lists teach cyberterrorism techniques to anyone. "We have perhaps a virtual worldwide training camp," he said.