OSD CIO: Network configuration, scanning softened cyberattack blow

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!


Published on March 6, 2008


Click here to comment on this article

Related story links

DOD continues offensive for cyberwarfare authority

DOD asks contractors to protect unclassified data

OMB: Security incidents jumped in 2007


You might also be interested in these FCW newsletters:


To learn more, click here.

ORLANDO, Fla. - Dennis Clem, chief information officer at the Pentagon
and the Office of the Secretary of Defense, didn't think his network
was as vulnerable to attack as it was.

But last June, malicious code hit part of his network. To isolate the
intrusion, he shut down part of the network of the Office of the
Secretary of Defense, which affected 1,500 users.

"They used every tool they could against us," he said March 4 at the
Information Processing Interagency Conference. Although Clem did not
identify the source of the code, public reports later identified it as
most likely coming from the Chinese government.

It was a judgment call on Clem's part to block only part of the
network that handles the e-mail system. He had staff advising him to
shut down the whole network.

"It was a huge gamble," he said, adding that the security operations
center had in place an effective scanning tool which supported his
view that the intrusion had not yet spread throughout the network. But
his next step would have been to shut down all of the office's
network, Clem said.

The hackers took advantage of a known Microsoft software vulnerability
and sent spoof e-mail messages with the names of staff in Clem's
division. When the messages were opened, the code sent back the user
names and passwords, which allowed access to the network. In follow-up
forensics, Clem discovered that the hackers accessed sensitive
information, which they encrypted as they transmitted it back to their

In total, it took three weeks and $4 million to recover from the
incident, he said.

The Pentagon experiences 70,000 illegal-entry attempts daily from
small, innocuous probes to full-blown attack attempts, Clem said.
Hackers know within minutes when a new server or software is deployed
in the Pentagon, and they attempt to intrude. They have stolen lots of
information from the Defense Department, he said.

"We don't know how our adversaries will use the information," Clem
said. "It can be as dangerous as a weapon and used later it may cost
someone's life."

It was crucial that he understood his network configuration, he said.
He had been in the process of consolidating 14 networks into one
enterprise network, and he had to know what was on them, he said.

"If you don't know what's on your network, you can't protect it," he

Besides disconnecting part of the network, Clem took some actions that
mitigated the damage. He proceeded systematically through the
processes and procedures. He used a utility to check user
identifications and required the regular use of smart cards, which
have two-factor authentication. He implemented digital signatures to
protect against spoof e-mail. He recorded all his activities and
communications during the response period.

Information technologysecurity has to be comprehensive to be
effective. "You have to close every possible door that can be opened,"
Clem said, but cautioned, "Even the best intrusion detection program
can't stop all of them."

Site Timeline