The New York Times reported today, “A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

The Times based its story on an article written by William J. Lynn 3d, deputy secretary of defense, writing in the journal Foreign Affairs. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote. The Times noted that Wired magazine and The Los Angeles Times had previously reported the incident.

The article, entitled “Defending a New Domain,” describes a nightmarish array of challenges facing the Pentagon for which it is apparently unprepared. The challenges themselves are familiar to data center operators who operate in a threat environment. The article contains enough passages about the nature of the threat to remind even the most cynical reader that Pentagon systems are mission critical in a way that private networks are not. What’s more, Lynn notes that U.S. networks are attractive targets: “Over the past ten years, the frequency and sophistication of intrusions into U.S. military networks have increased exponentially. Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times. And the 2008 intrusion that led to Operation Buckshot Yankee was not the only successful penetration. Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.”

The sheer size of the U.S. military network makes it vulnerable, both because of the number of attack points it presents and because its unwieldy infrastructure makes modernization nearly impossible. Lynn describes it as a system that comprises 15,000 networks and seven million computing devices across hundreds of installations in dozens of countries, and that requires more than 90,000 full-time people to maintain.

“On average,” Lynn writes, “it takes the Pentagon 81 months to make a new computer system operational after it is first funded. Taking into account the growth of computing power suggested by Moore's law, this means that by the time systems are delivered, they are already at least four generations behind the state of the art. By comparison, the iPhone was developed in 24 months. That is less time than it would take the Pentagon to prepare a budget and receive congressional approval for it.”

Not surprisingly, the private sector has a role to play, Lynn acknowledges. However, he warns, “Making use of the private sector's innovative capacity will also require dramatic improvements in the government's procedures for acquiring information technology.” Lynn notes, “Even as the U.S. government strengthens its cadre of cybersecurity professionals, it must recognize that long-term trends in human capital do not bode well. The United States has only 4.5 percent of the world's population, and over the next 20 years, many countries, including China and India, will train more highly proficient computer scientists than will the United States. The United States will lose its advantage in cyberspace if that advantage is predicated on simply amassing trained cybersecurity professionals. The U.S. government, therefore, must confront the cyberdefense challenge as it confronts other military challenges: with a focus not on numbers but on superior technology and productivity. High-speed sensors, advanced analytics, and automated systems will be needed to buttress the trained cybersecurity professionals in the U.S. military. And such tools will be available only if the U.S. commercial information technology sector remains the world's leader -- something that will require continuing investments in science, technology, and education at all levels.”

I would add that warnings sounded by Peter Curtis and Andrew Lane in Mission Critical and joined by other industry voices about the lack of trained professionals in the data center industry should be added to Lynn’s list of vulnerabilities. These professionals will be needed to ward off infrastructure attacks and implement automation and monitoring solutions, just as software experts will be needed to address software vulnerabilities, and good policies will be needed to prevent further laptop exploits.