Thursday, November 17, 2005

FCW Reports DoD to Hold Security Stand-Down

I read that DoD plans to hold a security stand-down on 29 November "to focus on information assurance and network security." Apparently United States Strategic Command, one of nine Unified Commands, issued the order. The news came from Air Force Lt. Gen. Charlie Croom, director of the Defense Information Systems Agency and commander of the Joint Task Force - Global Network Operations (JTF-GNO).

FCW says "some DOD officials are concerned about the amount of hardware and software manufactured overseas and whether they might incorporate malicious code. [Croom] said one way to fight the problem is to require companies to assure DOD that their products are safe and for the military to monitor them closely." (emphasis added)

I like the fact Lt Gen Croom understands the importance of monitoring.

A separate article conveys this story, indicating Lt Gen Croom is a fair guy:

"The first time Croom showed up for a meeting at DISA, someone announced his presence and everyone in the room snapped to attention, as they did with previous DISA commanders, a headquarters employee said.

Croom told everyone at the meeting that that was the first and last time anyone was to announce him and have everyone stand at attention."

That's amazing. I have seen commanders institute similar policies on operations floors, but generally you're expected to stand when the commander enters a meeting room.

The FCW article did not say much about what constitutes a network "stand-down," other than "changing passwords" and "conduct[ing] certain activities to strengthen and become more aware of network security." Can anyone elaborate on this? A department-wide password change sounds like an immense incident response action. I believe we instituted a similar action once when I was still in uniform.

Typically stand-downs are held in the flying community when an aircraft crashes due to a mechanical problem. The rest of the community wants to verify that their aircraft are not also afflicted. I believe the Titan Rain intrusions may be the "crash" that prompted this stand-down. FCW reports "Croom said DOD networks are being intruded on. 'The enemy is among us,' he said."


Anonymous said...

Just being a PITA, but it reinforces stereotypes of military thinking when you have nine "unified" commands... :) I'm going to have my own definition of "balanced" and see if my bank goes for it re: my checking account.

Anonymous said...

Because I value my job, I will remain anonymous. It is not breaking news DoD networks are being intruded upon. Why? Well the real question is where do you start? Part of the problem is because our tax dollars are paying for a bunch of incompetent DoD Civilians who are drawing a descent income on top of their military retirement. The problem is all these people ARE retired and incompetent in execution of their sworn duties. Many of these people are in command decision making positions for DoD IA programs. And even if they are compentent, the civilians under them are not. And it is common knowledge you can't just fire a government civilian without substantial just cause and alot of paperwork.

The second problem is with standardization. The Air Force has their approved products list, the Army has theirs, the Navy and Marine Corps have their own, NSA has its own, etc, etc. Everyone wants to have the freedom to choose their own products and methods and they consider it a slap in the face if you consult on the possibility of just doing it the way another service or agency does it. To much pride and not enough common sense here. What should happen is DISA maintain "THE" standard for everyone since they own the backbone which interconnects all the NIPR and SIPR. They must direct everyone to either use the hardware in DISA approved lists all the way down to unit level or you don't get connectivity.

Third, lack of proper training and continuity. As you and I know Richard from being in the Air Force, military members come and go every 2-4 years. On average, about 75% of the knowledge is passed on to the inbound personnel. Many people in the communications career field should be loading bombs or handing out jock straps at the gym. Couple this incompetency and constant revolving door with the DoD Civilian problem I mentioned earlier, and you are left with a hand full of contractors who must remain competent if they want to keep their job.

The DoD considers the NIPR network to be compromised and forbids storage of any sensitive information on it. I wonder how many documents on the NIPR have personal info like SSNs and are stored on public drives.

As a contractor on the inside I see the BS everyday. But, I can only consult. The problem is so big and high level it would take years to correct. There is always red tape to deal with on every issue and beauracracy. It is a scarey situation and a ticking timebomb. Our weakest link is our dependence on network communications because we fail to protect it.

One day some co-workers and I were debating on how to handle a unit who failed to maintain IAVA compliance. I said to just unplug them from the network until they comply. A GG-14 civilian chimed in and said how are you going to explain it to the commander of that AOR? I said what do you mean? They went on to say how you can just unplug an entire unit, garrison, division, wing, or whatever, and how you can't treat a high level officer that way. I said well if he understands the fact that the enemy will know everything about him, his units, manueuvers, logistics, and the explicit email he sent to his wife the night before he will understand real fast won't he? Commanders don't see the broad picture, they are only concerned with mission accomplishment and blowing stuff up. They don't understand, yet, the enemy can and will know everything we are going to do and capabilities if we don't secure our networks. Most importantly, commanders must recognize the consequences if they don't comply with standards set forth and those standards are in place to protect them and their assets.

Famous last words- "But I didn't know it was a TS/SCI document!"

Richard Bejtlich said...

Anonymous, thanks for your insights.

I have two small comments.

When I worked at the AFCERT, we used to interface with the MARCERT (Marine Corps CERT). At that time (pre-2001) they provided centralized connectivity for all MC assets. If a MC base did not comply with an IAVA or other order, the MARCERT had authority to remove the offending MCB from the network until they were compliant. I do not know if that is the case today.

Second, one of the AFCERT contractors I worked with had been a red team comm guy when he was still in uniform. He used to red team against the hot shots at Nellis. He said his group was extremely effective because the flyers did not implement the security protocols they should have. My friend had friendly planes taking false orders (injected by the red team) and so on. Rather than address these vulnerabilities, the Nellis management ended the red teaming, despite the fact that the Russians would do far worse!

Nothing changes until people die. Even then, sometimes not.

John Ward said...

Hmmm sounds a lot like what happened to Red Cell... At least your friend didn't get court martialed.

Anonymous said...


Check this out -

I wonder if NMCI gets to do the portion of "One step will involve changing passwords" again?? (I'm using Croom's words here specifically.)

I like the other person am not going to ID myself or name names. We're knee deep in this thing. The big problem is that the directives were generic and all parts of DoD were asking the same questions of JTF-GNO on clarification of what their intent was - are we reading your tea leaves correctly?!?!

The other person's frustration - I feel your pain, let me try to further explain it.

The big thing is that some organizations have mission critical operations and they have non-IAVA compliant machines (unpatched) on their networks, BUT disconnecting them from the network will result in something that is essential to military operations not being done or available. People use that "excuse" as their trump card - "You can't disconnect me, I have these operational impacts....."

Problem is that no one has been cut-off or restricted to just what they need (getting a Program Manager of a major DoD system to articulate what ports, protocols, services [PPS] they actually use is nearly impossible) in order to feel some pain. I know the Marines are pretty strict and centrally managed, but the other end of the spectrum always exists. Imagine an organzation looses the ability to surf outbound http beyond the NIPRNET, wait they need,,, etc, etc for intel, IMPAC purchasing, etc., and of course for morale purposes.

The part that I hate is the on past issues similar to this we have GOs at public conferences discussing things that aren't classified but need to be kept away from the press even though unclassified. Yes, the intruders probably are aware of the Network Security Stand Down and have probably read the FOUO messages with details, but now you and the rest of the world know. You'll ask questions, post stuff to your blog, elicit comments, and here we are. Go back and take a look recent Army DOIM conferences, AFCEA shows, etc and you'll see what I mean. and are a treasure trove. You commented awhile back on the Titan Rain articles in the Post and

Other GOs don't answer questions on what happens during aircraft stand downs beyond the "we don't fly and focus on safety issues" - DoD needs to use the standard "We don't discuss current military operations or TTPs used to conduct them." in order to keep the other sides from adapting their TTPs.

Bottomline, DoD is engaged in 3 major theaters of operations - Iraq, Afghanistan, and Internet/NIPRNET. The problem is that the third doesn't have physical confines and the enemy is everyone form a script kiddies to a nation state.

There needs to be a public execution so to say and they need to become the poster child. But no one is going to have their career ruined because of some computer wasn't configured properly. I'm not talking about punish some poor E-4 sysadmin, it needs to be in the officer ranks at the 0-5 level or higher. Better yet they need to hold DAA (Designated Approval Authorities) responsible for the risk they sign off on - wait that is a whole different story. Most DAAs don't have clue what they're signing (don't really ask any questions either!).

Yeah, OK - I've already said too much. [Nothing in this text is even at the FOUO level!]

Anonymous said...

As another anon contractor, all I can say is that it depends on your command. If the Comm folks have good troops and good Civilians,it can be very productive. It helps to have some very smart Sys Admins and willing military personnel. DoD has just published DOD 8570.1M which finally has some standards for Civ and Military. At least we're going in the right direction.

Anonymous said...

OK, I was the person who made the comment about the NMCI link and Croom talking about this, since many are stating what type of employee they are, well, I felt compelled to defend those of us that are Government employees many in the GG series and the GS series. We're not all a bunch of non-knowing feet on the desk newspaper reading and doing 1 hour of work in a 8 hour work day types. I've gone to SANS and done the practical, got numerous Cisco certs at the Professional level, been using WinNT since 1992, actually have a copy of Windows 1.0, built my first PC as a Heathkit - as a GS-14 I don't have much stick time at the office, but I keep up with technology and "play" at home.

I've had contractors that had all kinds work experience but couldn't write a coherent paragraph using proper English - don't even get me started on how much that ANC 8a company was charging the Govt and those employees made 25% more money than I did.

Greetz to all the folks on the 2nd & 3rd floor in building 817 across the street from John's Best!

Anonymous said...

Well said in the previous posts. Official details haven't made it down to me yet so I don't really have anything to add.

MARCERT still has the authority to disconnect networks/nodes with non-compliant systems. Doesn't happen in my shop because we're pretty proactive with that kind of stuff but it does happen. They don't mess around.

Looking forward to seeing what NMCI is really going to do on this.

jacko492 said...
This comment has been removed by a blog administrator.