Page 20 - FCW, February 2016

Intelligence
The computer scientist in charge
IAD is led by computer scientist Curt Dukes. During a recent conversation in his office on the sprawling grounds of Fort Meade, Dukes described the daunting challenge his 3,000-person directorate has in training DOD’s future cybersecurity professionals and cleaning up major public- and private-sector hacks.
After the large-scale breach of Office of Personnel Management systems that exposed personal data on some 22 million people, Dukes said IAD provided eight to 10 specialists at any given time to help with forensics.
IAD staff also analyzed the hack of Sony Pictures Entertainment in November 2014, though Dukes said they were not actually on the film studio’s network. And IAD has recently instructed DOD and other federal agencies to swiftly patch the dangerous backdoor discovered in Juniper Networks firewalls, he added.
IAD analysts have been summoned for help in every big hack in the past 18 months, Dukes said, with varying degrees of involvement in the response. If that trend holds, “we will continue to have resource pressures from that.”
To conserve resources, IAD has sought to “train the trainers.” The directorate’s employees — about 80 percent of whom come from fields such as computer science, math and engineering — train Cyber Command personnel and bring those trainees up to what Dukes said is the “NSA standard for cyber defense.” Once the students have met that standard, Cyber Command does its own in-house training.
IAD trained a Cyber Command team that deployed to a U.S. military facility to analyze vulnerabilities in supervisory control and data acquisition systems there in response to growing concerns about vulnerabilities, according to Dukes.
For nearly a decade, he said, IAD has been focused on weaknesses in industrial control systems (ICS) such as the SCADA systems that underpin the power grid. In the past year or so, U.S. officials’ concerns about those vulnerabilities have become more apparent.
In testimony to Congress in November 2014, Rogers predicted that a nation-state or rogue group would likely launch a major cyberattack on U.S. critical infrastructure networks before 2025. At the time, he said nation-states and other actors had done reconnaissance on U.S. critical infrastructure networks in preparation for a potential hack of control systems. That fear came to the fore recently when it was revealed that Iranian hackers had infiltrated a New York dam’s control system.
Given that a control system can stay in the field for years and develop vulnerabilities as it is outpaced by newer, more secure systems, Dukes said his specialists develop “wrappers,” or layers of encryption, that can be overlaid on ICS command and control links. But it would save IAD significant time and money if IT vendors built such security controls into their products from the start.
“It never scales for us to constantly have to go out and send cyber defense forces to actually do assessments,” Dukes said.
Jekyll and Hyde
NSA, of course, wants to exploit ICS weaknesses in other countries, and the agency’s Jekyll and Hyde approach to software vulnerabilities is on display in what is known as the Vulnerabilities Equities Process. Officials use the interagency tool to decide which discovered vulnerabilities to disclose to the private sector and which to hoard for exploitation by NSA or Cyber Command.
Historically, NSA has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a recent