The Pentagon recently asked the JASON research group to conduct a study on the theory and practice of cybersecurity, the findings of which were obtained by the Secrecy News blog. According to the report, JASON was asked to "evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied." Further:
The need to secure computational infrastructure has become significant in all areas including those of relevance to the DOD and the intelligence community. Owing to the level of interconnection and interdependency of modern computing systems, the possibility exists that critical functions can be seriously degraded by exploiting security flaws. While the level of effort expended in securing networks and computers is significant, current approaches in this area overly rely on empiricism and are viewed to have had only limited success.
The JASON report "identifies a need to accelerate the transformation of research results into tools that can be readily used by developers. There are some very sophisticated approaches (model checking, type checking etc. as discussed previously) that can be used to assess and reason about the security of current systems, but they are not widely available today in the form of developer tools. There may be an insufficient market for private development of such tools and this may argue for a more activist role on the part of DOD in supporting future development."
Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said last week that the Defense Department must spend far more money defending its networks than hackers do attacking them, a trend that has to be reversed, Inside the Navy reports this week. Further:
"The lines of code to attack any software haven't changed in the last five years, a number of them," Cartwright said during a roundtable discussion hosted by Government Executive. "What changes is, every time we get attacked, we have to spend substantially more than they invest to protect ourselves. We've got to turn that equation around."
He said the Pentagon intends to make it much more difficult to attack its networks in the future.
Cartwright noted that major military networks were "not designed to be defended," but were made to allow anyone to plug into them virtually anywhere and use them in myriad ways.
"We've got to change that construct to one that gives us a layered defense, gives us a non-homogenous surface, so to speak," the general said. "In other words, it is not the same when you go out. We like to see things like operating systems changed every few hours and be invisible. It makes it extremely difficult."