Hackers hit Pentagon; NSA struggles to keep up

A National Security Agency program to provide advanced cryptography for use by the Department of Defense and other government agencies, begun in 1999, has been delayed to at least 2012, with most of the substantive security improvements being delayed as far as 2018, according to a Baltimore Sun report Sunday.

The NSA is transitioning to a Key Management Infrastructure, begun in 1999, which when complete will use conventional and public key cryptography to provide security for electronic communications and data storage throughout the government.

With conventional cryptography, the same key used to encrypt a message also decrypts the message, so the key itself must be kept secure wherever it is to be used and when it is in transit from one place to another.

Public key cryptography, on the other hand, splits a key into two halves, one of which encrypts a message and the other of which decrypts it. Only the half that decrypts the message, called the private key, must be kept secure, while the other half, the public key, can be distributed to anyone. The holder of the private key uses it to decrypt incoming messages that were encrypted with the public key.

In addition, reversing the encryption process by using the private key to encrypt a message and the public key to decrypt the message creates a digital signature which ensures information came from the sender and was not tampered with en route. The two can be combined to create a message which is both encrypted and digitally signed.

If a private key is compromised, the compromise can be noted using a revocation, and the key can be replaced in the field with a new one. Conventional methods would require a new key to be transported from elsewhere to the location needing it, and could require many other locations to switch to new keys.
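The public key operations described above (encrypt, sign, revoke and replace) can be walked through in a short Python sketch. This is an added example, not code from the article or from the NSA program. It uses textbook RSA without padding over well-known Mersenne primes purely for illustration, and the function names, the fingerprint-based revocation set and the sample message are all assumptions.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def keypair(p, q):  # textbook RSA: (public, private) from primes p and q
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def fingerprint(public):  # short key identifier stored in the revocation set
    return hashlib.sha256(repr(public).encode()).hexdigest()[:16]

def digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message, public):          # anyone holding the public key can do this
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(ciphertext, private):      # only the private-key holder can
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message, private):            # private-key operation on the message hash
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public, revoked):
    if fingerprint(public) in revoked:  # a revoked key is never trusted
        return False
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def demo():
    old_pub, old_priv = keypair(2**61 - 1, 2**89 - 1)      # constructed toy keys
    rcpt_pub, rcpt_priv = keypair(2**521 - 1, 2**607 - 1)
    msg, revoked = b"constructed sample message", set()
    sig = sign(msg, old_priv)
    plain = decrypt(encrypt(msg, rcpt_pub), rcpt_priv)     # signed and encrypted
    ok_before = verify(plain, sig, old_pub, revoked)
    tampered = verify(plain + b"!", sig, old_pub, revoked)
    revoked.add(fingerprint(old_pub))                      # compromise is noted
    new_pub, new_priv = keypair(2**107 - 1, 2**127 - 1)    # replacement made in the field
    ok_old = verify(plain, sig, old_pub, revoked)
    ok_new = verify(plain, sign(plain, new_priv), new_pub, revoked)
    return plain, ok_before, tampered, ok_old, ok_new
```

Only the revocation entry and the new public key need to reach other parties; no secret has to be transported, which is the contrast with conventional keys drawn above.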

The initial parts of the new infrastructure, first expected to be complete in 2005, will replace DoD’s existing key management infrastructure with one that has similar capability, but unlike the current system, can be upgraded to support more advanced capabilities, according to the Sun. The deadline for completing this first phase has slipped to 2012.

The delays have raised concern in the defense and intelligence communities as hacker attacks against military computers are on the rise, having increased two hundredfold since 1996, from 800 that year to over 160,000 in 2005. And as we all know, government computer security sucks. They can’t even keep out some guy in London who’s convinced the Pentagon is hiding information on UFOs. The Sun notes a recent incident in which Chinese hackers were able to successfully capture classified information from a Joint Chiefs of Staff computer system.

An internal NSA report in April 2005 described the problem as “critical,” noting that 30 percent of the agency’s security equipment does not provide “adequate” protection; another 46 percent is approaching that status.

“Much of the existing cryptographic equipment is based on — technologies that are 20-30 years old,” said the report from the agency’s information security directorate. At the same time, it noted, technology for breaking into computer systems has improved, which “gives our adversaries enhanced capabilities.”

“Numerous states, terrorist and hackers groups, criminal syndicates, and individuals continue to pose a threat to our computer systems,” Maj. Gen. Michael D. Maples, director of the Defense Intelligence Agency, warned Congress this year. “Over the last few years, hackers have exploited thousands of [Department of Defense] systems.”

In addition to the NSA’s aging security technology, some of the tools required for encrypting data lack security protections and are vulnerable, so an infiltrator could uncover and possibly replicate the tools to access government data, according to the NSA’s December 2005 planning document. — Baltimore Sun

Hackers, especially from China and the Middle East, have been targeting U.S. government computer systems for years, and there is now concern that Iran may have a program targeting government computers.

In the meantime, the government is employing band-aid fixes to patch up its computers primarily after they’re wounded in hacker attacks. Meanwhile, government computer security still sucks governmentwide, despite a 2002 law requiring agencies to improve their information security practices.

Part of the problem might be that the DoD looks at the Internet as an enemy weapons platform. It’s no more an enemy weapons platform than a hill or a line of trees. It’s the battlespace, and their computers are out there exposed.