Security News > 2008 > May > ONE BREACH IS ONE TOO MANY IN CYBER WARFARE
http://www.montereyherald.com/business/ci_9092292 By KEVIN HOWE Herald Staff Writer 04/29/2008 Cyberspace is a battleground that the U.S. military should learn to dominate, just as it has land, sea and air, says an expert with the Naval Postgraduate School's computer science department. "Destroying a computer infrastructure is like denying somebody air," said Scott Cote, senior lecturer in the school's Center for Information Security Studies and Research. Students at NPS waged a four-day battle in cyberspace that pitted them and each of the service academies . Army, Navy, Air Force, Coast Guard, Merchant Marine, and the Air Force Institute of Technology . against a team of computer hackers fielded by the National Security Agency last week. The schools could only defend, said Navy Lt. Mateo Robertaccio, a student in NPS' information systems technology and management course, who took part in the cyberbattle. "We would have liked to do offense, it's easier," he said. A defender must protect every vulnerable point of a computer system. An attacker only has to find one chink in the firewall's armor. "You can't make one mistake. It has to be perfect." Now in its eighth year, the annual cyberwar exercise is meant to give students who volunteer a chance to "get their hands dirty" while learning about the vulnerability of computer systems, Cote said. The students and instructors were required to use a variety of systems - Windows, Linux and Mac - some of which had compromising programs implanted in them that needed to be ferreted out. As the exercise progressed, the Navy school's e-mails and other systems had to remain open. "It's like having a business," Cote said. "A customer could be a burglar casing the store, or a customer. You have to be able to be open for business." They also had a budget limit for hardware and firewall software to add realism to the exercise. "You couldn't buy your way out of trouble," Cote said. He postulated a situation in which a U.S. technology team was sent to help a NATO ally that might have older equipment, legacy systems. "You couldn't just say, 'throw out all this stuff and buy new.'" "They forced us to use things that have weaknesses," Robertaccio said, "older systems." Every Navy ship, he said, has a different computer operating system, and the Navy can't replace them all. This year's cyberwar exercise drew 30 students, about half of them civilians, he said. "There's a big human element to this. A lot of it was based on making sure we had the right teams in the right subgroups." A terrorist cell doesn't have to use bombs to cause damage, Cote said. "You can attack the Pentagon and physically destroy the building, or you can attack it so its network doesn't function." Only one cyber attack from NSA got through the NPS firewall during the four days, Cote said. "We were 99.4 percent perfect, but that didn't matter. One compromise . once they get into the system . they can wreck it." The Air Force Institute appeared to be the top scorer, he said, and the undergraduate service academies didn't do as well, because its students didn't have as much background in computer science as the graduate schools. The penetration of a computer system would register on a graph in red, Cote said. "We'd call that 'bleeding.' The Naval Academy bled for days." Cote and Robertaccio compared the computer exercise to a live-fire exercise with planes, tanks or ships firing real bullets, shells and missiles. Planning for each year's event begins in October and continues through May with an after-action analysis following the actual cyberspace battle in late April. Funding the exercises is "a hard sell" in Washington, Robertaccio said, but it teaches a lot of lessons. "I hope we can do an attack next year." Meanwhile, students who took part can carry away a sense of how systems can be attacked, the damage that can be done, and the ways to guard against it. The idea is to stave off a catastrophic event resulting from a massive attack on a critical computer network. "A lot of people are waiting," Cote said, "for a cyber Pearl Harbor." _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com