SANS ISC: US Department of Defense and National Policy - SANS Internet Storm Center, SANS ISC InfoSec Forums
US Department of Defense and National Policy

A recent article released by the US Department of Defense (DoD) spoke of the worst compromise in DoD history, facilitated by what was said to be the unauthorized use of a USB drive. As a result of this incident, the US government has seen fit to step up the DoD's involvement, working with the US Department of Homeland Security (DHS), in an effort to protect critical national infrastructure. The full article (requires registration) by William J. Lynn, Undersecretary of Defense, speaks of the DoD and its experiences, which he argues make it uniquely qualified for cyberdefense. "Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same," he wrote. "In the long run, hackers' systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy."

The announcement by the DoD that within the last 24 months it had suffered its worst compromise in history would seem embarrassing; to announce in the same week that it will become more involved in the protection of national critical infrastructure is disconcerting. The DoD is the US arm for defense of national interests; however, I do not believe that makes the DoD the best agency for this role.

I welcome your comments,

tony . carothers at   gmail dot com


150 Posts, ISC Handler, Sep 5th 2010
According to this was a worm called agent.btz that spread by dropping an Autorun.inf and a DLL on removable USB drives.

From "Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives". They're referring to the NoDriveTypeAutoRun registry value, which affects autorun behavior, and defaulted to 0x95 prior to XP SP2, and defaults to 0x95 in XP SP2 and XP SP3.

From "In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs."

Fact: on XP SP3, fully patched, manual action (registry modification or policy) is required to prevent Autorun.inf from being executed on USB drives such as memory sticks, smartphones, picture frames etc.

Perhaps an operating system primarily targeting "user experience" (which I fail to recognize in this case) shouldn't be used when "Cyberattacks" may take place?

Erik van Straten, 129 Posts
Oops, typo: NoDriveTypeAutoRun defaults to 0x91 in XP SP2 and XP SP3. Sorry!

Erik van Straten, 129 Posts
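The two comments above describe NoDriveTypeAutoRun as a bitmask and its 0x95 versus 0x91 defaults without spelling out what the bits mean. The following PowerShell script is an added example (not part of the original thread) that reads the value from both policy locations and decodes it per drive type, so an administrator can see at a glance whether Autorun.inf is still honored on removable media; bit n of the mask corresponds to GetDriveType() value n, the registry paths are the documented Explorer policy keys, and treating HKLM as overriding HKCU when both are set is an assumption stated in the comments.

```powershell
# Added example: decode the NoDriveTypeAutoRun bitmask. A set bit DISABLES
# AutoRun for that drive type; bit n matches GetDriveType() value n.
$driveTypes = @{
    0x01 = 'Unknown'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB sticks, memory cards, picture frames)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Reserved'
}

function Get-AutoRunStatus {
    param([int]$Mask)
    foreach ($bit in ($driveTypes.Keys | Sort-Object)) {
        [pscustomobject]@{
            DriveType = $driveTypes[$bit]
            AutoRun   = if ($Mask -band $bit) { 'disabled' } else { 'ENABLED' }
        }
    }
}

# Policy locations checked in precedence order (assumption: HKLM wins over HKCU).
$paths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($p in $paths) {
    $val = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $val) {
        # Not set: the OS default applies (0x91 on XP SP2/SP3 per the comment above).
        "$p : NoDriveTypeAutoRun not set, assuming OS default 0x91"
        $val = 0x91
    } else {
        "$p : NoDriveTypeAutoRun = 0x{0:X2}" -f $val
    }
    Get-AutoRunStatus -Mask $val | Format-Table -AutoSize
}

# Hardening (the "manual action" the comment refers to): 0xFF clears AutoRun for
# every drive type. Uncomment to apply; writing HKLM requires administrator rights.
# Set-ItemProperty -Path $paths[0] -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
```

Running Get-AutoRunStatus -Mask 0x95 shows "Removable" as disabled while 0x91 shows it as ENABLED, which is exactly the difference the correction above points out.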
The biggest historical threats to the USA have been internal ones; perhaps the Civil War between the Yankees and the Confederates is the best example. I believe it to be the same again with "Critical National Infrastructure"; for example, when power tripped out a few years ago on the Eastern Seaboard, it turned out to be an overloaded circuit in the MidWest somewhere ... not an external attack, at all.

And I don't believe in US Universities and US Businesses having an 'edge'. Education ... and businesses ... are global nowadays, and IBM, Microsoft, and many others develop and market around the planet. Exploit talent wherever you find it.

I pledge allegiance to the Flag, and to the Republic for which it Stands.

God Save the Queen.

Take your choice, either suits me, but I think that William J. should look a bit more globally. It isn't just the good ol' USA at the moment.

Erik van Straten, 9 Posts

So which government agency do you feel is better able to address cyber security?

Erik van Straten, 5 Posts

None. Set up a new dedicated agency instead for cyber security that merges elements of NSA, DHS together as a bridge between the two.

A hand-shake agency... so both work together on cyber security.
The answer is "None". Look, the FAA isn't doing their job, the FDA isn't doing its job, the INS is obviously not doing its job either. What is there to make anyone think any new agency is going to do the job?

25 Posts
Because if you fuse all the elements of the different agencies together, and create a national cyber security fusion agency, then I feel it's going to be more effective than having one department holding the key to the kingdom. There should be no power grab from one particular agency. We need all the agencies with a vested interest in cyber security to come together, take their best staff and fuse them into a bridge agency, so all parties can work together, share information and pool the best human resources under one umbrella. It wouldn't be a "new" agency per se; it would merge the current talents of multiple agencies to form the agency. You wouldn't hire new guys, you would take your best from each current agency and use them for the fusion agency.

I would imagine the new Cyber Command will perform most of those functions.

I thought U.S. Cyber Command was a strictly *offensive* command and is in no way involved with *defensive* capability.
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks

The primary function of the U.S. Cyber Command is to protect the Pentagon.

My understanding is they will be mainly defense.

The problem with a fusion agency is precisely the problem with DHS. In 2004, 108 congressional committees had oversight of DHS, simply because it had taken components of other agencies (mandated by statute to exist) and put them in one place. Such a fusion agency in this case would have extraordinary forces pulling at it politically in terms of oversight, as well as divides within the agency as seen within DHS.

Having worked in network security within DoD and within a civilian agency, I would say DoD would be best suited to handle this. DoD is very draconian and they will set, enforce, and manage the policies centrally.

When I worked within DoD, when we detected violations or attacks we had ports shut down and accounts locked out in 5-10 minutes. When I worked within the civilian agencies we would send a report to a local field office, and the normal M.O. was to call us back about 60 days later to ask if the activity was still going on. Civilian agencies are resistant to change and will do all they can to resist something they did not ask for or want. DoD flat out does not give its members a choice.

Anthony S., 2 Posts
Certainly whoever takes this on has to set effective policy and actually enforce it... unfortunately, government doesn't do anything very well, so I agree that it should probably be one of the military orgs that handles this.

29 Posts