Some of the underlying attributes that are mandated by DoD, government and federal agencies for network communications and computer gear, are the result of mandated standards for open source, open architectures, and COTS in the acquisition cycle. Goals include reduced costs and improved interoperability for software and hardware that is developed and manufactured by high-tech corporations whose critical mass of operations and research is significantly concentrated in countries from which cyber exploits not-so-coincidentally originate.

If the variables of cost, cycle-time, interoperability, and forward and backward compatibility are some of the factors that are forcing the U.S. to select technologies that are built upon open source, open architectures, and COTS, might it be probable that such factors similarly reduce the barrier-to-entry for the bad guys to conduct rapid prototyping of potent cyber-threats that possess a high probability to compromise U.S. national interests, or at least keep pace with U.S. developed preemptive capabilities?

It may be probable that some of the forces that are vectoring U.S. cyber-preemption capabilities toward open source, open architectures and COTS technologies, are increasing the potency for exploits/cyber-threats toward U.S. interests. America’s adversaries may know our technology as well as we do, and maybe more. Sourcing policy forces commercially available products and subject-matter-expertise, upon which we are dependent for IT and network technologies, to many times originate outside of the U.S., thus further exposing the U.S. to the potential of logic bombs, self-modifying code, and backdoors.

Is the cyber security of America’s critical infrastructure improved or eroded by migrating to a smaller set of networks? Does a larger set of networks imply heterogeneity, and does either the number of networks and/or heterogeneity translate to a greater challenge for cyber network attackers? Does a smaller set of networks imply greater homogeneity, and does that translate to increased exposure to cyber threats, especially when the underlying systems are selected based upon cost as derived from the benefits of open source, open architectures, and COTS?

Will the cyber security budget determine and possibly limit the eventual strategy developed and applied by USCYBERCOM to improve America’s cyber defenses?

If cyber threats to America’s critical infrastructure endanger national security, at what price is our national security?

Your listing of “Five Key Cyberthreats” is insufficient. The INTERNET is, from an engineering standpoint, fundamentally insecure. It was designed (and continues to operate) with protocols that do not give to security a priority.

The most critical need is for authentication because the Internet does not allow for end-to-end verification of transactions. Unless both the senders as well as the recipients of messages are authenticated there will be always the danger that anything that is received may not be what it claims to be.

Internet messages are mediated by means of software that operates computerized switches (called “routers”) while messages travel on an indeterminate path from their origin to their destination. The average number of connections to complete any transaction is nine but could be much larger when the network is congested. The Internet should be understood as a web of circuits that connect hundred thousands of traffic collectors (Internet Service Providers – ISPs). The ISPs then forward messages through millions of switches (routers) that link over five billion points of contact such as desktops, laptops, cell phones, credit card readers, burglar alarms, teller stations and radio frequency merchandise identity tags.

The insecurity of the Internet is inherent in the ways the routers communicate. The decision to send a message from one router to the next is controlled by the router software that picks one of several possible paths for passing the message in the direction of its ultimate destination. To keep track which one of the routers has the capacity to transport the traffic, every router keeps in contact with others in the neighborhood. In this way every router becomes a switch that changes every fraction of a second in how it operates.

The most dangerous corruption of the Internet originates from malicious changes to the router software. An attacker can manage to take control and change its logic so that a duplicate message (plus passwords) is routed to wherever a criminal collects intelligence.

Having control of a router is not difficult because a sophisticated attacker can install a copy of the switching software on a computer that masquerades as a legitimate router. There are many ways that a bogus machine can be inserted into the Internet, since the characteristics of the entire network are not traceable. The insertion of a fake router is often done with the collaboration from a trusted insider.

Paul

http://www.businessweek.com/globalbiz/content/jul2009/gb2009071_378545.htm

Over the last couple of years investigating network attacks it seems that covert groups have already succesfully utilized this concept of creating a “Virtual Supercomputer” to attack specific targets at will. Mainly hacking the DNS.

It is really interesting to see how they do it. The perpetrators acquire a “Hot” movie
that everyone is waiting to download and upload it before anyone else, This creates an immediate surge of downloads on the P2P network. They now have their weapon “locked and loaded” and with the expanded bandwidth can focus their attack against whatever server they want to crack.

It would seem to me that a commercial enterprise could be established to deliver
subsidized media, software etc. as a “Loss Leader” providing health care, education,
and government services for the public good utilizing a “Key Based” system.

Unless somebody fixes the Education system in the USA their will be no one with the
skills to defend against future Cyber Attacks, based on my real world experiance.
Under Secretary of Defense Gordon England expressed these same concerns in 2006
at the Pentagon.