
Information Dominance Anytime, Anywhere…

Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I)

Statement A: Approved for public release; distribution is unlimited

PMW 130 Overview for NDIA

11 May 2011

Kevin McNally
Program Manager, PMW 130
858-537-0682
Kevin.mcnally@navy.mil

Why Cyber Matters?

• Over 2.08 billion Internet users (420M in China) – UN International Telecommunication Union (ITU)
• DOD makes 1 billion+ Internet connections daily, passing 40TBs of data – RADM Edward H. Deets, III
• DOD Networks scanned and probed 6M times/day – USCYBERCOM
• Several years ago, zero countries armed for cyber warfare, today 20+ countries – Dr. Eric Cole, McAfee
• Stuxnet – Most advanced Cyber Weapon ever seen – CEO McAfee

“The next battle is in the information domain, and the first shots have already been fired.”- Admiral Gary Roughead, CNO

"If the nation went to war today in a cyber war, we would lose.” - Admiral Mike McConnell (retired), 23 Feb 2010

McAfee Threat Summary

New stats:
• 20 million new malware samples in 2010
• ~55,000 new malware samples/day (new record)
• Growth in sites hosting malware
• Number of new mobile malware samples in 2010 increased by 46 percent over 2009

Source: McAfee Threats Report Q4 2010

Malware growth since Jan 09 (chart)

Adobe products still the top target

Symantec: Expansion of Tool Kits (chart)

61% of threat activity on malicious websites is toolkit specific

Source: Symantec Intelligence Quarterly (April-June 2010)

ZeuS, aka Zbot: Adaptable Trojan for sale

• Cost on the black market
  • The private version is $3-4K
  • VNC private module is $10K
• ZeuS author earned $15M in commissions from license rights
• Infects PCs by simply visiting an infected Web site
• Oct 2010: over 30 individuals were arrested for ZeuS-based attacks against U.S. and U.K. bank account holders
• Dec 2010: spoof email from “White House” to UK Government
• U.K. officials suggest the cyber attack originated from China

TOOLKIT TO BUILD YOUR OWN TROJAN HORSE

77% of infected PCs have up-to-date anti-virus software

Can you tell the difference?


Is our supply chain safe?

January 2008: a joint task force seized $78M of counterfeit Cisco networking hardware. Source: Defense Tech

May 2010: Counterfeit Cisco Network Gear Traced to China, Not Surprisingly. Source: Security Magazine

April 2009: Chinese spies may have put chips in U.S. planes. Source: The Times of India

Conficker Spreading: 5 Versions in 5 Months

• 20 Nov 2008: CONFICKER.A
  • No software armoring
  • HTTP command & control
• End Dec 2008: CONFICKER B
  • Code cryptography + password cracking
  • + USB infection vector
  • + Primitive peer-to-peer comms
  • Anti-virus countermeasures
  • Software update countermeasures
• Mid Jan 2009: Conficker A and B explode; estimates range from 3-12 million machines infected
• Early Feb 2009: CONFICKER C
  • 50K domains
  • Kills security software
  • + Robust peer-to-peer comms
  • + Improved HTTP command & control
  • Malware analysis countermeasures
• Mid Feb 2009: CONFICKER B++
  • Direct update feature
• March 2009: IBM announces Asia has 45% of infections; Europe 32%; South America 14%; North America 6%
• April 2009: CONFICKER E
  • Spam
  • “Scareware”
• 50,000 PCs a day are attacked

Conficker (at the one year mark)

What about specialized weapons and aircraft?

French fighter planes grounded by computer virus - The Telegraph, 07 Feb 2009

French fighter planes were unable to take off after military computers were infected by a computer virus. Microsoft had warned that the "Conficker" virus, transmitted through Windows, was attacking computer systems in October last year.

Android Disasters

• March 1, 2011: confirmed that 58 malicious apps were uploaded to Android Market
• Rootkit granting hackers deep access
• Google initiated “remote kill” to affected devices
• Admits they can’t patch the hole causing the vulnerability
• Symantec: Android app called “Steamy Windows” was modified to SMS premium rate numbers owned by Chinese hackers

Sources:
http://techcrunch.com/2011/03/05/android-malware-rootkit-google-response/
http://www.computerworld.com/s/article/9211879/Infected_Android_app_runs_up_big_texting_bills

SCADA: Supervisory Control And Data Acquisition

• Infrastructure processes include:
  • Water treatment & distribution
  • Wastewater collection & treatment
  • Oil & gas pipelines
  • Wind farms
  • Civil Defense siren systems
  • Large communication systems
  • Electrical power transmission & distribution
• Shumukh Al-Islam Network call to Mujahadin Brigades to “strike the soft underbelly…”
• “…strikes…simultaneous”; “…spread hysterical horror…”

OSC Web monitoring report found an article dated 18 December 2010 on Shumukh Al-Islam Network titled “Launch SCADA Missiles” urging an attack.

Social Networking Event

Robin Sage
• Purportedly Cyber Threat Analyst for the Naval Network Warfare Command
• Impressive resume at 24, high-level security clearances
• 10 years' experience in the cybersecurity field

• Friends list included people working for the nation's most senior military officer, the chairman of the Joint Chiefs of Staff, NRO, a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors

• Job offers from industry

“One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location”
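The soldier's photograph is a case of location data carried inside the file itself: a JPEG's Exif APP1 segment can hold a GPSInfo sub-IFD with the latitude and longitude recorded by the camera. The script below is an added example, not material from the PMW 130 briefing, showing what a pre-release check for such data looks like with only the Python standard library: it walks the JPEG marker segments, reports any GPS coordinate it finds, and returns a copy of the file with the Exif segment removed. The sample JPEG, its JFIF segment and the coordinate it carries are constructed in-line and are hypothetical.

```python
"""Find and strip Exif GPS location metadata from a JPEG (pure standard library).

Added example, not part of the PMW 130 briefing. The sample JPEG and its
coordinate below are constructed in-line and hypothetical.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825      # IFD0 entry that points at the GPS sub-IFD
TAG_GPS_LAT_REF, TAG_GPS_LAT, TAG_GPS_LON_REF, TAG_GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field type -> bytes


def iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment up to SOS (0xDA)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: entropy-coded image data follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def entry_bytes(tiff, entry, endian):
    """Resolve an IFD entry to its data: inline if it fits in 4 bytes, else at the stored offset."""
    typ, n, raw = entry
    size = TYPE_SIZES[typ] * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(endian + "I", raw)
    return tiff[off:off + size]


def dms_to_degrees(data, endian):
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    d, m, s = (num / den for num, den in struct.iter_unpack(endian + "II", data))
    return d + m / 60 + s / 3600


def find_gps(jpeg):
    """Return (lat, lon) in decimal degrees if an Exif GPS coordinate is present, else None."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = read_ifd(tiff, ifd0_off, endian)
        if TAG_GPS_IFD not in ifd0:
            continue
        (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])
        gps = read_ifd(tiff, gps_off, endian)
        if TAG_GPS_LAT not in gps or TAG_GPS_LON not in gps:
            continue
        lat = dms_to_degrees(entry_bytes(tiff, gps[TAG_GPS_LAT], endian), endian)
        lon = dms_to_degrees(entry_bytes(tiff, gps[TAG_GPS_LON], endian), endian)
        if TAG_GPS_LAT_REF in gps and entry_bytes(tiff, gps[TAG_GPS_LAT_REF], endian).startswith(b"S"):
            lat = -lat
        if TAG_GPS_LON_REF in gps and entry_bytes(tiff, gps[TAG_GPS_LON_REF], endian).startswith(b"W"):
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed; image data is untouched."""
    drop = [(s, e) for m, p, s, e in iter_segments(jpeg) if m == 0xE1 and p.startswith(EXIF_HEADER)]
    out = bytearray(jpeg)
    for s, e in reversed(drop):  # delete from the back so earlier offsets stay valid
        del out[s:e]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian Exif JPEG carrying GPS tags (test data, not a real photo)."""
    le = "<"
    ifd0_off = 8                         # TIFF header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4      # IFD0: count + 1 entry + next-IFD pointer
    data_off = gps_off + 2 + 4 * 12 + 4  # GPS IFD: count + 4 entries + next-IFD pointer

    def entry(tag, typ, n, raw4):
        return struct.pack(le + "HHI", tag, typ, n) + raw4

    tiff = b"II" + struct.pack(le + "HI", 42, ifd0_off)
    tiff += struct.pack(le + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(le + "I", gps_off))
    tiff += struct.pack(le + "I", 0)
    tiff += struct.pack(le + "H", 4)
    tiff += entry(TAG_GPS_LAT_REF, 2, 2, lat_ref.encode().ljust(4, b"\x00"))
    tiff += entry(TAG_GPS_LAT, 5, 3, struct.pack(le + "I", data_off))
    tiff += entry(TAG_GPS_LON_REF, 2, 2, lon_ref.encode().ljust(4, b"\x00"))
    tiff += entry(TAG_GPS_LON, 5, 3, struct.pack(le + "I", data_off + 24))
    tiff += struct.pack(le + "I", 0)
    for d, m, s in (lat_dms, lon_dms):  # each RATIONAL is numerator/denominator
        tiff += struct.pack(le + "IIIIII", d, 1, m, 1, s * 100, 100)
    app1 = EXIF_HEADER + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\xff\xd9")  # stub scan + EOI


# Hypothetical coordinate 34 deg 30' N, 117 deg 15' W (constructed, not a real location)
SAMPLE_JPEG = build_sample_jpeg((34, 30, 0), "N", (117, 15, 0), "W")

if __name__ == "__main__":
    print("before:", find_gps(SAMPLE_JPEG))               # (34.5, -117.25)
    print("after: ", find_gps(strip_exif(SAMPLE_JPEG)))  # None
```

Stripping the whole APP1 segment rather than editing individual GPS tags is the safer choice for a release check: it also removes camera serial numbers, timestamps and thumbnails that may reveal the same thing, and it leaves the entropy-coded image data untouched, so the picture itself is unchanged.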


Information Assurance & Cyber Security (PMW 130)

• Computer Network Defense (CND) – ACAT IVT
• EKMS/KMI - Component of NSA – ACAT IAM
• PKI - Component of DISA – ACAT IAM
• Cryptography (modernization; legacy)
  • Navy, USMC, USCG, MSC
• Radiant Mercury (RM)
  • Cross Domain Solution
• Tactical Key Loader (TKL)
  • USMC and SPECOPS
• Information Assurance (IA) Services

PMW 130 collaborates with FLTCYBERCOM, 10th Fleet, NCF, NNWC, and NCDOC

C4I Networks Today: Defense In Depth

Views: Enterprise, Regional, Platform

LAN Defenses
• Host Protection (HIDS, Firewall, anti-virus, baselining)
• Vulnerability Scanning
• Vulnerability Patch Remediation
• Network Intrusion Detection

WAN Defenses
• Boundary Defense (firewalls)
• Enclave Protection (IPS/IDS)
• Data Correlation
• Virus Protection

Enterprise Management
• Prometheus – Advanced Data Correlation
• Governance
• Situational Awareness: CND-COP
• CND C2
• Coordinated Response Actions

Navy Computer Network Defense Centers
Network Operations Service Centers
Mission Operations

Navy Computer Network Defense High-Level Operational View (diagram)

Cyber Defense and the Navy: What Lies Ahead

• Identifying network anomalies & behaviors
• Moving from reactive to predictive
• Advanced Persistent Threat
• Insider Threat/Data loss prevention
• Advanced spear phishing
• Web security, Social Networks
• Web enabled application security
• Correlation and Analysis of sensor data
• Cloud Security
• Wireless/handheld device security
• Cyber Situation Awareness

Future Collaboration

• Collaboration is vital to our future
• Welcome collaboration across government, commercial, academia and other stakeholders
• PMW 130 Government/Industry Exchange
  • An opportunity for industry to present products they feel may be of interest to PMW 130
  • Attendees include PMW 130 senior leadership, SPAWAR and PEO C4I invitees, and other PMW 130 personnel (Assistant Program Managers, engineers, etc.)
  • Held once a month
  • 50 minutes, including Q&A
  • Please contact Carol Cooper at Cooper_carolyn@bah.com

We get IT. We also integrate it, install it and support it. For today and tomorrow.

Visit us at www.peoc4i.navy.mil
