When it comes to cyber attacks, the odds are against us. The head cyber protection guy at the National Security Agency, Richard Schaeffer, told the Senate Judiciary subcommittee that about 80 percent of attacks on our networks can be prevented.
That is "unacceptable," Sen. Ben Cardin, subcommittee chairman, told Schaeffer and the other government officials testifying before him. "We would never ponder a defense budget that is dependent on an 80 percent success rate."
A top expert on cyber war and protection who advises Strategic Command on such issues, Kevin Coleman, said the NSA estimate is probably on target. "Bottom line here is I think the NSA is being very forthright in the numbers. They very seldom give those numbers out," he said, adding that a large percentage of the vulnerabilities probably reside on the commercial side of the network equation. His numbers were sobering.
To start with, recent estimates are that "60 to 70 percent of firewalls are misconfigured. If we would fix that that would be a huge benefit," Coleman said.
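As an added illustration of the kind of misconfiguration that figure refers to, here is a small Python lint for an iptables-save style ruleset. This is example code, not part of the original article or of Coleman's research; the two rulesets, the admin-port list and the checks are constructed for the example. It flags a default-ACCEPT policy on the inbound chains, an unconditional accept rule, administrative ports reachable from any source, and rules that sit behind a blanket accept and can never match, and shows the same host with those settings corrected.

```python
"""Lint an iptables-save style ruleset for common misconfigurations.

Added example, not from the article. The rulesets below are constructed
for illustration and the checks are a small, opinionated subset of what a
real firewall review would cover.
"""
import re

# Constructed sample: a host whose filter table has the usual mistakes.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

# The same host with the weak settings corrected: default deny inbound,
# SSH only from an internal range, no blanket accept, nothing shadowed.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Ports that should never be open to the whole Internet (assumed list).
ADMIN_PORTS = {"22", "23", "3389", "5900"}

# iptables flags we care about, mapped to the keys used in a parsed rule.
FLAG_KEYS = {"-j": "target", "-s": "src", "--dport": "dport",
             "-i": "iface", "--state": "state"}


def parse_rules(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^:(\w+) (ACCEPT|DROP|REJECT)", line)
        if m:                       # chain default policy, e.g. ':INPUT ACCEPT [0:0]'
            policies[m.group(1)] = m.group(2)
            continue
        if line.startswith("-A "):  # an appended rule
            tokens = line.split()
            rule = {"chain": tokens[1], "raw": line,
                    "target": None, "src": None, "dport": None,
                    "iface": None, "state": None}
            for i, tok in enumerate(tokens[:-1]):
                if tok in FLAG_KEYS:
                    rule[FLAG_KEYS[tok]] = tokens[i + 1]
            rules.append(rule)
    return policies, rules


def lint(text):
    """Return a list of human-readable findings for a ruleset (empty if clean)."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"default policy for {chain} is ACCEPT")
    blanket_seen = False
    for r in rules:
        if r["chain"] != "INPUT":
            continue
        # An ACCEPT with no interface, source, port or state match takes everything.
        is_blanket = (r["target"] == "ACCEPT" and
                      not any(r[k] for k in ("src", "dport", "iface", "state")))
        if blanket_seen:
            findings.append(f"shadowed rule (never reached): {r['raw']}")
        elif is_blanket:
            findings.append(f"unconditional ACCEPT: {r['raw']}")
            blanket_seen = True
        elif (r["target"] == "ACCEPT" and r["dport"] in ADMIN_PORTS
              and r["src"] in (None, "0.0.0.0/0")):
            findings.append(f"admin port {r['dport']} open to any source: {r['raw']}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        results = lint(ruleset)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the weak ruleset it reports six findings; against the hardened one it reports none. The ordering check matters as much as the policy check: iptables evaluates rules top to bottom, so a `DROP` placed after an unconditional `ACCEPT` is dead configuration that gives a false sense of coverage.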
Then he discussed the more basic weaknesses in American networks -- code vulnerabilities. According to research he has done, there are roughly 102 million programmers worldwide. Using the average productivity per programmer, they can produce about 102 billion lines of code per year.
Error rates per thousand lines of code vary widely, from about 15 to 50. "The basic testing we do today eliminates up to about 1 per 10,000 lines of code," he said, meaning that "10,200 bugs remain in operational code, but we just don't know where they are. If only 1 percent of those are exploitable that means there are 102 thousand vulnerabilities introduced in the code used today."
Coleman unveiled more worrying statistics. "If you take a look at IBM's X-Force threat report in 2008 there were 7,406 vulnerabilities analyzed in commercial software. At the end of 2008, 53 percent of those vulnerabilities" had not been patched. "Only about 46 percent of the vulnerabilities identified in 2006 had patches by the end of 2008 and 44 percent of those in 2007 still did not have a patch by the end of 2008."
Coleman looked at one vulnerability at a Fortune 500 company to see how quickly and effectively they moved to patch it. "From the date the vulnerability was announced to the day the patch was released, and the company was able to test and deploy it was 54 days," he said. Long pause. "Would you leave your front door unlocked for 54 days?"
NSA is working with Microsoft, Apple, Sun and other companies to lessen the chances of cyber attacks, Schaeffer said in his prepared remarks for the committee. The latest example is assistance the super-secret agency gave to Microsoft as it prepared Windows 7, its latest operating system, for release.
Of course, closing code holes does not begin to address the possible threat from computer chips, the vast majority of which are manufactured in Taiwan and the People's Republic of China.
At least one foreign intelligence agency is known to have built "additional" code into a line of chips, Coleman said.
"When you look at whether they could compromise us, we've got a huge road ahead of us. Have we made progress? Yes, but we are at the first or second step when we have a 100 yard run in front of us," he said.
One of the enduring debates in the cyber bureaucratic wars has been who will lead US efforts to protect our networks. Currently, the Department of Homeland Security has the lead, a fact that worries Larry Wortzel, China expert and former signals intelligence officer. Wortzel told Cardin's subcommittee that "DHS should play a substantive role" in cyber. But, "that Department is new, has a broad range of responsibilities, is spread thin, and is still growing into its duties. My understanding is that DHS has run two national cyber exercises. But to my knowledge, there has not yet been a systematic examination of lessons learned from the exercises nor uniform application of standards for attempting to correct any problems revealed across government or in industry."
And this isn't the only US leadership role gone a missin'. The cyber czar position created by the Obama administration in May is still vacant.