Teresa Takai, chief information officer at the Department of Defense, said the department is looking at ways to decrease its use of the Internet while maintaining connectivity.
“We’re looking at cross-domain solutions that will allow for information exchange without the threat of being connected to the Internet,” she said while speaking at a Georgetown University conference recently.
Takai said the $40 billion spent per year on technology needs to include a review of its implications for cybersecurity.
“The only way to really move forward is to think about the way we actually plan and design our technology deployment to assume that we will get breached and how will we operate,” she said. “All of this has to include everything all the way out to the tactical edge.”
The department is tackling the problem in several key areas, including acquisitions, training and information sharing.
Takai acknowledged that the engineering culture and the way that the department and the services approach IT security is a major roadblock for any actual changes in infrastructure design.
“We assume that if we test enough we’ll be able to find the vulnerability,” she said. “And all of you know that that is a false assumption”
Eugene Kaspersky, Kaspersky Lab’s founder and renowned IT security expert, also gave a keynote address at the conference. He described the 2003 New York City electrical blackout as a prime example of Internet reliance.
“For sure, this infrastructure is not connected to the Internet,” he said he had thought. He was wrong, as the bug had jumped from Microsoft [MSFT] to UNIX systems.
Kaspersky, who has been in the IT security business for 20 years, said he started his career tracking 10 viruses a month. Now he looks at 100,000 suspected files everyday.
“We collect millions of new malware every year,” he said of Kaspersky Lab, which keeps an extensive database of threats and is one of the world’s leading vendors of software security products.
Describing another example of infrastructure vulnerability, Kaspersky said the 2007 attack on Estonia only required 50,000 infected computers to kill the Internet in a country of 1 million people. Increased to the scale of the United States, a similar attack would require infecting 15 million computers to knock of out the country’s connectivity.
He said this scenario is possible in the United States.
“Unfortunately, the IT world is not safe by design,” he said, explaining that some critical infrastructure still includes MS-DOS. “How many resources, how much time do we need to redesign IT infrastructure that has been worked on for the last 40-50 years?”
Despite the grim nature of the challenges Kaspersky described, Takai said she’s confident that a framework can be reached for securing IT in the future.
“Yes they’re painful, yes they’re required legal agreements, yes they require lawyers,” she said. “I’m convinced that we can work together.”