Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I)
PMW 130 Overview for NDIA
11 May 2011
Kevin McNally, Program Manager, PMW 130
858-537-0682, Kevin.mcnally@navy.mil
Statement A: Approved for public release; distribution is unlimited
Information Dominance Anytime, Anywhere…

Why Cyber Matters?
"If the nation went to war today in a cyber war, we would lose." - Admiral Mike McConnell (retired), 23 Feb 2010
• Over 2.08 billion Internet users (420M in China) – UN International Telecommunication Union (ITU)
• DOD makes 1 billion+ Internet connections daily, passing 40TBs of data – RADM Edward H. Deets, III
• DOD networks scanned and probed 6M times/day – USCYBERCOM
• Several years ago, zero countries were armed for cyber warfare; today 20+ countries – Dr. Eric Cole, McAfee
• Stuxnet – most advanced cyber weapon ever seen – CEO, McAfee
"The next battle is in the information domain, and the first shots have already been fired." - Admiral Gary Roughead, CNO

McAfee Threat Summary
New stats:
• 20 million new malware samples in 2010
• ~55,000 new malware samples/day (new record)
• Growth in sites hosting malware
• Number of new mobile malware samples in 2010 increased by 46 percent over 2009
• Malware growth since Jan 09
• Adobe products still the top target
Source: McAfee Threats Report Q4 2010

Symantec: Expansion of Tool Kits
61% of threat activity on malicious websites is toolkit specific
Source: Symantec Intelligence Quarterly (April-June 2010)

ZeuS, aka Zbot
Adaptable Trojan for sale – toolkit to build your own Trojan horse
• Infects PCs when the user simply visits an infected Web site
• Oct 2010: over 30 individuals were arrested for ZeuS-based attacks against U.S. and U.K. bank account holders
• Dec 2010: spoof email from "White House" to UK Government; U.K. officials suggest the cyber attack originated from China
• Cost on the black market:
  • The private version is $3-4K
  • VNC private module is $10K
• ZeuS author earned $15M in commissions from license rights
77% of infected PCs have up-to-date anti-virus software

Can you tell the difference?

Amazing Coincidence?

Is our supply chain safe?
• January 2008: a joint task force seized $78M of counterfeit Cisco networking hardware – Source: Defense Tech
• April 2009: Chinese spies may have put chips in U.S. planes – Source: The Times of India
• May 2010: Counterfeit Cisco network gear traced to China, not surprisingly – Source: Security Magazine

Conficker Spreading: 5 Versions in 5 Months
• 20 Nov 2008: CONFICKER.A
• End Dec 2008: CONFICKER B – code cryptography, password cracking, USB infection vector, anti-virus countermeasures, software update countermeasures, primitive peer-to-peer comms
• Mid Jan 2009: Conficker A and B explode; estimates range from 3-12 million machines infected
• Mid Feb 2009: CONFICKER B++ – direct update feature
• Early Feb 2009: CONFICKER C – 50K domains, kills security software, robust peer-to-peer comms, malware analysis countermeasures, improved HTTP command & control
• March 2009: IBM announces Asia has 45% of infections; Europe 32%; South America 14%; North America 6%
• April 2009: CONFICKER E – no software armoring, HTTP command & control, spam, "scareware"
50,000 PCs a day are attacked

Conficker (At the one year mark)

What about specialized weapons and aircraft?
French fighter planes grounded by computer virus - The Telegraph, 07 Feb 2009
French fighter planes were unable to take off after military computers were infected by a computer virus. Microsoft had warned that the "Conficker" virus, transmitted through Windows, was attacking computer systems in October last year.

Android Disasters
• March 1, 2011: confirmed that 58 malicious apps were uploaded to Android Market
  • Rootkit granting hackers deep access
  • Google initiated "remote kill" to affected devices
  • Admits they can't patch the hole causing the vulnerability
• Symantec: Android app called "Steamy Windows" was modified to SMS premium rate numbers owned by Chinese hackers
Sources: http://techcrunch.com/2011/03/05/android-malware-rootkit-google-response/ ; http://www.computerworld.com/s/article/9211879/Infected_Android_app_runs_up_big_texting_bills

SCADA: Supervisory Control And Data Acquisition
• Shumukh Al-Islam Network call to Mujahadin Brigades to "strike the soft underbelly…"
• "…strikes…simultaneous"; "…spread hysterical horror…"
• Infrastructure processes include:
  • Water treatment & distribution
  • Wastewater collection & treatment
  • Oil & gas pipelines
  • Wind farms
  • Civil Defense siren systems
  • Large communication systems
  • Electrical power transmission & distribution
OSC Web monitoring report found an article dated 18 December 2010 on Shumukh Al-Islam Network titled "Launch SCADA Missiles" urging an attack

Social Networking Event: Robin Sage
• Purportedly Cyber Threat Analyst for the Naval Network Warfare Command
• Impressive resume at 24, high-level security clearances
• 10 years' experience in the cybersecurity field
• Friends list included people working for the nation's most senior military officer, the chairman of the Joint Chiefs of Staff, NRO, a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors
• Job offers from industry
"One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location"

Information Assurance & Cyber Security (PMW 130)
• Computer Network Defense (CND) – ACAT IVT
• EKMS/KMI – component of NSA – ACAT IAM
• PKI – component of DISA – ACAT IAM
• Cryptography (modernization; legacy)
  • Navy, USMC, USCG, MSC
• Radiant Mercury (RM)
  • Cross Domain Solution
• Tactical Key Loader (TKL)
  • USMC and SPECOPS
• Information Assurance (IA) Services
PMW 130 collaborates with FLTCYBERCOM, 10th Fleet, NCF, NNWC, and NCDOC

C4I Networks Today: Defense In Depth
Enterprise Management
• Prometheus – Advanced Data Correlation
• Enterprise View: Navy Computer Network Defense Centers; Regional Views: Network Operations Service Centers; Platform Views
• Governance
• Situational Awareness: CND-COP
• CND C2
• Coordinated Response Actions
WAN Defenses
• Boundary Defense (firewalls)
• Enclave Protection (IPS/IDS)
• Data Correlation
• Virus Protection
LAN Defenses
• Host Protection (HIDS, firewall, anti-virus, baselining)
• Vulnerability Scanning
• Vulnerability Patch Remediation
• Network Intrusion Detection
Mission Operations

Navy Computer Network Defense: High-Level Operational View

Cyber Defense and the Navy: What Lies Ahead
• Identifying network anomalies & behaviors
• Moving from reactive to predictive
• Advanced Persistent Threat
• Insider Threat / Data loss prevention
• Advanced spear phishing
• Web security, social networks
• Web-enabled application security
• Correlation and analysis of sensor data
• Cloud security
• Wireless/handheld device security
• Cyber situation awareness

Future Collaboration
• Collaboration is vital to our future
• Welcome collaboration across government, commercial, academia and other stakeholders
• PMW 130 Government/Industry Exchange
  • An opportunity for industry to present products they feel may be of interest to PMW 130
  • Attendees include PMW 130 senior leadership, SPAWAR and PEO C4I invitees, and other PMW 130 personnel (Assistant Program Managers, engineers, etc.)
  • Held once a month
  • 50 minutes, including Q&A
  • Please contact Carol Cooper at Cooper_carolyn@bah.com

We get IT. We also integrate it, install it and support it. For today and tomorrow.
Visit us at www.peoc4i.navy.mil
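The Robin Sage slide closes with a soldier whose patrol photo leaked his position through embedded data: the GPS tags a phone camera writes into a JPEG's Exif segment. As an added example that is not part of this briefing, the Python below walks a JPEG's segment list, reads the Exif GPS IFD to report any coordinates present, and strips the Exif segment so the image can be shared without them. It uses only the standard library; the JPEG skeleton used as input is constructed in the block (it carries a valid Exif structure but no decodable picture), and all function names are this example's own.

```python
import struct

# Exif tag numbers (TIFF/Exif specification): GPS IFD pointer in IFD0,
# and the four GPS tags needed for a position fix.
GPS_IFD_TAG = 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def _segments(data):
    """Yield (marker, start, end) for each JPEG marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS: entropy-coded data follows; EOI: end
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, bo, offset):
    """Return {tag: (type, count, 4 value/offset bytes)} for one IFD."""
    n = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, bo, offset, count):
    """Read `count` unsigned RATIONAL values (numerator/denominator pairs)."""
    vals = []
    for i in range(count):
        num, den = struct.unpack(bo + "II", tiff[offset + 8 * i:offset + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def _dms_to_decimal(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in (b"S", b"W") else deg


def find_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries Exif GPS tags, else None."""
    for _marker, start, end in _segments(data):
        if not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]                    # TIFF structure after "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"          # byte order mark
        ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[GPS_IFD_TAG][2])[0])
        try:
            lat_ref, lon_ref = gps[TAG_LAT_REF][2][:1], gps[TAG_LON_REF][2][:1]
            lat = _rationals(tiff, bo, struct.unpack(bo + "I", gps[TAG_LAT][2])[0], 3)
            lon = _rationals(tiff, bo, struct.unpack(bo + "I", gps[TAG_LON][2])[0], 3)
        except KeyError:
            return None                                 # GPS IFD present but incomplete
        return _dms_to_decimal(lat, lat_ref), _dms_to_decimal(lon, lon_ref)
    return None


def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment removed; image data is untouched."""
    out, pos = bytearray(data[:2]), 2
    for _marker, start, end in _segments(data):
        if not _is_exif(data, start):
            out += data[start:end]
        pos = end
    out += data[pos:]                                   # SOS onward, copied verbatim
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input (not a real photo): SOI, one Exif APP1 with a GPS IFD, SOS, EOI."""
    bo = ">"
    tiff = bytearray(b"MM\x00\x2a" + struct.pack(bo + "I", 8))       # big-endian TIFF header
    gps_off = 8 + 2 + 12 + 4                                         # GPS IFD follows IFD0
    tiff += struct.pack(bo + "H", 1) + struct.pack(bo + "HHII", GPS_IFD_TAG, 4, 1, gps_off)
    tiff += struct.pack(bo + "I", 0)                                 # no next IFD
    data_off = gps_off + 2 + 4 * 12 + 4                              # RATIONALs after entries
    tiff += struct.pack(bo + "H", 4)
    tiff += struct.pack(bo + "HHI", TAG_LAT_REF, 2, 2) + lat_ref + b"\x00\x00\x00"
    tiff += struct.pack(bo + "HHII", TAG_LAT, 5, 3, data_off)
    tiff += struct.pack(bo + "HHI", TAG_LON_REF, 2, 2) + lon_ref + b"\x00\x00\x00"
    tiff += struct.pack(bo + "HHII", TAG_LON, 5, 3, data_off + 24)
    tiff += struct.pack(bo + "I", 0)
    for d in lat_dms + lon_dms:
        tiff += struct.pack(bo + "II", d, 1)
    exif = EXIF_HEADER + bytes(tiff)
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg((37, 46, 30), b"N", (122, 25, 6), b"W")
    print("before:", find_gps(sample))
    print("after: ", find_gps(strip_exif(sample)))
```

The walker stops at the SOS marker, so the scan data is never parsed, only copied. In a pre-upload check the useful signal is simply whether `find_gps` returns a value at all; `strip_exif` removes the whole APP1 segment rather than just the GPS IFD because camera make, serial number and thumbnail in the same segment can also identify the source.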