The United States needs to be more agile in defending against attacks from cybercriminals who are constantly infiltrating domestic networks, said Robert Lentz, CISO at the U.S. Department of Defense, during a keynote address to Black Hat USA 2009 attendees.
"One of the top challenges is strengthening our network underpinnings," Lentz said. "We have shifted radically from government-built services and capabilities to commercial services and capabilities."
Lentz referred to a presentation given Tuesday by noted network security researcher Dan Kaminsky of IOActive, who demonstrated vulnerabilities in the X.509 cryptography found in public key infrastructures (PKI). Kaminsky also reviewed the continued use of faulty hash algorithms by certificate authorities. He revealed that through a simple alteration of the common name in an X.509 certificate, an attacker could trick the certificate authority into certifying the legitimacy of a malicious site.
Lentz reiterated a call from government officials for public-private cooperation to share research and defend against cyberattacks. "This is truly an important time for all of us in the security profession," Lentz said. "We have to accomplish a shift to get to a resilient cyber-ecosystem … We need all of you in this room to partner together as a nation and with our international allies to make this shift happen."
He also spoke of the need to deploy DNSSEC, a suite of specifications that use public key cryptography to digitally sign responses to DNS lookups, to better secure the Internet domain naming system. He also reaffirmed the federal government's commitment to support the transition from IPv4 to IPv6.
"For us in the DoD, the race is real and daunting, and we have a lot of significant challenges in front of us," Lentz said.
Lentz said the government continues its research into attack surfaces to produce an agile, dynamic defense capable not only of detecting attacks but also of taking a proactive role in preventing future attacks against government infrastructure. While virtualization technologies represent a technical challenge for the government, they also open opportunities for it to manage attack surfaces appropriately.
"It's all threaded in this area of driving anonymity out of network," Lentz said.