Friday, February 11, 2011

The Known Unknowns in Cyber Operations

Former Secretary of Defense Donald Rumsfeld believes that it is the known unknowns that can hurt you. Here is a compilation of a few situations where facts are not available:

1. How many “bots” (hostile implanted software) are there in DoD's millions of computers?
2. How many of the estimated three million DoD desktops and laptops have open ports that are accessible to malware attacks?
3. How many servers hosting critical applications or data do not have verified backups?
4. How many DoD computer devices have a USB port into which a thumb-drive can be inserted without detection?
5. What fraction of DoD client devices experience access downtime greater than half an hour?
6. How many DoD computers have boot times greater than ten minutes?
7. How many military, civilian or contractor employees perform any part of classified work on their personal computers that do not require a CAC card for identification?
8. For how many days do military, civilian and contractor employees retain access authorization to DoD networks after they have been terminated from their position?
9. How many social computing transactions take place over NIPRNET?
10. What share of traffic conveyed over DoD networks is from social applications?
11. How many individuals have more than one .mil address?
12. How many downloads to YouTube and similar sites from DoD sites are recorded for subsequent forensic analysis?
13. How many communications from DoD sites to sites not on .mil addresses are screened for inappropriate content, such as pornography?
14. Are DoD-originated e-mails, regardless of source, filed and retained for compliance with the Federal Records Retention regulations?

According to Rumsfeld, there are also “unknown unknowns” that can potentially inflict even greater damage. I do not know how to make such a list.

Unknown unknowns are potentially exploitable flaws for launching cyber attacks. Keeping track of failed implementations offers a sobering perspective on situations that warrant attention.