Information Dominance Anytime, Anywhere… Program Executive Office Command, Control, Communications, Computers and Intelligence (PEO C4I) Statement A: Approved for public release; distribution is unlimited PMW 130 Overview for NDIA 11 May 2011 Kevin McNally Program Manager PMW

Why Cyber Matters? Over 2.08 billion Internet users (420M in China) – UN International Telecommunication Union (ITU) DOD makes 1 billion+ Internet connections daily, passing 40TBs of data – RADM Edward H. Deets, III DOD Networks scanned and probed 6M times/day – USCYBERCOM Several years ago, zero countries armed for cyber warfare, today 20+ countries – Dr. Eric Cole, McAfee Stuxnet – Most advanced Cyber Weapon ever seen – CEO McAfee “The next battle is in the information domain, and the first shots have already been fired.”- Admiral Gary Roughead, CNO "If the nation went to war today in a cyber war, we would lose.” - Admiral Mike McConnell (retired), 23 Feb 2010 "If the nation went to war today in a cyber war, we would lose.” - Admiral Mike McConnell (retired), 23 Feb

McAfee Threat Summary New stats: 20 Million new malware in 2010 ~55,000 new malwares/day (new record) Growth in sites hosting malware Number of new mobile malware in 2010 increased by 46 percent over 2009 Source: McAfee Threats Report Q Malware growth since Jan 09 Adobe products still the top target

Symantec Expansion of Tool Kits Source: Symantec Intelligence Quarterly (April-June 2010) 4 61% of threat activity on malicious websites is toolkit specific 4

ZeuS, aka Zbot Adaptable Trojan for sale Cost on the black market The Private Version is $3-4K VNC private module is $10K ZeuS author earned $15M in commissions from license rights Infect PCs by simply visiting an infected Web site Oct 2010, over 30 individuals were arrested for ZeuS-based attacks against U.S. and U.K. bank account holders Dec 2010, spoof from “White House” to UK Government U.K. officials suggest the cyber attack originated from China 5 TOOLKIT TO BUILD YOUR OWN TROJAN HORSE 77% of infected PCs have up-to-date anti-virus software

Can you tell the difference? 6

Amazing Coincidence? 7

Is our supply chain safe? 8 January 2008, a joint task force seized $78M of counterfeit Cisco networking hardware Source: Defense Tech May 2010, Counterfeit Cisco Network Gear Traced to China, Not Surprisingly Source: Security Magazine May 2010, Counterfeit Cisco Network Gear Traced to China, Not Surprisingly Source: Security Magazine April 2009, Chinese spies may have put chips in U.S. planes Source: The Times of India April 2009, Chinese spies may have put chips in U.S. planes Source: The Times of India

Conficker Spreading 5 Versions in 5 Months 9 9 End Dec 2008: CONFICKER B Code Cryptography + Password Cracking + USB Infection Vector Anti-Virus Countermeasures + Primitive Peer-to-Peer Comms Software Update Countermeasures 20 Nov 2008: CONFICKER.A No Software Armoring HTTP Command & Control Mid Feb 2009 CONFICKER B++ Direct Update Feature Early Feb 2009 CONFICKER C 50K Domains Kills Security Software + Robust Peer-to-Peer Comms Malware Analysis Countermeasures + Improved HTTP Command & Control April 2009 CONFICKER E Spam “Scareware” 50,000 PCs a day are attacked March 2009 IBM announces: Asia has 45% of infections; Europe 32%; South America 14%; North America 6% March 2009 IBM announces: Asia has 45% of infections; Europe 32%; South America 14%; North America 6% Mid Jan 2009 Conficker A and B explodes. Estimates range from 3-12 million machines infected Mid Jan 2009 Conficker A and B explodes. Estimates range from 3-12 million machines infected

Conficker ( At the one year mark ) 10

What about specialized weapons and aircraft? 11 French fighter planes grounded by computer virus - The Telegraph, 07 Feb 2009 French fighter planes were unable to take off after military computers were infected by a computer virus. Microsoft had warned that the "Conficker" virus, transmitted through Windows, was attacking computer systems in October last year

Android Disasters March 1, 2011: confirmed that 58 malicious apps were uploaded to Android Market Rootkit granting hackers deep access Google initiated “remote kill” to affected devices Admits they can’t patch the hole causing the vulnerability Source: Symantec: Android app called “Steamy Windows” was modified to SMS premium rate numbers owned by Chinese hackers 12

SCADA Supervisory Control And Data Acquisition 13 Infrastructure processes include: Water treatment & distribution Wastewater collection & treatment Oil & gas pipelines Wind farms Civil Defense siren systems Large communication systems Electrical power transmission & distribution Shumukh Al-Islam Network call to Mujahadin Brigades to “strike the soft underbelly…” “…strikes…simultaneous”; “…spread hysterical horror…” OSC Web monitoring report found an article dated 18 December 2010 on Shumukh Al-Islam Network titled “Launch SCADA Missiles” urging an attack

Social Networking Event Robin Sage Purportedly Cyber Threat Analyst for the Naval Network Warfare Command Impressive resume at 24, high- level security clearances 10 years' experience in the cybersecurity field Friends list included people working for the nation's most senior military officer, the chairman of the Joint Chiefs of Staff, NRO, a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors Job offers from industry “One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location” 14

Information Assurance & Cyber Security (PMW 130) Computer Network Defense (CND) – ACAT IVT EKMS/KMI - Component of NSA – ACAT IAM PKI - Component of DISA – ACAT IAM Cryptography (modernization; legacy) Navy, USMC, USCG, MSC Radiant Mercury (RM) Cross Domain Solution Tactical Key Loader (TKL) USMC and SPECOPS Information Assurance (IA) Services 15 PMW 130 collaborates with FLTCYBERCOM, 10 th Fleet, NCF, NNWC, and NCDOC

C4I Networks Today Defense In Depth Enterprise View Regional Views LAN Defenses Host Protection (HIDS, Firewall, anti-virus, baselining) Vulnerability Scanning Vulnerability Patch Remediation Network Intrusion Detection WAN Defenses Boundary Defense (firewalls) Enclave Protection (IPS/IDS) Data Correlation Virus Protection Enterprise Management Prometheus –Advanced Data Correlation Governance Situational Awareness: CND-COP CND C2 Coordinated Response Actions Platform Views Navy Computer Network Defense Centers Network Operations Service Centers Mission Operations 16

Navy Computer Network Defense High-Level Operational View 17

Cyber Defense and the Navy What Lies Ahead Identifying network anomalies & behaviors Moving from reactive to predictive Advanced Persistent Threat Insider Threat/Data loss prevention Advanced spear phishing Web security, Social Networks Web enabled application security Correlation and Analysis of sensor data Cloud Security Wireless/handheld device security Cyber Situation Awareness 18

Future Collaboration Collaboration is vital to our future Welcome collaboration across government, commercial, academia and other stakeholders PMW 130 Government/Industry Exchange An opportunity for industry to present products they feel may be of interest to PMW 130 Attendees include PMW 130 senior leadership, SPAWAR and PEO C4I invitees, and other PMW 130 personnel (Assistant Program Managers, engineers, etc.) Held once a month 50 minutes, including Q&A Please contact Carol Cooper at 19

We get IT. We also integrate it, install it and support it. For today and tomorrow. Visit us at 20