WASHINGTON (Reuters) - The U.S. government’s main code-making and code-cracking agency now works on the assumption that foes may have pierced even the most sensitive national security computer networks under its guard.
“There’s no such thing as ‘secure’ any more,” Debora Plunkett of the National Security Agency said on Thursday amid U.S. anger and embarrassment over disclosure of sensitive diplomatic cables by the web site WikiLeaks.
“The most sophisticated adversaries are going to go unnoticed on our networks,” she said.
Plunkett heads the NSA’s Information Assurance Directorate, which is responsible for protecting national security information and networks from the foxhole to the White House.
“We have to build our systems on the assumption that adversaries will get in,” she told a cyber security forum sponsored by the Atlantic and Government Executive media organizations.
The United States can’t put its trust “in different components of the system that might have already been violated,” Plunkett added in a rare public airing of NSA’s view on the issue. “We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”
The NSA must constantly fine tune its approach, she said, adding that there was no such thing as a “static state of security.”
More than 100 foreign intelligence organizations are trying to break into U.S. networks, Deputy Defense Secretary William Lynn wrote in the September/October issue of the journal Foreign Affairs. Some already have the capacity to disrupt U.S. information infrastructure, he said.
Plunkett declined to comment on WikiLeaks, which has started releasing a cache of 250,000 diplomatic cables, including details of overseas installations that officials regard as vital to U.S. security.
Official have focused publicly on Army Private Bradley Manning, who is being detained at a Marine Corps base in Quantico, Virginia, as the source of the leak.
NSA, a secretive Defense Department arm that also intercepts foreign communications, conceives of the problem as maintaining the availability and assuring the integrity of the systems it guards, rather than their “security,” she said.
NSA — which insiders jokingly used to say referred to “No Such Agency” — also focuses on standardization and auditing to hunt for any intrusions, Plunkett said. She referred to the development of sensors for eventual deployment “in appropriate places within our infrastructure” to detect threats and take action against them.
Mike McConnell, a retired Navy vice admiral who headed the NSA from 1992 to 1996, told the forum he believed no U.S. government network was safe from penetration.
A third-party inspection of major computer systems found there was none of consequence “that is not penetrated by some adversary that allows the adversary, the outsider, to bleed all the information at will,” said McConnell, director of national intelligence from 2007 to 2009 and now leader of the intelligence business for the Booz Allen Hamilton consultancy.
Reporting by Jim Wolf; editing by Todd Eastham