Is the Military Prepared For Cyberwarfare?

pbahra writes "If you think that combating cyber criminals is hard in your organization, imagine doing it in an enterprise with some 18 or so layers of management between the top man (and it is always a man) and the most junior employee. Now imagine that in such an organization, there is a form for everything, that it can take literally decades to buy new equipment, and that you can be jailed for having dirty footwear. But that same organization is charged with helping to defeat shadowy hacker groups who are faster, have better equipment, almost certainly are better funded and don't have to salute every time someone senior walks past them. The modern military is used to operating in what is known as an asymmetric environment, with a distinct imbalance between the two opponents. The problem for the military is that they like to be the big guy. According to a senior officer speaking at the 2011 Annual Defense Lecture in London, when asked if the military was capable of operating at the same speed as their opponents, he admitted they were not."

FUBAR = Normal

[Edgewood_Dirk]

I'm a currently-serving active duty Marine, and the fact that we're not ready for cyberwarfare is symptomatic of our way of doing things. The problem with the US military changing its ways of doing anything is that if there isn't a group of people already trained for the purpose of that new thing, its not gonna get done. Every Marine/sailor/soldier/airman/coastie has a specific job designation when they join up. They may do certain things outside of their scope at times, but "innovation" isn't commonplace or encouraged. It will be years if not a decade or more before an entirely new MOS (Military Occupational Specialty) is created and a training program implemented for the single purpose of creating "cyber-soldiers". Until that happens, the military will rely on other assets within the federal services, or contractors.

Re:One word: Windows

[HBI]

I would disagree, but not entirely. Yes, the US military is over-reliant on Windows. That said, Windows gets lots of scrutiny - much more than competing OS. The fact that Windows has an entirely broken security model is not lost on those responsible for CND (computer network defense) within the armed forces. Unfortunately, the means of fixing it is mostly via STIGs, "security and technical implementation guides" produced by NSA. This results in an OS which mostly won't run software and can't communicate over a network. This is why the STIG is supposed to be applied with consciousness of the impact on software, and with some delicacy to preserve capabilities. This does not stop those responsible for purported security scans and IA (information assurance) inspections from mandating the application of said STIGs across the board as a prerequisite for allowing your systems on the network, with the results you'd expect.

Getting an exception to the STIG requires getting a general officer* to sign off on a risk, which is a career-ending move if there is some kind of penetration attributable to the exception. So they aren't really interested in doing that much.

I suppose computers that don't work correctly are "secure", in the sense that it's hard to get data off a computer that isn't used as a resource, but rather a boat anchor. Still, this doesn't say much for the military ultimately achieving much in cyberwarfare or even CND by breaking their systems by default.

The root of the problem is that most people that go into IA or CND in the military are nontechnical or just incompetent. It's not the trade that you'd choose if you were savvy, and being surrounded by a good percentage of idiots can't be pleasant. There are some very, very smart people within the system but I wonder personally how any of them stand the general level of incompetence. I can't get a straight answer out of them except for "duty", which may be the real one.

That said, the whole infrastructure is on the wrong track to gaining true capability. Needs changing.

* Each agency has a "Designated Approving Authority" or DAA. It's usually the highest ranking person at said agency. That is who takes ownership of risk.