Slashdot Mirror


Is the Military Prepared For Cyberwarfare?

pbahra writes "If you think that combating cyber criminals is hard in your organization, imagine doing it in an enterprise with some 18 or so layers of management between the top man (and it is always a man) and the most junior employee. Now imagine that in such an organization, there is a form for everything, that it can take literally decades to buy new equipment, and that you can be jailed for having dirty footwear. But that same organization is charged with helping to defeat shadowy hacker groups who are faster, have better equipment, almost certainly are better funded and don't have to salute every time someone senior walks past them. The modern military is used to operating in what is known as an asymmetric environment, with a distinct imbalance between the two opponents. The problem for the military is that they like to be the big guy. According to a senior officer speaking at the 2011 Annual Defense Lecture in London, when asked if the military was capable of operating at the same speed as their opponents, he admitted they were not."

21 of 147 comments

  1. WSJ submitting their own stories by Anonymous Coward · · Score: 2, Interesting

    It's nice to see that Slashdot is now taking direct plugs from the WSJ.

  2. ah just what we need by Dyinobal · · Score: 4, Interesting

    Ah just what we need another war. We got a war on terror, war on drugs, a war on war and a war on not enough war. Let's add a 'Cyber war' so we can get some more tax dollars thrown at us.

    1. Re:ah just what we need by Errol backfiring · · Score: 2

      But the US really wages war. Drugs are fought with jet bombers. Terrorism is fought with jet bombers - heck, two whole countries are almost wiped off the map to find two terrorists. Even international justice will probably be fought with jet bombers. The threat has been issued already. I wish the USA would see that the War On [please fill in here] were not meant literally.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  3. One word: Windows by antifoidulus · · Score: 4, Insightful

    The military is over-reliant and over-confident on Windows. Hell they pretty much write their security specifications to whatever Windows does AND they scrutinize non-Windows (particularly Linux machines) much more than they do Windows machines. Relying on Microsoft for anything is just asking to get hacked. I hope (though I know it won't happen) that the next Secretary of Defense will make it his mission to wean the military off of Windows. Not only will it result in a more secure system (probably), it will also save the government money and not make them beholden to the beast of Redmond....

    Sadly I know it won't happen because Microsoft is always sure to let senior military officers in charge of this kind of stuff know that when the time is right they are always "looking" for people who have held those positions. I.e., throw lots of government money at us and we'll make sure you get a do-nothing job with an impressive title and salary to match.

    1. Re:One word: Windows by HBI · · Score: 5, Informative

      I would disagree, but not entirely. Yes, the US military is over-reliant on Windows. That said, Windows gets lots of scrutiny - much more than competing OS. The fact that Windows has an entirely broken security model is not lost on those responsible for CND (computer network defense) within the armed forces. Unfortunately, the means of fixing it is mostly via STIGs, "security and technical implementation guides" produced by NSA. This results in an OS which mostly won't run software and can't communicate over a network. This is why the STIG is supposed to be applied with consciousness of the impact on software, and with some delicacy to preserve capabilities. This does not stop those responsible for purported security scans and IA (information assurance) inspections from mandating the application of said STIGs across the board as a prerequisite for allowing your systems on the network, with the results you'd expect.

      Getting an exception to the STIG requires getting a general officer* to sign off on a risk, which is a career-ending move if there is some kind of penetration attributable to the exception. So they aren't really interested in doing that much.

      I suppose computers that don't work correctly are "secure", in the sense that it's hard to get data off a computer that isn't used as a resource, but rather a boat anchor. Still, this doesn't say much for the military ultimately achieving much in cyberwarfare or even CND by breaking their systems by default.

      The root of the problem is that most people that go into IA or CND in the military are nontechnical or just incompetent. It's not the trade that you'd choose if you were savvy, and being surrounded by a good percentage of idiots can't be pleasant. There are some very, very smart people within the system but I wonder personally how any of them stand the general level of incompetence. I can't get a straight answer out of them except for "duty", which may be the real one.

      That said, the whole infrastructure is on the wrong track to gaining true capability. Needs changing.

      * Each agency has a "Designated Approving Authority" or DAA. It's usually the highest ranking person at said agency. That is who takes ownership of risk.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:One word: Windows by Willuz · · Score: 2

      I didn't expect a clear and sensible response here when the original post spent more time bashing the military than it did providing any kind of supporting evidence. It's true that a system becomes almost unusable for most software when all of the STIGs are applied. However, much of the problem lies with software developers who don't develop on fully STIG compliant systems. They design the software the same way as always, then request any conflicting STIGs be left out and mitigated on the OS side. This is a completely backwards approach to secure software development. Attempting to secure a system AFTER development is a recipe for failure.

      When the developers are familiar with STIGs and include them in development from the early planning stages then it is not a problem. However, this is difficult when software development can take years and STIGs are constantly changing. It is also very difficult for contractors to receive any information on planned changes to STIGs so that they may prepare for it. The DOD security branches need to cooperate and be more inclusive with civilian software developers so it becomes easier to develop secure software.

    3. Re:One word: Windows by bill_mcgonigle · · Score: 2

      "Windows gets lots of scrutiny - much more than competing OS"

      You figure the Windows source is getting more people doing better security reviews than Linux? If that's the case, then we'd have to assume that Microsoft isn't heeding the results. I'm not sure which is worse.

      It's possible there's a case for military office workers to use Windows. But for vertical applications - well, the NSA went through this evaluation and wrote SELinux.

      At least most of the embedded systems projects at the DoD are Linux-based.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. FUBAR = Normal by Edgewood_Dirk · · Score: 4, Informative

    I'm a currently-serving active duty Marine, and the fact that we're not ready for cyberwarfare is symptomatic of our way of doing things. The problem with the US military changing its ways of doing anything is that if there isn't a group of people already trained for the purpose of that new thing, it's not gonna get done. Every Marine/sailor/soldier/airman/coastie has a specific job designation when they join up. They may do certain things outside of their scope at times, but "innovation" isn't commonplace or encouraged. It will be years if not a decade or more before an entirely new MOS (Military Occupational Specialty) is created and a training program implemented for the single purpose of creating "cyber-soldiers". Until that happens, the military will rely on other assets within the federal services, or contractors.

  5. How to prepare for cyberwar by Xenkar · · Score: 4, Interesting

    Step 1: Make our own hardware again.
    Step 2: Remove anything critical to our infrastructure from the damned internet.
    Step 3: Remove our government computers from the internet and on to a private intranet where they can log everything and hunt down witches/pedophiles in the government while the rest of us get a pass from ineffective feel-good legislation.

    1. Re:How to prepare for cyberwar by bky1701 · · Score: 4, Insightful

      Step 4: Close government-mandated security holes in software the CIA and FBI asked for.

  6. Re:Not even close to being prepared.. by Anonymous Coward · · Score: 2, Insightful

    Actually, our military is very good at the blowing shit up and killing people part. This is what they do. Hell, they are even very good when we ask them to blow up buildings without scratching the paint of the car parked in front of it.

  7. Military are slowly changing by Calibax · · Score: 3, Interesting

    I suppose the summary quotes 18 levels because that's approximately the number of ranks in each branch of the military. But it's not really 18 levels of management. Remember the old saying "Privates are for doing things, sergeants are for making certain things get done, officers are for thinking." And even junior officers don't get involved in purchasing decisions. The actual level of management when it comes to purchasing is more like 5 or 6, but even that is a big number.

    What really screws things up is that the military purchasing machine is designed for 100k+ of each item with fairly exacting requirements about being easy to operate, able to work in severely adverse conditions, and to be "fair" to everyone wanting to sell to the military. Which means a very complete description (sometimes thousands of pages), open bids, preference to certain categories of bidders, and much else. Oh, and they need to appear accountable for spending all the money that an army sized purchase entails.

    So the guys who actually need relatively small amounts of highly specialized equipment are fighting an entrenched bureaucracy who wants to preserve the status quo. Think $500 hammers. I believe it's getting better though, at least in some areas, and the process is getting reduced from decades to months. Even so, they rarely have the ability to on-line order stuff from commercial vendors and pay with a credit card, although that does happen sometimes.

    The guy speaking at the lecture is right - large militaries can't move as fast as small fast moving enemy groups. But when they do move they can usually outspend him by at least 100,000:1. Which probably doesn't help.

    The key is to organize like the bad guys - small groups each with their own budget and freedom to use it without having to go up the chain of command.

  8. Re:This is a recruitent problem by bassmadrigal · · Score: 2

    This is totally true. The sad thing is technically minded people who ARE in the military still have a hard time getting any type of computer job. I came to the Air Force after completing an Associates degree in Computer Network Technology (this was a time before security-specific training was really pushed). I went to the recruiter and tried to get any job that was computer related. I had extremely high test scores (overall 92 on my ASVAB) and I qualified for just about any job (there are a few jobs that require additional tests). I have extensive knowledge in both Windows and Linux server administration and also managing users and fixing problems (malware and picnic errors) on the desktop. What job did I find myself in? Air Transportation. Basically the loading and unloading of airplanes. I have had numerous supervisors wonder why I am in this career field (it certainly was not by choice). I have also tried to cross-train (switch into a different career field), and even with multiple recommendations from multiple people in my chain of command, I got turned down.

    I am the go to computer guy for any nearby offices before they call the actual people whose job it is to fix our systems. I have even helped them when they can't figure things out (I am limited in what I can do due to system lockdowns). But if I want to try and actually do ANYTHING computer related for my career... I get turned down.

    The system definitely is flawed.

  9. Privateers by Beryllium Sphere(tm) · · Score: 4, Interesting

    Back in the old days, governments would authorize private parties to go out and do bad things to the enemies of the governments.

    http://en.wikipedia.org/wiki/Letter_of_marque

    Reviving that concept might work better than trying to use the military for a task it's not optimized for.

    1. Re:Privateers by Arancaytar · · Score: 2

      Arrrrr! I be intrigued by yer ideas, and be wishin' ter subscribe ter yer letter o' news.

  10. Re:I think you have hit the nail on the head by memyselfandeye · · Score: 2

    Exactly. The CIA and NSA and other Alphabet Soup Agencies send their boys and gals to military bases for much of their training. Not just technical stuff, but languages, combat training, and intelligence. I'm really tired of this crap. Anti-sec Teenage angst isn't going to get a massive retaliatory strike if you 'server pawn' a military subcontractor. In a shooting war, all bets are off. The job of the officer is not to be the be-all end-all oracle of knowledge. Your C/O might not be the world's greatest super hacker, just as he isn't the world's greatest marksman or the world's greatest radar operator. The job of the officer is to facilitate the needs of his command.... period! In other words, our officers ARE 'ignorant managers', but they are ignorant managers who have command of a group that can usually wipe the floor with any enemy, and they are good at using them. Last time I checked, NORAD isn't dealing with a Stuxnet type worm infecting every system from super computers to auto-flush toilets. Maybe the guys who helped write the book on the Internet actually know how to use it?

  11. Cyber warriors == special forces by SirGarlon · · Score: 2

    When we speak of the military as a lumbering bureaucracy, let's bear in mind there are also smart, mobile, very adaptable teams within that huge organization: the special forces. If the military has any sense at all then cyber-warriors will be organized and commanded more like special forces than like an infantry division.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  12. Always Fighting the Last War by Phoenix666 · · Score: 2

    Of course the military isn't ready for cyberwarfare. They are always fighting the last war. Recent articles have come out about how the Pentagon is finally restructuring itself to fight terrorism, meaning they've done away with mass troop movements in favor of lots of small actions. Which will work great until we get into a war with China, which will both hack our systems and require mass troop movements. Chinese military doctrine has expressly stated it means to do just that along with financial warfare (suddenly dumping all dollar reserves), shutting off the Panama Canal (which they now control) to impede the American navy, and lots of other outside-the-box thinking.

    --
    Do what you can, with what you have, where you are.
  13. Re:Not even close to being prepared.. by wallstop · · Score: 2

    Except the land warrior is tested in all kinds of conditions, is 100% stable, has long MTBF and is generally a solid system. Your smartphone is made from cheap parts, isn't proven to be reliable, is made overseas, etc etc. It's the same kind of difference between building some cheap consumer-grade PC and claiming that it's better than a $5000 ruggedized server rack. The military is 5-10 years behind civilian tech? Really? The answer is no, not really.

  14. Re:Not even close to being prepared.. by rezalas · · Score: 2

    My $600 phone can barely take a drop from my pocket to the server room floor without me wondering if I now have to spend another $600. Land warrior systems can be thrown out of a helicopter, hit by a mule, and smashed against rocks while the soldier wearing it does his job without wondering if it still works. Quite a bit of the money involved in systems like land warrior is dedicated to ensuring stability and reliability during combat operations in extreme heat, cold, rain, and snow. All of these are things that a $600 cell phone can't do.

  15. Questionable Qualifications by farploop · · Score: 3, Interesting

    In reviewing this, I find it amazing that Laura Callahan (the former senior deputy director at DHS who resigned in 2004 after an investigation found out that she had received three degrees from a diploma mill in Evanston, Wyoming) is now working again for US Cyber Command as a GS-14 employee as of May 2011. If you google her name, you'll find the entire story of what her lack of qualifications did to several government agencies and the White House (Clinton e-mail scandal). My question is that how did someone with a history of misleading investigators get hired for this type of position (which no doubt involves access to classified information ala NIPR/SIPRnet, JWICS, etc) given her previous 'fraudulent' degrees. A check of OPM regulations shows that lying or misleading investigators in the course of a background investigation, including prior bad acts, and falsification of academic credentials is grounds for termination, or being marked ineligible for hiring. I would suggest if the military wants to keep losing ground, all it needs to do is to continue to hire persons like Ms. Callahan and watch the damage unfold. As for the part of outsourcing, you might want to ask Booz Allen Hamilton and IRC Federal about their recent break-in by Anonymous and the loss of sensitive information and PII.