Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is the Military Prepared For Cyberwarfare?

Posted by Soulskill on from the not-until-they-can-email-hand-grenades dept.

pbahra writes "If you think that combating cyber criminals is hard in your organization, imagine doing it in an enterprise with some 18 or so layers of management between the top man (and it is always a man) and the most junior employee. Now imagine that in such an organization, there is a form for everything, that it can take literally decades to buy new equipment, and that you can be jailed for having dirty footwear. But that same organization is charged with helping to defeat shadowy hacker groups who are faster, have better equipment, almost certainly are better funded and don't have to salute every time someone senior walks past them. The modern military is used to operating in what is known as an asymmetric environment, with a distinct imbalance between the two opponents. The problem for the military is that they like to be the big guy. According to a senior officer speaking at the 2011 Annual Defense Lecture in London, when asked if the military was capable of operating at the same speed as their opponents, he admitted they were not."

9 of 147 comments (clear)

  1. ah just what we need by Dyinobal · · Score: 4, Interesting

    Ah just what we need another war. We got a war on terror, war on drugs, a war on war and a war on not enough war. Lets add a 'Cyber war' so we can get some more tax dollars thrown at us.

  2. One word: Windows by antifoidulus · · Score: 4, Insightful

    The military is over-reliant and over-confident on Windows. Hell they pretty much write their security specifications to whatever Windows does AND they scrutinize non-Windows(particularly Linux machines) much more than they do Windows machines. Relying on Microsoft for anything is just asking to get hacked. I hope(though I know it won't happen) that the next Secretary of Defense will make it his mission to wean the military off of Windows. Not only will it result in a more secure system(probably), it will also save the government money and not make them beholden to the beast of Redmond....

    Sadly I know it won't happen because Microsoft is always sure to let senior military officers in charge of this kind of stuff know that when the time is right they are always "looking" for people who have held those positions. IE throw lots of government money at us and we'll make sure you get a do-nothing job with an impressive title and salary to match.

    --
    Monstar L
    1. Re:One word: Windows by HBI · · Score: 5, Informative

      I would disagree, but not entirely. Yes, the US military is over-reliant on Windows. That said, Windows gets lots of scrutiny - much more than competing OS. The fact that Windows has an entirely broken security model is not lost on those responsible for CND (computer network defense) within the armed forces. Unfortunately, the means of fixing it is mostly via STIGs, "security and technical implementation guides" produced by NSA. This results in an OS which mostly won't run software and can't communicate over a network. This is why the STIG is supposed to be applied with consciousness of the impact on software, and with some delicacy to preserve capabilities. This does not stop those responsible for purported security scans and IA (information assurance) inspections from mandating the application of said STIGs across the board as a prerequisite for allowing your systems on the network, with the results you'd expect.

      Getting an exception to the STIG requires getting a general officer* to sign off on a risk, which is a career-ending move if there is some kind of penetration attributable to the exception. So they aren't really interested in doing that much.

      I suppose computers that don't work correctly are "secure", in the sense that it's hard to get data off a computer that isn't used as a resource, but rather a boat anchor. Still, this doesn't say much for the military ultimately achieving much in cyberwarfare or even CND by breaking their systems by default.

      The root of the problem is that most people that go into IA or CND in the military are nontechnical or just incompetent. It's not the trade that you'd choose if you were savvy, and being surrounded by a good percentage of idiots can't be pleasant. There are some very, very smart people within the system but I wonder personally how any of them stand the general level of incompetence. I can't get a straight answer out of them except for "duty", which may be the real one.

      That said, the whole infrastructure is on the wrong track to gaining true capability. Needs changing.

      * Each agency has a "Designated Approving Authority" or DAA. It's usually the highest ranking person at said agency. That is who takes ownership of risk.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  3. FUBAR = Normal by Edgewood_Dirk · · Score: 4, Informative

    I'm a currently-serving active duty Marine, and the fact that we're not ready for cyberwarfare is symptomatic of our way of doing things. The problem with the US military changing its ways of doing anything is that if there isn't a group of people already trained for the purpose of that new thing, its not gonna get done. Every Marine/sailor/soldier/airman/coastie has a specific job designation when they join up. They may do certain things outside of their scope at times, but "innovation" isn't commonplace or encouraged. It will be years if not a decade or more before an entirely new MOS (Military Occupational Specialty) is created and a training program implemented for the single purpose of creating "cyber-soldiers". Until that happens, the military will rely on other assets within the federal services, or contractors.

  4. How to prepare for cyberwar by Xenkar · · Score: 4, Interesting

    Step 1: Make our own hardware again.
    Step 2: Remove anything critical to our infrastructure from the damned internet.
    Step 3: Remove our government computers from the internet and on to a private intranet where they can log everything and hunt down witches/pedophiles in the government while the rest of us get a pass from ineffective feel-good legislation.

    1. Re:How to prepare for cyberwar by bky1701 · · Score: 4, Insightful

      Step 4: Close government-mandated security holes in software the CIA and FBI asked for.

      --
      Great Intellect...
  5. Military are slowly changing by Calibax · · Score: 3, Interesting

    I suppose the summary quotes 18 levels because that's approximately the number of ranks in each branch of the military. But it's not really 18 levels of management. Remember the old saying "Privates are for doing things, sergeants are for making certain things get done, officers are for thinking." And even junior officers don't get involved in purchasing decisions. The actual level of management when it comes to purchasing is more like 5 or 6, but even that is a big number.

    What really screws things up is that the military purchasing machine is designed for 100k+ of each item with fairly exacting requirements about being easy to operate, able to work in severely adverse conditions, and to be "fair" to everyone wanting to sell to the military. Which means a very complete description (sometimes thousands of pages), open bids, preference to certain categories of bidders, and much else. Oh, and they need to appear accountable for spending all the money that an army sized purchase entails.

    So the guys who actually need relatively small amounts of highly specialized equipment are fighting an entrenched bureaucracy who wants to preserve the status quo. Think $500 hammers. I believe it's getting better though, at least in some areas, and the process is getting reduced from decades to months. Even so, they are rarely have the ability to on-line order stuff from commercial vendors and pay with a credit card, although that does happen sometimes.

    The guy speaking at the lecture is right - large militaries can't move as fast as small fast moving enemy groups. But when they do move they can usually outspend him by at least 100,000:1. Which probably doesn't help.

    The key is to organize like the bad guys - small groups each with their own budget and freedom to use it without having to go up the chain of command.

  6. Privateers by Beryllium+Sphere(tm) · · Score: 4, Interesting

    Back in the old days, governments would authorize private parties to go out and do bad things to the enemies of the governments.

    http://en.wikipedia.org/wiki/Letter_of_marque

    Reviving that concept might work better than trying to use the military for a task it's not optimized for.

  7. Questionable Qualifications by farploop · · Score: 3, Interesting

    In reviewing this, I find it amazing that Laura Callahan (the former senior deputy director at DHS who resigned in 2004 after an investigation found out that she had received three degrees from a diploma mill in Evanston, Wyoming) is now working again for US Cyber Command as a GS-14 employee as of May 2011. If you google her name, you'll find the entire story of what her lack of qualifications did to several government agencies and the white house (clinton e-mail scandal). My question is that how did someone with a history of misleading investigators get hired for this type of position (which no doubt involves access to classified information ala NIPR/SIPRnet, JWICS, etc) given her previous 'fraudulent' degrees. A check of OPM regulations shows that lying or misleading investigators in the course of a background investigation, including prior bad acts, and falsification of academic credentials is grounds for termination, or being marked ineligible for hiring. I would suggest if the military wants to keep losing ground, all it needs to do is to continue to hire persons like Ms. Callahan and watch the damage unfold. As for the part of outsourcing, you might want to ask Booz Allen Hamilton and IRC federal about their recent break in by Anonymous and the loss of sensitive information and PII.