GAO Report: DoD Incompetent At Cybersecurity
itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."
no shit! also the government spends too much money and ducks fly
just the fact they are still using the term "cyber" should tell anyone with half a brain they are stuck in the 90's, what about Information Highway Border patrol to bring that up to at least earlier last decade
Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.
"We're from the government and we're here to help."
Step #1: We need more funding from tax payers.
Step #2: ????
Step #3: 1&2 didn't help matters at all. So, keep repeating 1&2 over and over and tell everyone that nobody else could ever have a chance at doing this as well as we can. In 20 years we'll all be retired and won't care.
— General Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre, 1911.
The overall military attitude is that if it isn't in the 'book', it is worthless. New paradigms confuse the establishment, that's as old as the 'book'. (It's a metaphor, please don't attack this argument as if it refers to a literal 'book').
Use OpenBSD instead. That way, the only persistent security vulnerability is shark attacks.
But seriously, there's only one real solution to military scale security. Use a physically and logically separate network. You can't hack what you're not connected to.
"According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks"
Well, fucking DOH !!!!!!
Hur, hur, hur... govinmints can't do anyfing right. Try to remove your obvious politics from this debate and argue facts. There are arenas where government does better than private industry, where 'loss leading' actually ends up with a net benefit for the populace... arenas where private industry will refuse to lead because they will take a short term loss
The goal of most DoD procurement is not to get the item needed to the place it's needed as quickly and cheaply as possible, but instead to ensure very large contracts to a very small number of "defense" contracting companies with political connections.
I am officially gone from
You could have just stopped after "Incompetent"
Can we explicitly name ICE and DHS in there too?
I hear they can't take down the right webpage and only listen to media corporations
You don't want your weapon blueprints getting hacked and stolen? It's a pretty simple and obvious solution. Don't put it on computers that are plugged into a global network. There isn't a "DUH" big enough.
Up against the wall, commie!
We all know the gov is slow to adapt, but it should also be pointed out the methods by which most of the DOD operates.
1. Should we do "it"?
2. Write a directive on how to do "it".
3. Have "it" reviewed and revised ad nauseum until "it" is no longer relevant nor accurate.
4. Give "it" to the newest lowest ranking least trained to implement, as the superiors have already reviewed "it".
5a. Interrupt mission critical operations by implementation gone wrong, resulting in a stop on progress, have a meeting, go back to step 2/3.
5b. Attempt to schedule a known outage and have it postponed indefinitely, as the risk of leaving things "as they are" is less damaging (for now) than interrupting current operations for a preventative change.
--------
That's the basic gist of it anyway.
And if you could name one you would have.
Infrastructure... large capital investments with long tails aren't liked by shareholders... maybe the answer is that I didn't want to get into a stupid argument made by people who don't wish to acknowledge fact over their own personal version of reality.
not so much about removing politics, more about removing kickbacks in all their forms, including plush jobs...
The Cloud - because you don't care if your apps and data are up in the air.
Yeah. OK LOL. Infrastructure .. Like the privately owned pristine highways as opposed to the state run highways.
"I didn't want to get into a stupid argument made by people who don't wish to acknowledge fact.."
"How to Win Friends & Influence People", check it homie.
But not because it's apparent in recent hacks, only because of its root cause.
Soldiers are enlisting in the Department of Defense's military branches because they are genuinely motivated to do so through well-established ideological factors. Hackers and skilled system administrators, on the other hand, are motivated by money, challenges, work environment, etc.
So riddle me, the skilled sysadmin hacker, this:
Why do I want to work for a bureaucratic, bloated, warmongering entity who arguably hasn't protected America in almost forty years from a conceptualized threat? Especially considering their most publicly visible sysadmin has spent the past few months of his life rotting in a prison, presumably facing the death penalty?
Why would I work for a company where contracts and lobbyists take precedence over policy and logical process and procedure?
And I don't mean to troll. I've had job opportunities in various islands offered to me by the Department of Defense, but I still can't commit.
Good people go to bed earlier.
At most big organizations, PHBs run the show, and HR running hiring does not help.
Some poor security comes from vendor systems and software; some of that software comes from a golf course meeting, and IT does not even get to test it.
Overworked IT taking shortcuts to get the job done vs. taking the time to do a better job is also a mess. Also, long waits to get stuff can lead to workers doing what it takes to get their job done, even when they have to bypass security.
Keeping old software that needs security holes to work right.
Outside firms running IT are very hit or miss.
The IT manager needs to be a tech guy with FULL hiring, job posting, and firing rights.
Need to hire people for what they know and not WHO they know, or at least give some kind of test to see what they know about IT.
IT needs to have testing servers, labs and more.
Some departments may even need their own IT guys / IT people who work in that department and are also part of the main IT team.
The IT department needs to have the power to set rules and more.
NO "must have degree" rules; better to have IT training.
Because private industry has fucking none of those.
-lol- God you're stupid.
Nice... check out the history of US railways that failed without huge US government investment... maybe look at the Australian NBN... broadband that has lacked investment for 10 years or more because Telstra fails at infrastructure without government support. Maybe you should post under a profile instead of being some random who won't attach his name to an argument. HUR HUR HUR LOL. Make a real argument AC. The US model is not the be all, and end all. I don't want to be your friend asshole, I don't want to influence you... maybe you have an unnatural obsession with being someone's friend and manipulating them instead of actually being logical?
Let's give them more money and put them in charge of health care.
Health care was the problem. If the government (specifically the Democratic Party) had focused their attention on getting this country working again, most of the health care issue would have taken care of itself. Then we would have some breathing room to figure out actual health policy. We cannot fix the mess we are in until we bring industry back to this country and get people working in decent middle class jobs again. That's how FDR did it and we need to follow his lead. Then again wtf am I talking about; we never learn from history.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
That's the problem with government contracting. They pay for the process, not the end result. I can understand that for single demonstration phase, but network security is commoditized. The flaws and patches are well known. You shouldn't be paying to reinvent the wheel every GD time.
Hire some accomplished network programmers at your headquarters, create a model network and security scheme, and any time you want to add anything, make sure it follows that model.
"I want to set up a network here in the desert. Let me get the checklist. When I make the last check, it's done and we're ready to go."
Are military networks even connected to the Internet in the first place? Shouldn't the most important function of government be completely isolated?
Health care was the problem. If the government (specifically the democratic party) had focused their attention on getting this country working again most of the health care issue would have taken care of itself.
If you believe that, you truly don't understand the problem.
Never heard of the Telephone, have you? Or the electrical power grid? Or the highway system?
Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said.
If I were going to have a secure network that is perfectly sustainable over time, I would do exactly the same thing. Increased reward decreases rebellion and acting out against a secret entity.
Announcing "Oh, noz! W3 just been hax0r3ddd and j0o gott teh most secret3d infoz!!!!!1" sates the aggressor.
I'm just sayin'.
What does this say about the hypocrisy of the Thomas Drake prosecution, a guy just trying to point out some of the mismanagement in DOD IT that he was privy to? http://natsecurityeb.blogspot.com/2010/10/thomas-drake.html or what former CIO Kundra said about an IT cartel controlling U.S. gov IT. http://www.computerworld.com/s/article/9218466/Outgoing_federal_CIO_warns_of_an_IT_cartel_?taxonomyId=13&pageNumber=1
The DoD thinks fancy war-machines are sexy. To them, if it isn't powerful and deadly, it isn't sexy. Until they see the consequences of their poor performance, they will continue to take an uneducated approach to information security.
Mod me down, I shall become more off-topic than you could possibly imagine.
Or fundamental research?
I'm always surprised by what information is accessed when systems are compromised from the Internet. Isn't the purpose of SIPRNet to keep classified information off of machines that are connected (in any way) to a public network?
nou
It would have been nice to mention somewhere in the summary what GAO stands for.
(Note: it's the Government Accountability Office.)
When someone says, "Any fool can see
I guess everyone is entitled to their own opinion. The basic fact is that our government is fractured by party lines and long held ideology. They are so divided that they can't get their shit together to pass one bit of legislation that will put us (and China among others) back at least 30 years if it fails. Oh yeah, and we basically let China hack in and steal our state secrets. That's not just a DoD thing either.
I must ask: Have YOU been on "the inside" of all of what you're speaking of, especially from a U.S. Governmental standpoint?
* It sounds it... let me guess - as a contractor, right?
APK
P.S.=> Just curious & no sarcasm intended...
... apk
It worked for FDR. Bush tried it, didn't work.
Would that be Lulzsec and Anonymous they are referring to?
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Private industry plays with their own money; the government, with ours.
Except when it is on the back of your labor that your company's C-level execs and VPs of who-knows-what get to fly around in private jets and live in houses that cost more than you'll make in your entire life.
Coincidentally, I'm training right now to do Cyber Ops for the United States Air Force.
still, nobody's forced to work for them, nor to buy their wares.
with the government, you just HAVE to pay. and comply.
Why is some secure DOD system that houses military blueprints even connected to the internet AT ALL? It should not be reachable from any computer that can also reach the internet, or can even reach another computer that can.
Part of defense security is strategic leaks of "dis-information". Who knows whether these are "Area 51" leaks (USA acting like it was covering up flying saucers in order to confuse Russians)? To borrow a quote from a famous battle of Little Big Horn (from Little Big Man - Custer to Hoffman):
''Still trying to outsmart me, aren't you, mule-skinner. You want me to think that you don't want me to go down there, but the subtle truth is you really *don't* want me to go down there! ''
Gently reply
You can not work for them and then go work for some other company that does the same thing for you. If we want to live in the land of make believe, you can also go get a job at Wendy's and not make enough for the government to take any money from you, or you can emigrate. Those are also technically options beyond paying for what the government is doing.
... or not doing.
of the cost of the average gov organization to do the same thing. Has to be: gov's labor costs are higher, and there is zero incentive to be efficient or to hold down costs. I have worked as a contractor for several gov and semi-gov organizations; I have never seen less concern for productivity, costs, efficiency, effectiveness. Hell, compare the average gov web site with the average business, even small business, and you will see these.
There have been lots of these studies over the years, Google references a lot. However, selecting an article from what you consider an un-biased choice is more of a problem, left to each of you.
Also, Medicare has a huge fraud problem. Are these costs included in 'overhead'?