GAO Report: DoD Incompetent At Cybersecurity
itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."
no shit! also the government spends too much money and ducks fly
Just the fact they are still using the term "cyber" should tell anyone with half a brain they are stuck in the 90s. What about "Information Highway Border Patrol" to bring that up to at least early last decade?
Let's give them more money and put them in charge of health care.
Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.
— General Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre, 1911.
The overall military attitude is that if it isn't in the 'book', it is worthless. New paradigms confuse the establishment, that's as old as the 'book'. (It's a metaphor, please don't attack this argument as if it refers to a literal 'book').
Use OpenBSD instead. That way, the only persistent security vulnerability is shark attacks.
But seriously, there's only one real solution to military scale security. Use a physically and logically separate network. You can't hack what you're not connected to.
"According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks"
Well, fucking DOH !!!!!!
The goal of most DoD procurement is not to get the item needed to the place it's needed as quickly and cheaply as possible, but instead to ensure very large contracts to a very small number of "defense" contracting companies with political connections.
I am officially gone from
You could have just stopped after "Incompetent"
Can we explicitly name ICE and DHS in there too?
I hear they can't take down the right webpage and only listen to media corporations
You don't want your weapon blueprints getting hacked and stolen? It's a pretty simple and obvious solution. Don't put it on computers that are plugged into a global network. There isn't a "DUH" big enough.
Up against the wall, commie!
We all know the gov is slow to adapt, but the methods by which most of the DOD operates should also be pointed out.
1. Should we do "it"?
2. Write a directive on how to do "it".
3. Have "it" reviewed and revised ad nauseam until "it" is no longer relevant nor accurate.
4. Give "it" to the newest lowest ranking least trained to implement, as the superiors have already reviewed "it".
5a. Interrupt mission critical operations by implementation gone wrong, resulting in a stop on progress, have a meeting, go back to step 2/3.
5b. Attempt to schedule a known outage and have it postponed indefinitely, as the risk of leaving things "as they are" is less damaging (for now) than interrupting current operations for a preventative change.
--------
That's the basic gist of it anyway.
but not because it's apparent in recent hacks, only because of its root cause.
Soldiers are enlisting in the Department of Defense's military branches because they are genuinely motivated to do so through well-established ideological factors. Hackers and skilled system administrators, on the other hand, are motivated by money, challenges, work environment, etc.
So riddle me, the skilled sysadmin hacker, this:
Why do I want to work for a bureaucratic, bloated, warmongering entity who arguably hasn't protected America in almost forty years from a conceptualized threat? Especially considering their most publicly visible sysadmin has spent the past few months of his life rotting in a prison, presumably facing the death penalty?
Why would I work for a company where contracts and lobbyists take precedence over policy and logical process and procedure?
And I don't mean to troll. I've had job opportunities on various islands offered to me by the Department of Defense, but I still can't commit.
Good people go to bed earlier.
At most big organizations PHBs run the show, and HR running hiring does not help.
Some poor security comes from vendor systems and software; some of that software comes from a golf course meeting and IT does not even get to test it.
Overworked IT taking shortcuts to get the job done vs. taking the time to do a better job is also a mess. Also, long waits to get stuff can lead to workers doing what it takes to get their job done, even when they have to bypass security.
Keeping old software that needs security holes to work right.
Outside firms running IT are very hit or miss.
The IT manager needs to be a tech guy with FULL hiring, job posting, and firing rights.
Need to hire people for what they know and not WHO they know or at least give some kind of test to see what they know about IT.
IT needs to have testing servers, labs and more.
Some departments may even need their own IT guys / IT people who work in that department and are also part of the main IT team.
The IT department needs to have power to set rules and more.
NO must have degree rules, better to have IT training.
That's the problem with government contracting. They pay for the process, not the end result. I can understand that for a single demonstration phase, but network security is commoditized. The flaws and patches are well known. You shouldn't be paying to reinvent the wheel every GD time.
Hire some accomplished network programmers at your headquarters, create a model network and security scheme, and any time you want to add anything, make sure it follows that model.
"I want to set up a network here in the desert. Let me get the checklist. When I make the last check, it's done and we're ready to go."
are military networks even connected to the Internet in the first place? Shouldn't the most important function of government be completely isolated?
Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said.
If I were going to have a secure network that is perfectly sustainable over time, I would do exactly the same thing. Increased reward decreases rebellion and acting out against a secret entity.
Announcing "Oh, noz! W3 just been hax0r3ddd and j0o gott teh most secret3d infoz!!!!!1" sates the aggressor.
I'm just sayin'.
What does this say about the hypocrisy of the Thomas Drake prosecution, a guy just trying to point out some of the mismanagement in DOD IT that he was privy to? http://natsecurityeb.blogspot.com/2010/10/thomas-drake.html or what former CIO Kundra said about an IT cartel controlling U.S. gov IT. http://www.computerworld.com/s/article/9218466/Outgoing_federal_CIO_warns_of_an_IT_cartel_?taxonomyId=13&pageNumber=1
The DoD thinks fancy war-machines are sexy. To them, if it isn't powerful and deadly, it isn't sexy. Until they see the consequences of their poor performance, they will continue to take an uneducated approach to information security.
Mod me down, I shall become more off-topic than you could possibly imagine.
I'm always surprised by what information is accessed when systems are compromised from the Internet. Isn't the purpose of SIPRNet to keep classified information off of machines that are connected (in any way) to a public network?
It would have been nice to mention somewhere in the summary what GAO stands for.
(Note: it's the Government Accountability Office.)
When someone says, "Any fool can see
I must ask: Have YOU been on "the inside" of all of what you're speaking of, especially from a U.S. Governmental standpoint?
* It sounds it... let me guess - as a contractor, right?
APK
P.S.=> Just curious & no sarcasm intended...
... apk
It worked for FDR. Bush tried it, didn't work.
Would that be Lulzsec and Anonymous they are referring to?
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Coincidentally, I'm training right now to do Cyber Ops for the United States Air Force.
Why is some secure DOD system that houses military blueprints even connected to the internet AT ALL? It should not be reachable from any computer that can also reach the internet, or can even reach another computer that can.
Part of defense security is strategic leaks of "dis-information". Who knows whether these are "Area 51" leaks (USA acting like it was covering up flying saucers in order to confuse Russians)? To borrow a quote from a famous battle of Little Big Horn (from Little Big Man - Custer to Hoffman):
"Still trying to outsmart me, aren't you, mule-skinner. You want me to think that you don't want me to go down there, but the subtle truth is you really *don't* want me to go down there!"
Gently reply
of the cost of the average gov organization to do the same thing. Has to be: gov's labor costs are higher, and there is zero incentive to be efficient or to hold down costs. I have worked as a contractor for several gov and semi-gov organizations, and I have never seen less concern for productivity, costs, efficiency, or effectiveness. Hell, compare the average gov web site with the average business, even small business, and you will see this.
There have been lots of these studies over the years; Google references a lot of them. However, selecting an article from what you consider an unbiased source is more of a problem, left to each of you.
Also, Medicare has a huge fraud problem. Are these costs included in 'overhead'?