Slashdot Mirror


GAO Report: DoD Incompetent At Cybersecurity

itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."

12 of 104 comments

  1. So does everyone else by MozeeToby · · Score: 4, Insightful

    Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

    1. Re:So does everyone else by Sir_Sri · · Score: 4, Interesting

      Security is an odd thing. You can be right 99.99999% of the time, and prevent nearly every attack for years, and no one hears about it. But one guy breaks in and steals 25 files on his estranged wife and you have a 'systematic security failure'. Which leads to reviews and all sorts of changes in policies etc.

      The war department, and the various related departments combine to directly employ millions of people, with millions (if not tens of millions) more employed indirectly through contractors and so on. You're never going to be error free in that environment. It's also very hard to create and implement new policies rapidly for that many people, and because it's a government agency every time you write new rules you have to waste months begging for the paymasters in parliament or congress to both pay for it, and agree to let you do it at all. *IF* they agree to pay for it, it will come with strings attached. You can't build a new network security office in the Pentagon, it has to be in Wyoming, because the senator from Wyoming hasn't gotten his kickbacks or 're-election support' to his district yet, or some sort of nonsense like that. Big outfits necessarily want to talk to other big outfits, who themselves have layers of bureaucracy, which adds even more fun.

      Oh and on top of all of that, you have very important, very stupid people (political appointees), who don't know anything about your security procedures, claim themselves too important to be trained because they've been brought in as outsiders to be 'reformers', and IT is left scrambling to keep them connected. Along with keeping everyone else connected while they're fighting wars, integrating with allied systems, making information open to people who need it and closed to people who don't, and leaving a paper trail of accountability so that the GAO, auditor general, national audit office etc. can read everything and find stuff to complain about. I don't envy any of the people trying to make all of this work, especially on 4 year election cycles when, by the time you get a project going, you may find it cut just as you're ready to get it going properly.

      Unfortunately the military doesn't have the ability to go to a Black Hat conference, pick the 5 most promising security experts, slap 3 stars each on their sleeves and ask them to fix it. Most of the people who actually know stuff about security have no desire to go through the long road to leadership in the government, and by the time they can be pulled in from the private sector as political appointees they have no clue what's actually going on.

    2. Re:So does everyone else by scosco62 · · Score: 2

      I think it's more about the nature of complex systems. Politics and trolling aside, I would think the larger the internet-facing infrastructure, the (exponentially) harder it is to secure. Add the need to service other organizations within that infrastructure, and it's a commitment that folks are just coming around to, public and private. My disappointment is not the government so much (as it relates to this topic anyway), but rather the firms that are supposedly securing them. My experience has been that the guiding philosophy with these guys is a) bill as much as you can, without pissing the customer off, b) template your approach, creative thinking is risky, and c) make your customer just slightly more secure than the next target. This is a generalization, to be sure, but until you have smart people with the skills and the mindset that they need to evolve quicker than the threats out there, it's just going to mean more negative publicity as well as more money for substandard contractors. Just my two cents.

    3. Re:So does everyone else by Lifyre · · Score: 2

      All salient points but the biggest issue by far is the last one you pointed to. Getting to the point where you can make a difference in the military takes so long and requires so much focus that the knowledge you did have is now years out of date and no longer relevant. This is in part because those stars would grant authority much beyond the narrow security realm.

      What the services need is the authority to go to a Black Hat conference and hire those experts and give them authority over security without the broad powers inherent with rank. If those that have stars on their shoulders take this issue seriously it could be done relatively easily and rapidly, though implementation would take time. Unfortunately getting those stars usually means you're more of a political animal than the president...

      --
      I'll meet you at the intersection of "Should be" and "Reality"
  2. Carriers vs Battleships by Dexter+Herbivore · · Score: 3, Insightful

    Aviation is fine as a sport. But as an instrument of war, it is worthless.

    — General Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre, 1911.

    The overall military attitude is that if it isn't in the 'book', it is worthless. New paradigms confuse the establishment, that's as old as the 'book'. (It's a metaphor, please don't attack this argument as if it refers to a literal 'book').

    1. Re:Carriers vs Battleships by malsbert · · Score: 3, Interesting

      'He advocated peace terms that would make Germany unable to pose a threat to France ever again. His words after the Treaty of Versailles, "This is not a peace. It is an armistice for twenty years" would prove prophetic; World War II started twenty years and sixty five days later.' -- Wikipedia.

      You win some, You lose some.

      --
      "Men will never be free until the last king is strangled with the entrails of the last priest." - Denis Diderot.
    2. Re:Carriers vs Battleships by Old97 · · Score: 2

      No one will ever need more than 640k. - Bill Gates (paraphrased)

      Being wrong != being an idiot. The U.S. military is capable of some amazingly original and innovative thinking. It is also capable of rigid, reactive idiocy. I'm a veteran, have relatives currently in the military and I've worked with the military on a couple of projects. There isn't "an overall attitude" other than "accomplish the mission". If cyber security were seen as "a mission" with definitions for "victory" and "defeat" they'd be right on it. In the meantime they've got enemies with bombs, chemicals and guns to worry about. How do we get the politicians and the military to see cyber security in this light before a cyber security disaster occurs?

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
  3. Re:News flash: government is incompetent by Dexter+Herbivore · · Score: 4, Insightful

    Hur, hur, hur... govinmints can't do anyfing right. Try to remove your obvious politics from this debate and argue facts. There are arenas where government does better than private industry, where 'loss leading' actually ends up with a net benefit for the populace... arenas where private industry will refuse to lead because they will take a short-term loss.

  4. Re:Simple solution by NatasRevol · · Score: 2

    Or humans.

    --
    There are two types of people in the world: Those who crave closure
  5. Re:News flash: government is incompetent by Dexter+Herbivore · · Score: 2

    Infrastructure... large capital investments with long tails aren't liked by shareholders... maybe the answer is that I didn't want to get into a stupid argument made by people who don't wish to acknowledge fact over their own personal version of reality.

  6. Re:Simple solution by couchslug · · Score: 2

    "You can't hack what you're not connected to."
    Roger that. It wouldn't be difficult to convert to something different. Tell people to shut up and color. It's called "giving orders" and works a treat!

    BTW I served through the transition from "no computers in most units-send your documents to the keypunch folks" to "Unix terminals in many units" to "shitload of Windows boxes everywhere". (1981-2007)

    Many of us missed the simplicity and speed of entering maintenance data in a terminal. Precise, faster than dropdown menus, and "green text on a black background" was easy to read.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  7. Re:This just in by jo42 · · Score: 2

    "The only competence of any government appears to be the ability to endlessly piss away taxpayer money." - me