The US Army has gaping holes in its information security infrastructure and operates an environment of vulnerability reporting fear, according to current and former members of the department's cyber wing.
Captain Michael Weigand and Captain Rock Stevens make the comments in an academic piece on the Cyber Defense Review, a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command.
In it they say most of the Army's systems are underpinned by information technology but are exposed by an absence of centralised patch management and full bug remediation oversight, along with a "ban" on penetration testing.
The US Army men say internal staff who find vulnerabilities have no incentive to report bugs they find and face no repercussions for keeping silent, which amounts to a "do nothing" culture.
Moreover, Defence vulnerability researchers work in an atmosphere "fraught with danger and much trepidation" where disclosure is weighed against the risk of "reprisal".
Those risks could include revocation of security clearances, loss of access to IT systems, and "punitive action" under the Uniform Code of Military Justice, which they describe as "viable outcomes" for those who "casually stumble" on bugs.