Tuesday, October 27, 2015

U.S. Army computer systems have more security holes than Swiss Cheese

A "do nothing" culture:
The US Army has gaping holes in its information security infrastructure and operates an environment of vulnerability reporting fear, according to current and former members of the department's cyber wing. 
Captain Michael Weigand and Captain Rock Stevens make the comments in an academic piece on the Cyber Defense Review, a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. 
In it they say most of the Army's systems are underpinned by information technology but are exposed by an absence of centralised patch management and full bug remediation oversight, along with a "ban" on penetration testing. 
So where does this all come from, you might ask?  It seems from the top:
The US Army men say internal staff who find vulnerabilities have no incentive to report bugs they find and face no repercussions for keeping silent, which amounts to a "do nothing" culture. 
Moreover Defence vulnerability researchers work in an atmosphere "fraught with danger and much trepidation" where disclosure is weighed against risk of "reprisal". 
Those risks could include revocation of security clearances, loss of access to IT systems, and "punitive action" under the Uniform Code of Military Justice which they describe as "viable outcomes" for those who "casually stumble" on bugs.
Heads should roll.


matism said...

Which is why I suggest that FreeFor attempt to recruit programmers who have worked on drone systems and pair them with hackers to create an opportunity when the FedGov deploys armed drones stateside. I expect that the operators' workstations are running some Microsoft product, with their known backdoors. A hack that would give FreeFor the ability to take control of an armed drone would present a REAL problem for the evil running this country. No, one would not be able to fly a hacked drone from Cucamonga, CA to the District of Corruption and deliver Hellfire justice. But one SHOULD be able to get control for a few minutes before the enemy realized what had happened. And a Hellfire on a DHS Fusion Center, or courthouse, or mayor's office or home, would send a special message...

burt said...

The US military's problem isn't the computers: it's the ingrained "empire"-based hierarchy that reinforces its "don't rock the boat" environment.

Whistleblowers are not considered a valuable resource: they are considered "boat-rockers". And the way the military currently works, the boat's commander is the one who might not be promoted because of the rocking - even if he/she was not responsible for the way the boat was constructed. Thus, silence is the order of the day.

There's only one way to fix this: change the military advancement system so that "boat-rockers" are counted (in points) TOWARD advancement: the more "boat-rockers" you have, and the more they identify and help fix problems in the command, the faster your path to advancement.

Yeah... like THAT will happen... "loose lips" and such...

Anonymous said...

It's a lot less serious that all that.

1. People who work in the army are NOT anarchists. They have real jobs and alarm clocks and they drag their asses out of bed every morning to get to their jobs. They simply are incapable of thinking like anarchists. They look at their computers as tools to accomplish their jobs and occasionally to look at some Bewbs. They don't come to work thinking, "How can i screw this whole thing up and watch it burn".

2. The creation of operating systems, microchips, patches, and drivers are all way more complex than any small group in the military can make sense of. Most software and hardware giants need large teams of experts plus infrastructure to do what they do. So it is simply not possible for military people, even experts in cyber, to do anything that would be effective in the realm of defense. They trust the big companies who provide them stuff because they are at their mercy. They have no way to see the electrons running the maze. So, even the military Cyber ninjas are really only theorists who might have done some hacking once or twice and they spend their time convincing others in the military that cyber defense "is a big problem". but they don't have a clue about how to fix it.

3. The most obvious way to fix it is: take it off the internet. Put the military system on their own private network. 99% of military internet usage is just plain goofing off. military units don't need facebook, twitter accounts, or fast access to the blogosphere. Everything they do need can be provided on a private network with no dial-in ports.

Divemedic said...

This is typical of a peacetime military. People fight to maintain their careers. (Don't tell me this military is at war. There are just over 2 million people in the military, and less than 10,000 of them are in Afghanistan. )