
GAO Report: DoD Incompetent At Cybersecurity

Posted by Soulskill
from the you-have-been-called-out dept.
itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."

  • by Sir_Sri (199544) on Friday July 29, 2011 @12:30PM (#36923912)

    Security is an odd thing. You can be right 99.99999% of the time, and prevent nearly every attack for years, and no one hears about it. But one guy breaks in and steals 25 files on his estranged wife and you have a 'systematic security failure'. Which leads to reviews and all sorts of changes in policies etc.

    The war department, and the various related departments combine to directly employ millions of people, with millions (if not 10's of millions) more employed indirectly through contractors and so on. You're never going to be error free in that environment. It's also very hard to create and implement new policies rapidly for that many people, and because it's a government agency every time you write new rules you have to waste months begging for the paymasters in parliament or congress to both pay for it, and agree to let you do it at all. *IF* they agree to pay for it, it will come with strings attached. You can't build a new network security office in the Pentagon, it has to be in Wyoming, because the senator from Wyoming hasn't gotten his kickbacks or 're-election support' to his district yet, or some sort of nonsense like that. Big outfits necessarily want to talk to other big outfits, who themselves have layers of bureaucracy, which adds even more fun.

    Oh and on top of all of that, you have very important, very stupid people (political appointees), who don't know anything about your security procedures, claim themselves too important to be trained because they've been brought in as outsiders to be 'reformers' and IT is left scrambling to keep them connected. Along with keeping everyone else connected, while they're fighting wars, integrate with allied systems, make information open to people who need it, closed to people who don't and leaving a paper trail of accountability so that the GAO, auditor general, national audit office etc. can read everything, and find stuff to complain about. I don't envy any of the people trying to make all of this work, especially on 4 year election cycles when, by the time you get a project going you may find it cut just as you're ready to get it going properly.

    Unfortunately the military doesn't have the ability to go to a black hat conference, pick the 5 most promising security experts, slap 3 stars each on their sleeves and ask them to fix it. Most of the people who actually know stuff about security have no desire to go through the long road to leadership in the government, and by the time they can be pulled in from the private sector as political appointees they have no clue what's actually going on.

  • by malsbert (456063) on Friday July 29, 2011 @12:32PM (#36923944)

    'He advocated peace terms that would make Germany unable to pose a threat to France ever again. His words after the Treaty of Versailles, "This is not a peace. It is an armistice for twenty years" would prove prophetic; World War II started twenty years and sixty five days later.' -- Wikipedia. [wikipedia.org]

    You win some, you lose some.
