
GAO Report: DoD Incompetent At Cybersecurity 104

Posted by Soulskill
from the you-have-been-called-out dept.
itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."
  • no shit! also the government spends too much money and ducks fly

    Just the fact they are still using the term "cyber" should tell anyone with half a brain they are stuck in the '90s. What about "Information Highway Border Patrol" to bring that up to at least earlier last decade?

    • by jo42 (227475)

      "The only competence of any government appears to be the ability to endlessly piss away taxpayer money." - me

      • Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US.

        You don't write articles about how great the government is at administration, just about when it messes up administration.

        • by jc42 (318812)

          The only competence of any government appears to be the ability to endlessly piss away taxpayer money.

          Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US. You don't write articles about how great the government is at administration, just about when it messes up administration.

          It's part of the American "conservative" ideology, that everything wrong with the world is due to governments, and everything good is due to corporations.

          In reality, the problems are present in all human organizations. If an organization, government or corporate or whatever, pays attention to a topic, they can generally solve it. But it's more common for any human organization to become a "power center", with its own internal ideology and mythology, and punish anyone who goes against the organization's

        • Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US.

          This is very convenient, if both you and your condition happen to be covered by Medicare, and you can find health care providers willing to settle for Medicare payments.

          • I agree that medicare should be expanded to cover everyone, but the satisfaction is unconditional--a random sample of all people covered by Medicare are asked how happy they are with it, and they (presumably) take into account how easy it is to find a covered doctor.

            I'd amend your quote to, "this is very convenient if you are covered by Medicare."

      • by slick7 (1703596)

        "The only competence of any government appears to be the ability to endlessly piss away taxpayer money." - me

        What's the difference between the Boy Scouts and the military?
        The Boy Scouts are run by adults.

    • Would that be Lulzsec and Anonymous they are referring to?

  • by MozeeToby (1163751) on Friday July 29, 2011 @01:00PM (#36923326)

    Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

    • by Anonymous Coward

      Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

      Part of the problem is being big. If you're small and don't ruffle any feathers then you don't become a target in the first place.

      • by Sulphur (1548251)

        Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

        Part of the problem is being big. If you're small and don't ruffle any feathers then you don't become a target in the first place.

        Security by obscurity? Happy size your company.

        • Partially it's also security through having a small attack surface. Any employee who needs access to sensitive data is a potential vector for an attack. In a small company, that's typically a small handful of people, most of whom have some investment in the company. In a large company, it's a huge number of people. It's also a more distributed network, with more weak points.
    • by Sir_Sri (199544) on Friday July 29, 2011 @01:30PM (#36923912)

      Security is an odd thing. You can be right 99.99999% of the time, and prevent nearly every attack for years, and no one hears about it. But one guy breaks in and steals 25 files on his estranged wife and you have a 'systematic security failure'. Which leads to reviews and all sorts of changes in policies etc.

      The war department and the various related departments combine to directly employ millions of people, with millions (if not tens of millions) more employed indirectly through contractors and so on. You're never going to be error free in that environment. It's also very hard to create and implement new policies rapidly for that many people, and because it's a government agency, every time you write new rules you have to waste months begging the paymasters in parliament or congress to both pay for it and agree to let you do it at all. *IF* they agree to pay for it, it will come with strings attached. You can't build a new network security office in the Pentagon; it has to be in Wyoming, because the senator from Wyoming hasn't gotten his kickbacks or 're-election support' to his district yet, or some sort of nonsense like that. Big outfits necessarily want to talk to other big outfits, who themselves have layers of bureaucracy, which adds even more fun.

      Oh, and on top of all of that, you have very important, very stupid people (political appointees) who don't know anything about your security procedures, claim themselves too important to be trained because they've been brought in as outsiders to be 'reformers', and IT is left scrambling to keep them connected. Along with keeping everyone else connected while they're fighting wars, integrating with allied systems, making information open to people who need it and closed to people who don't, and leaving a paper trail of accountability so that the GAO, auditor general, national audit office etc. can read everything and find stuff to complain about. I don't envy any of the people trying to make all of this work, especially on 4 year election cycles when, by the time you get a project going, you may find it cut just as you're ready to get it going properly.

      Unfortunately the military doesn't have the ability to go to a black hat conference, pick the 5 most promising security experts, slap 3 stars each on their sleeves and ask them to fix it. Most of the people who actually know stuff about security have no desire to go through the long road to leadership in the government, and by the time they can be pulled in from the private sector as political appointees they have no clue what's actually going on.

      • by Lifyre (960576)

        All salient points but the biggest issue by far is the last one you pointed to. Getting to the point where you can make a difference in the military takes so long and requires so much focus that the knowledge you did have is now years out of date and no longer relevant. This is in part because those stars would grant authority much beyond the narrow security realm.

        What the services need is the authority to go to a black hat conference and hire those experts and give them authority over security without th

    • by scosco62 (864264)
      I think it's more about the nature of complex systems - politics, trolling aside, I would think the larger the internet facing infrastructure, the (exponentially) harder it is to secure....putting the need to service other organizations within that infrastructure, it's a commitment that folks are just coming around to - public and private. My disappointment is not the government so much (as it relates to this topic anyway), but rather the firms that are supposedly securing them. My experience has been that
  • by Dexter Herbivore (1322345) on Friday July 29, 2011 @01:08PM (#36923464) Journal
    Aviation is fine as a sport. But as an instrument of war, it is worthless.

    — General Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre, 1911.

    The overall military attitude is that if it isn't in the 'book', it is worthless. New paradigms confuse the establishment, that's as old as the 'book'. (It's a metaphor, please don't attack this argument as if it refers to a literal 'book').

    • by malsbert (456063) on Friday July 29, 2011 @01:32PM (#36923944)

      'He advocated peace terms that would make Germany unable to pose a threat to France ever again. His words after the Treaty of Versailles, "This is not a peace. It is an armistice for twenty years" would prove prophetic; World War II started twenty years and sixty five days later.' -- Wikipedia. [wikipedia.org]

      You win some, You lose some.

      • I never said that F Foch was always correct, I was merely trying to illustrate that military minds don't always recognise the correct answer. New forms of warfare confuse and irritate the 'old school'.
        • by malsbert (456063)

          I know, and do agree. I just do not see it as an inherent military thing. F Foch was old in 1911, and nothing wrong with that! It just means he was not as likely to care about tech 20 some years into the future. In 1911, and the near future, aircraft were "worthless".

          • by St.Creed (853824)

            There were however, a few people who did see the use of the plane as a new weapon. But it was a minority.

            A good book about that (and other things) is "The social history of the machine gun" which is as fun to read as it sounds :) It goes into detail about the conservative attitudes of the officers in the first world war, and links that to their social background (a large number were land owners). The sad part is where it details what happened to the horses. I mean: barbed wire, trenches, machine guns for mi

    • by Old97 (1341297)
      No one will ever need more than 640k. - Bill Gates (paraphrased)

      Being wrong != being an idiot. The U.S. military is capable of some amazingly original and innovative thinking. It is also capable of rigid, reactive idiocy. I'm a veteran, have relatives currently in the military and I've worked with the military on a couple of projects. There isn't "an overall attitude" other than "accomplish the mission". If cyber security were seen as "a mission" with definitions for "victory" and "defeat" they'd b
      • Please see my parent comment... I did NOT say that 1 comment makes all comments by that individual incorrect, only that an incorrect comment means that not all comments are RIGHT.
        • by Old97 (1341297)
          I was responding more to your generalization about "military attitude" and the "book". Someone wrote that the military always prepares to fight the last war which is similar in sentiment to what you wrote. The first problem with that is that it's really the military of the winning side that tends to prepare the last war. The losers innovate. However, since Vietnam, the U.S. Military has worked very hard to not repeat this mistake. They've been very good at it as long as next enemy has been identified so
    • Aviation is fine as a sport. But as an instrument of war, it is worthless.

      — General Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre, 1911.

      All this proves is that Foch was an idiot. Military strategists have known the advantage of the high-ground for thousands of years. "Portable, instant high-ground? Genius," I'm sure was uttered within a year of Kitty Hawk.

      There aren't mass-drivers in LEO only because of lift-costs.

    • by timeOday (582209)
      Did he say, "it is worthless" (as you quoted), or "it will always be worthless and should not be pursued further" (as you interpreted him as saying)? Aviation was worthless as an instrument of war in 1911.

      Anyways, I don't know what that has to do with computer security. I don't know any organization the size of DoD that does it as well.

    • Until about 1940, he was right. One usually doesn't append obvious modifiers to their claims like "right now" or "in its current state."

      • by jc42 (318812)

        One usually doesn't append obvious modifiers to their claims like "right now" or "in its current state."

        That's because, in English and all the other (Indo-)European languages, it isn't necessary. In those languages, and in languages in many other families, verbs have an explicit present tense that means "now".

        The problem is that people take a quote from the past and misinterpret the verb's present tense as meaning "now, when I repeat the quote". As in the example we've seen here about military aircraft, people very often do this with malice aforethought, knowing full well that the quote doesn't apply to

  • Use OpenBSD instead. That way, the only persistent security vulnerability is shark attacks.

    But seriously, there's only one real solution to military scale security. Use a physically and logically separate network. You can't hack what you're not connected to.

    • by couchslug (175151)

      "You can't hack what you're not connected to."
      Roger that. It wouldn't be difficult to convert to something different. Tell people to shut up and color. It's called "giving orders" and works a treat!

      BTW I served through the transition from "no computers in most units-send your documents to the keypunch folks" to "Unix terminals in many units" to "shitload of Windows boxes everywhere". (1981-2007)

      Many of us missed the simplicity and speed of entering maintenance data in a terminal. Precise, faster than dropdo

  • The goal of most DoD procurement is not to get the item needed to the place it's needed as quickly and cheaply as possible, but instead to ensure very large contracts to a very small number of "defense" contracting companies with political connections.

  • You could have just stopped after "Incompetent"

    Can we explicitly name ICE and DHS in there too?

    I hear they can't take down the right webpage and only listen to media corporations

  • We all know the gov is slow to adapt, but it should also be pointed out how most of the DoD operates.

    1. Should we do "it"?

    2. Write a directive on how to do "it".

    3. Have "it" reviewed and revised ad nauseam until "it" is no longer relevant nor accurate.

    4. Give "it" to the newest, lowest-ranking, least-trained person to implement, as the superiors have already reviewed "it".

    5a. Interrupt mission critical operations by implementation gone wrong, resulting in a stop on progress, have a meeting, go

  • But not because it's apparent in recent hacks, only because of its root cause.

    Soldiers are enlisting in the Department of Defense's military branches because they are genuinely motivated to do so through well-established ideological factors. Hackers and skilled system administrators, on the other hand, are motivated by money, challenges, work environment, etc.

    So riddle me, the skilled sysadmin hacker, this:

    Why do I want to work for a bureaucratic, bloated, warmongering entity who arguably hasn't protected a

  • At most big organizations, PHBs run the show, and HR running hiring does not help.

    Some poor security comes from vendor systems and software; some of that software comes from a golf course meeting, and IT does not even get to test it.

    Overworked IT taking shortcuts to get the job done vs. taking the time to do a better job is also a mess. Also, long wait times to get stuff can lead to workers doing what it takes to get their job done, even when they have to bypass security.

    Keeping old software that needs security holes to w

  • That's the problem with government contracting. They pay for the process, not the end result. I can understand that for a single demonstration phase, but network security is commoditized. The flaws and patches are well known. You shouldn't be paying to reinvent the wheel every GD time.

    Hire some accomplished network programmers at your headquarters, create a model network and security scheme, and any time you want to add anything, make sure it follows that model.

    "I want to set up a network here in the d
  • Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said.

    If I were going to have a secure network that is perfectly sustainable over time, I would do exactly the same thing. Increased reward decreases rebellion and acting out against a secret entity.

    Announcing "Oh, noz! W3 just been hax0r3ddd and j0o gott teh most secret3d infoz!!!!!1" sates the aggressor.

    I'm just sayin'.

  • The DoD thinks fancy war-machines are sexy. To them, if it isn't powerful and deadly, it isn't sexy. Until they see the consequences of their poor performance, they will continue to take an uneducated approach to information security.
  • I'm always surprised by what information is accessed when systems are compromised from the Internet. Isn't the purpose of SIPRNet to keep classified information off of machines that are connected (in any way) to a public network?
  • It would have been nice to mention somewhere in the summary what GAO stands for.

    (Note: it's the Government Accountability Office.)
  • Why is some secure DOD system that houses military blueprints even connected to the internet AT ALL? It should not be reachable from any computer that can also reach the internet, or can even reach another computer that can.

  • Part of defense security is strategic leaks of "dis-information". Who knows whether these are "Area 51" leaks (USA acting like it was covering up flying saucers in order to confuse Russians)? To borrow a quote from a famous battle of Little Big Horn (from Little Big Man - Custer to Hoffman):

    ''Still trying to outsmart me, aren't you, mule-skinner. You want me to think that you don't want me to go down there, but the subtle truth is you really *don't* want me to go down there! ''
