The Pentagon Has More than 250 Cyber Gaps in Its Networks, Watchdog Says

Rogue Valley

1/14/19
More than 250 cybersecurity vulnerabilities, some more than a decade old, remain unaddressed in the Defense Department’s networks, according to an internal watchdog. Still, auditors found the agency has made significant strides in locking down its tech infrastructure. The Defense Department Inspector General found the Pentagon had yet to correct 266 cyber vulnerabilities highlighted in numerous watchdog reports between July 2017 and June 2018. Some of the issues were identified long ago—two dated back to 2008—but the majority were only discovered in the last year, which auditors acknowledge had given the agency little time to fix them. Most of the vulnerabilities revolved around the agency’s approach to identifying potential gaps in its cyber posture and proactively defending against those threats. Auditors specifically found many shortcomings related to cyber governance, or the policies and practices that help officials monitor risk. “Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems,” the IG wrote in the annual report on the Pentagon’s cyber posture. In the redacted report, auditors detailed a myriad of issues that had gone unaddressed over the previous year.

The department, for instance, has not yet taken steps to comply with the cybersecurity framework developed by the National Institute of Standards and Technology. The Defense Contract Management Agency failed to ensure cyber specialists were properly trained and received necessary certifications, and the Defense Health Agency and Army also failed to consistently secure systems that house electronic health data. The Air Force also couldn’t account for the various digital devices connected to its networks, and branch leaders failed to guarantee cybersecurity was built into the design of various weapons systems. Auditors also reiterated the need to put in place more controls to limit user access and monitor activity across Pentagon networks. The IG on Tuesday published a separate report detailing how inadequate controls left billions of dollars in annual payments potentially vulnerable to bad actors. “Without adequate controls … the [department] cannot ensure that all of its systems, devices, personnel, and vulnerabilities are identified and managed,” auditors wrote.

I believe I posted on this very topic back in June 2018. It's good to learn that significant progress has been made. Our enemies are relying a great deal on their offensive cyber capabilities and we must be prepared to fend off these challenges. However, it should also be acknowledged that with the gargantuan size of the DoD and the rapid speed of digital innovation, Pentagon cyber-defense will always be behind the proverbial eight-ball to some degree.
 

I believe I posted on this very topic back in June 2018. It's good to learn that significant progress has been made. Our enemies are relying a great deal on their offensive cyber capabilities and we must be prepared to fend off these challenges. However, it should also be acknowledged that with the gargantuan size of the DoD and the rapid speed of digital innovation, Pentagon cyber-defense will always be behind the proverbial eight-ball to some degree.

This sounds like a simple topic, but it is not.

A lot of things like this also matter when you look at what system is being discussed. When assigning security and adapting it, it also matters a lot what is vulnerable, and in what way.
This is not a single system, it is tens of thousands of differing systems, all doing different things. Some are open access to everybody, some are highly secured. Some use encryption, some do not. You do not treat all security issues the same, you concentrate on what is most vulnerable and then prioritize from there.

Think of it like your house. You may install alarms, a deadbolt lock, security door, and a camera system on your front and back door. That is fine, that is where most of your possessions and you will be. But do you put that same security into your front gate? Does that much go into the entry to your driveway?

There was a vulnerability we discussed about 2 years ago that the DoD knew about. It was essentially a way that hackers found to gain access into a secure data stream and siphon off information. And they largely left it alone. The data itself was highly encrypted, so the information gathered was essentially worthless, but they monitored it because it gave them information on how and who was doing the penetration.

Most of these flaws are really impossible to secure against, and house rather unimportant data for the most part. I notice it discusses health records. The issue here is often the fact that databases like this are designed to be accessed by multiple other organizations (VA, civilian insurance companies, civilian health organizations, etc). These are not even classified information areas, but are designated as "For Official Use Only" (FOUO) because they contain personal information, and really nothing else. And the more organizations that have access to such information, the more "leaky" it is going to be.

Ultimately, these kinds of things are really in the hands of the civilians that work for the DoD. They are the ones that do this kind of work, the "military itself" rarely gets involved in these because of the way the DoD is set up in the modern era. Heck, I am not even allowed to run a 15 foot CAT-5 cable from one office to another, we have to schedule a team of civilians to come in and do something like that. All accounts and connectivity for my unit in California are handled by a team of civilians in Florida.

And they are so disconnected from what our unit needs it is a joke. 2 months ago they "killed" all the printers in our building, because we are in the process of moving to a new building. It was scheduled for December, but as typical we are not expected to actually move until April or May. And even though reactivating our printers is little more than throwing a switch, they will not do it because we are scheduled to move.

That is real life in the DoD computer systems.
 
I wonder how many will take the bait. :lol:
 