The DoD Isn't Fixing Its Security Problems

It has produced several reports outlining what’s wrong and what needs to be fixed. It’s not fixing them:

GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.

[…]

The report focuses on three ongoing DoD cybersecurity hygiene initiatives. The 2015 Cybersecurity Culture and Compliance Initiative outlined 11 education-related goals for 2016; the GAO found that the Pentagon completed only four of them. Similarly, the 2015 Cyber Discipline plan outlined 17 goals related to detecting and eliminating preventable vulnerabilities from DoD’s networks by the end of 2018. GAO found that DoD has met only six of those. Four are still pending, and the status of the seven others is unknown, because no one at DoD has kept track of the progress.

GAO repeatedly identified lack of status updates and accountability as core issues within DoD’s cybersecurity awareness and education efforts. It was unclear in many cases who had completed which training modules. There were even DoD departments lacking information on which users should have their network access revoked for failure to complete trainings.

The report.

Posted on April 17, 2020 at 10:35 AM • 12 Comments

Comments

Clive Robinson April 17, 2020 12:15 PM

@ Bruce,

It has produced several reports outlining what’s wrong and what needs to be fixed. It’s not fixing them:

Bearing in mind the constraints of the current “economics” of Government spending can it realistically do so?

The NSA for instance has way bigger budgets for this sort of activity, but even they fail one way or another.

Whilst I am aware of the reasons Congress wanted to follow the “COTS” path it’s proven to be more than somewhat “ill advised”.

Consumer systems are built to an incredibly low price so that some profit can be made.

Well, as we know with both the non-Apple phone market and IoT, there is no longer any profit in hardware, thus “collect what you can” has become the standard way of getting some kind of revenue.

For obvious reasons that consumer business model, like most others in ICT, cannot be, nor ever will be, secure.

If the current changes in working practices continue as is expected by epidemiological modellers such as UoL’s Imperial College, where a 2/3rds shutdown over at least the next three years is considered a likely scenario, along with a shrinkage of 5% in staff, mainly the more experienced “older” staff, the need for a radical change in the way we go about ICT and its security will have to happen…

But I suspect that the business models will move even more towards “insecurity by design”, almost certainly “actively encouraged” by certain elements of Government.

As was once observed[1],

You can’t have your cake and eat it (too)

So you can have cheap technology but you can’t have security at that price

[1] For those not residing in the UK, it is a popular English figure of speech or “idiomatic proverb” that is to do with “resources”. Traditionally the proverb in effect means “you cannot simultaneously have your cake on a plate looking very nice, and be enjoying its taste and melting quality in your mouth”. That is, once the cake is eaten, it is consumed, therefore it is gone and no longer a feast for either eyes or tongue. However, over the last half century or so its meaning has broadened to one of “choice” in what “resources” you decide to expend fiscal resources on, and now is similar to an acceptance of the fact that you can have “nasty trans-fat low-cost all-the-same lookalike cakes from the supermarket, or butter and natural ingredient bespoke / hand-made cakes from a high-priced patisserie”.

Raphael April 17, 2020 1:03 PM

Bruce,

I’m not personally familiar with all 7 points the GAO makes at https://www.gao.gov/products/GAO-20-241 . However, I do know that the DOD struggles with the weight of its existing rules, regulations, and training requirements, each of which creates vulnerability to contractor capture and pushes the DOD towards a compliance mindset.

The Cyber Awareness challenge in recommendations 4 and 5 is available publicly at: https://dl.dod.cyber.mil/wp-content/uploads/trn/online/cyber-awareness-challenge/launchPage.htm . If you complete that training, I would appreciate your opinion on whether ensuring that every person in the DOD has completed it is a good use of DOD CIO, GAO, and every person in the DOD’s time.

La Abeja April 18, 2020 3:04 AM

WONTFIX

GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals.

That is a rather general attitude problem at the DoD. You see, we have hordes of Non-Commissioned Officers who actually draw military payroll in the United States without having been commissioned to any official duties. You know the type. There are too many Masonic decorations and obscure subclassifications of military rank to count. The fraternization of Veterans at the VFW and American Legion halls, which would be quite illegal if they were actually still in the military.

They are Elks, Moose, Eagles, Boy Scout guides. They go hunting and fishing with guns and knives which are generally made illegal for civilians to possess anymore.

It’s the same old boys’ networks we’ve been complaining about all along: the no-bid non-competitive contracts within the Military-Industrial Complex and now the Prison-Industrial Complex with our skyrocketing and grossly underreported incarceration rate.

1&1~=Umm April 18, 2020 12:34 PM

@La Abeja:

“You see, we have hordes of Non-Commissioned Officers who actually draw military payroll in the United States without having been commissioned to any official duties.”

It’s clear that not only have you never been in the armed forces, you have an embarrassing lack of knowledge about how they are structured at a fundamental level or why.

La Abeja April 18, 2020 3:14 PM

@1&1~=Umm

If you call yourself “non-commissioned,” then you are denying your oath of office for whatever your position is on the government payroll.

Army bureaucracy is notorious for paper-pushing middle managers, most of whose duties are more of a civilian rather than military status anyways.

It’s just government, government, and more government. It’s maddening. They’re just bureaucrats who happen to have a military rather than civil service classification on the government office of personnel management’s payroll system, but they’re doing the same job as the government bureaucrats in other departments because they have not been officially commissioned to any “actual service” in a combative capacity that would have any bearing whatsoever on our country’s readiness to fight off foreign and domestic enemies.

La Abeja April 18, 2020 11:23 PM

@Mike D.

please read up on the function of NCOs in modern militaries.

UN, NATO, the EU, Europol, Interpol, the Bilderberg Group, and the Trilateral Commission are all friending us on Facebook etc.

They smoke too damn much weed in Amsterdam. They’re full of sh1t and they don’t think modern “militaries” should be allowed to have jobs or carry weapons at all.

NATO limited the caliber of NATO small arms ammunition to .223″=5.56mm inadequate in range, velocity, and penetration on a competitive nation-state infantry battlefield, and they let the Russians have the bigger guns, AK-47s etc.

1&1~=Umm April 19, 2020 7:05 AM

@La Abeja:

“If you call yourself “non-commissioned,” then you are denying your oath of office for whatever your position is on the government payroll.”

You are just making your lack of knowledge even more glaringly obvious. ‘Non-Commissioned’ has a very specific meaning in military service.

It does not in the slightest mean what you are trying to distort it to.

By the way, all military personnel take an oath to the “chain of command” via their oath to what is the pinnacle of the National Governmental Hierarchy, be it a nominal figurehead such as a monarch, an elected representative who stands instead of a monarch, or a dictator or tyrant who would usually exact an oath to themselves as an individual, thus trying to cement their place as absolute ruler.

All of this goes back thousands of years, to times before even nation states existed. It is part of the ‘feudal system’ that is also usually hereditary, thus ‘inbred’ from a ‘closed stud’ breeding catalogue. Also the system frequently uses the excuse of a deity to assume absolute power by ‘Divine Right’. It’s why you do not have any claims to be atheists or humanists in political circles, as it weakens them. It’s also why in the US you have the expression ‘Wrapped themselves in the flag’.

From this you can see that all ‘guard labour’ only has one duty and that is to the figurehead or its representative in the chain of command, not the actual nation or its citizens. It’s a point many do not realise when they call for assistance from ‘guard labour’; it’s why I do not allow ‘guard labour’ onto my property, or any other governmental representative, until the terms of entry have been fully agreed. It’s also a point not lost on the framers of the US Constitution and subsequent Amendments, and something modern politicians and their fiscal and media backers do not want you being really cognizant of, because they wish to turn the citizens who have legally defined rights into serfs who just accept what is done to them by their supposed ‘betters’.

It’s a point not lost on our host either, although Bruce tends not to speak about it these days (for obvious reasons). He has previously written essays on the subject and how he sees its re-emergence.

La Abeja April 19, 2020 9:28 AM

@Mike D.
@1&1~=Umm

‘Non-Commissioned’ has a very specific meaning in military service.

There’s a Constitution that specifies that the President “shall take Care that the Laws be faithfully executed, and shall Commission all the Officers of the United States.”

That is all the officers. Military and non-military. Without exception.

Commissioned realtors and stockbrokers in the private sector don’t get paid unless they do a very specific job: make a certain sale or transaction go through as requested or agreed to by the buyer and seller.

The Oath is to the Constitution, not a chain of command. Otherwise you have a boss or a manager, but even then there is a distinction between “lawful orders” and “unlawful orders” — and too many NCOs are caught up in a gigantic case of “unlawful orders” coming in from an enemy chain of command to direct U.S. troops in combat against U.S. citizens to destroy our lives without cause.

UN, NATO, EU, Bilderberg, Trilateral, Interpol, and Europol are our ENEMIES. They want us dead. I know for a fact they want me specifically, dead.

Brandon April 20, 2020 11:08 AM

@La Abeja:

Non-commissioned officers have a history dating back hundreds of years before the Constitution. It’s a premise we borrowed from the British military.

As a very simplistic explanation, a commissioned officer can resign their commission and leave at any time once they meet their initial obligation. NCOs can’t.

They are enlisted soldiers. They serve an enlistment to completion and then either leave or re-enlist. They also cannot technically give “orders” as orders only come from commissioned officers. They give guidance and direction but their authority is derived from their commissioned officers who appoint them to their positions.

Commissioned officers are promoted by the President of the United States. NCOs are promoted by their branch of service.

I also don’t know where you get the idea that they don’t have jobs because they’re not commissioned. They are assigned specific roles based on the needs of the organization which are centrally managed by the headquarters command (which decides what roles are needed by each organization based on their size, type and mission). The roles are re-affirmed monthly by the commissioned officers at each level (assigning each servicemember into a specific role).

The point about ammo is also incorrect. There are NATO 5.56mm and NATO 7.62mm ammo types, both used by the US military. The military chooses to use 5.56mm in their small arms weapons because it reduces collateral damage and is still effective out to 450m, which is significantly further than most small arms combat takes place (<100m).
