Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

GAO Report: DoD Incompetent At Cybersecurity

Soulskill posted about 3 years ago | from the you-have-been-called-out dept.

Government 104

itwbennett writes "According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said. Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is 'daunting,' GAO concluded."

cancel ×

104 comments

Sorry! There are no comments related to the filter you selected.

This just in (1)

Osgeld (1900440) | about 3 years ago | (#36923284)

no shit! also the government spends too much money and ducks fly

just the fact they are still using the term "cyber" should tell anyone with half a brain they are stuck in the 90's, what about Information Highway Border patrol to bring that up to at least earlier last decade

Re:This just in (2)

jo42 (227475) | about 3 years ago | (#36924906)

"The only competence of any government appears to be the ability to endlessly piss away taxpayer money." - me

Re:This just in (1)

gumbi west (610122) | about 3 years ago | (#36925506)

Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US.

You don't write articles about how great the government is at administration, just about when it messes up administration.

Re:This just in (1)

jc42 (318812) | about 3 years ago | (#36928672)

The only competence of any government appears to be the ability to endlessly piss away taxpayer money.

Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US. You don't write articles about how great the government is at administration, just about when it messes up administration.

It's part of the American "conservative" ideology, that everything wrong with the world is due to governments, and everything good is due to corporations.

In reality, the problems are present in all human organizations. If an organization, government or corporate or whatever, pays attention to a topic, they can generally solve it. But it's more common for any human organization to become a "power center", with its own internal ideology and mythology, and punish anyone who goes against the organization's culture.

This story is basically about that problem, as applied to computer security issues. If you follow discussions of that topic, you invariably find a strong desire to respond to information about a security problem by 1) pretending that it's not a real problem, and 2) punishing anyone who demonstrates an exploit.

Government agencies do this, and so do corporations. You can see the results all around you. The only organizations that have achieved any reasonable level of security are those who hire and listen to people with expertise in the topic. But most organizations automatically react to demonstrated security problems by labeling the messenger a "hacker", and treating them as a criminal. This gets a message across to people who discover problems: "Kept it quiet, or we'll punish you, too."

In any case, this has little to do with the "government" label. It's a failure of all human organizations. Pretending that only one sort of organization (government) has a real problem is merely trying to impose an ideology rather than solve the problems.

Re:This just in (1)

Thad Zurich (1376269) | about 3 years ago | (#36929096)

Medicare is administrated by the US Government, has lower overhead than any private sector health insurance plan and has the highest satisfaction rating of any health insurance plan in the US.

This is very convenient, if both you and your condition happen to be covered by Medicare, and you can find health care providers willing to settle for Medicare payments.

Re:This just in (1)

gumbi west (610122) | about 3 years ago | (#36929318)

I agree that medicare should be expanded to cover everyone, but the satisfaction is unconditional--a random sample of all people covered by Medicare are asked how happy they are with it, and they (presumably) take into account how easy it is to find a covered doctor.

I'd amend you quote to, "this is very convenient if you are covered by Medicare."

Re:This just in (1)

slick7 (1703596) | about 3 years ago | (#36930432)

"The only competence of any government appears to be the ability to endlessly piss away taxpayer money." - me

What's the difference between the Boy Scouts and the military?
The Boy Scouts are run by adults.

Re:This just in (0)

Anonymous Coward | about 3 years ago | (#36925002)

Y'all don't worry. Me and some of my patriotic buddies here in the border states are already pressuring our elected officials to build a cyber-fence along the border, and we're forming squads of "cyber minutemen" who will regularly get together to patrol our cyber border (and drink beer), keeping our nation safe from all kinds of them brown people intent on doing us harm.

stateless terror organizations? (1)

Dan541 (1032000) | about 3 years ago | (#36928142)

Would that be Lulzsec and Anonymous they are referring to?

News flash: government is incompetent (-1, Offtopic)

Kohath (38547) | about 3 years ago | (#36923304)

Let's give them more money and put them in charge of health care.

Re:News flash: government is incompetent (1)

EraserMouseMan (847479) | about 3 years ago | (#36923426)

"We're from the government and we're here to help."

Step #1: We need more funding from tax payers.

Step #2: ????

Step #3:1&2 didn't help matters at all. So, keep repeating 1&2 over and over and tell everyone that nobody else could ever have a chance at doing this as well as we can. In 20 years we'll all be retired and won't care.

Re:News flash: government is incompetent (4, Insightful)

Dexter Herbivore (1322345) | about 3 years ago | (#36923538)

Hur, hur, hur... govinmints can't do anyfing right. Try to remove your obvious politics from this debate and argue facts. There are arenas where goverment do better than private industry, where 'loss leading' actually ends up with a net benefit for the populace... arenas where private industry will refuse to lead because they will take a short term loss

Freeze! (1)

ThatsNotPudding (1045640) | about 3 years ago | (#36924068)

There are arenas where goverment do better than private industry, where 'loss leading' actually ends up with a net benefit for the populace...

Up against the wall, commie!

Re:Freeze! (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924146)

Up against the wall, commie!

Only if said wall has been made by the hands of the proleteriat!

Re:News flash: government is incompetent (1)

Anonymous Coward | about 3 years ago | (#36924138)

And if you could name one you would have.

Re:News flash: government is incompetent (2)

Dexter Herbivore (1322345) | about 3 years ago | (#36924260)

Infrastructure... large capital investments with long tails aren't liked by shareholders... maybe the answer is that I didn't want to get into a stupid argument made by people who don't wish to ackowledge fact over their own personal version of reality.

Re:News flash: government is incompetent (0)

Anonymous Coward | about 3 years ago | (#36924478)

Yeah. OK LOL. Infrastructure .. Like the privately owned pristine highways as opposed to the state run highways. "I didn't want to get into a stupid argument made by people who don't wish to ackowledge fact.." "How to Win Friends & Influence People", check it homie.

Re:News flash: government is incompetent (0)

Anonymous Coward | about 3 years ago | (#36924716)

-lol- God you're stupid.

Re:News flash: government is incompetent (0)

Anonymous Coward | about 3 years ago | (#36925270)

nou

Re:News flash: government is incompetent (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924720)

Nice... check out the history of US railways that failed without huge US government investment... maybe look at the Australian NBN... broadband that has lacked investment for 10 years or more because Telstra fails infrstructure without government support. Maybe you should post under a profile instead of being some random who won't attach his name to an argument. HUR HUR HUR LOL. Make a real argument AC. The US model is not the be all, and end all. I don't want to be your friend asshole, I don't want to influence you... maybe you have an unnatural obsession with being someone's friend and manipulating them instead of actually being logical?

Re:News flash: government is incompetent (1)

realityimpaired (1668397) | about 3 years ago | (#36925088)

Never heard of the Telephone, have you? Or the electrical power grid? Or the highway system?

Re:News flash: government is incompetent (1)

Nadaka (224565) | about 3 years ago | (#36925198)

Or fundamental research?

Re:News flash: government is incompetent (1)

obarthelemy (160321) | about 3 years ago | (#36924332)

not so much about removing politics, more about removing kickbacks in all their forms, including plush jobs...

Re:News flash: government is incompetent (1)

cforciea (1926392) | about 3 years ago | (#36924556)

Because private industry has fucking none of those.

Re:News flash: government is incompetent (1)

obarthelemy (160321) | about 3 years ago | (#36928690)

private industry play with their own money, the government, with ours.

Re:News flash: government is incompetent (1)

cforciea (1926392) | about 3 years ago | (#36929048)

Except when it is on the back of your labor that your company's C-level execs and VPs of who-knows-what get to fly around in private jets and live in houses that cost more than you'll make in your entire life.

Re:News flash: government is incompetent (1)

obarthelemy (160321) | about 3 years ago | (#36931260)

still, nobody's forced to work for them, nor to buy their wares.

with the government, you just HAVE to pay. and comply.

Re:News flash: government is incompetent (0)

shoehornjob (1632387) | about 3 years ago | (#36924842)

Let's give them more money and put them in charge of health care.

Health care was the problem. If the government (specifically the democratic party) had focused their attention on getting this country working again most of the health care issue would have taken care of itself. Then we would have some breathing room to figure out actual health policy. We can not fix the mess we are in until we bring industry back to this country and get people working in decent middle class jobs again. That's how FDR did it and we need to follow his lead. Then again wtf am I talking about; we never learn from history.

Re:News flash: government is incompetent (1)

Jawnn (445279) | about 3 years ago | (#36925024)

Health care was the problem. If the government (specifically the democratic party) had focused their attention on getting this country working again most of the health care issue would have taken care of itself.

If you believe that, you truly don't understand the problem.

Re:News flash: government is incompetent (1)

shoehornjob (1632387) | about 3 years ago | (#36925502)

I guess everyone is entitled to their own opinion. The basic fact is that our govwernment is fractured by party lines and long held ideology. They are so divided that they can't get their shit together to pass one bit of legislation that will put us (and China among others) back at least 30 years if it fails. Oh yeah and we basically let China hack in and steal our state secrets. That's not just a DoD thing either.

You mean we should join or start a war? (1)

Quila (201335) | about 3 years ago | (#36928042)

It worked for FDR. Bush tried it, didn't work.

So does everyone else (4, Insightful)

MozeeToby (1163751) | about 3 years ago | (#36923326)

Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

Re:So does everyone else (1)

Anonymous Coward | about 3 years ago | (#36923518)

Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

Part of the problem is being big. If you're small and don't ruffle any feathers then you don't become a target in the first place.

Re:So does everyone else (1)

Sulphur (1548251) | about 3 years ago | (#36924422)

Seriously, is there any large organization that doesn't suck at security? We need to spotlight companies that do it right and show everyone else what they're doing, because it seems to me that far, far more people suck at it than are good at it.

Part of the problem is being big. If you're small and don't ruffle any feathers then you don't become a target in the first place.

Security by obscurity? Happy size your company.

Re:So does everyone else (1)

TheRaven64 (641858) | about 3 years ago | (#36925158)

Partially it's also security through having a small attack surface. Any employee who needs access to sensitive data is a potential vector for an attack. In a small company, that's typically a small handful of people, most of whom have some investment in the company. In a large company, it's a huge number of people. It's also a more distributed network, with more weak points.

Re:So does everyone else (4, Interesting)

Sir_Sri (199544) | about 3 years ago | (#36923912)

Security is an odd thing. You can be right 99.99999% of the time, and prevent nearly every attack for years, and no one hears about it. But one guy breaks in and steals 25 files on his estranged wife and you have a 'systematic security failure'. Which leads to reviews and all sorts of changes in policies etc.

The war department, and the various related departments combine to directly employ millions of people, with millions (if not 10's of millions) more employed indirectly through contractors and so on. You're never going to be error free in that environment. It's also very hard to create and implement new policies rapidly for that many people, and because it's a government agency every time you write new rules you have to waste months begging for the paymasters in parliament or congress to both pay for it, and agree to let you do it at all. *IF* they agree to pay for it, it will come with strings attached. You can't build a new network security office in the Pentagon, it has to be in Wyoming, because the senator from Wyoming hasn't gotten his kickbacks or 're-election support' to his district yet, or some sort of nonsense like that. Big outfits necessarily want to talk to other big outfits, who, themselves have layers of bureaucracy, which adds even more fun.

Oh and on top of all of that, you have very important, very stupid people (political appointees), who don't know anything about your security procedures, claim themselves too important to be trained because they've been brought in as outsiders to be 'reformers' and IT is left scrambling to keep them connected. Along with keeping everyone else connected, while they're fighting wars, integrate with allied systems, make information open to people who need it, closed to people who don't and leaving a paper trail of accountability so that the GAO, auditor general, national audit office etc. can read everything, and find stuff to complain about. I don't envy any of the people trying to make all of this work, especially on 4 year election cycles when, by the time you get a project going you may find it cut just as you're ready to get it going properly.

Unfortunately the military doesn't have the ability to go to a black hat conference pick the 5 most promising security experts, slap 3 stars each on their sleeves and ask them to fix it. Most of the people who actually know stuff about security have no desire to go through the long road to leadership in the government, and by the time they can be pulled in from the private sector as political appointees they have no clue what's actually going on.

Re:So does everyone else (2)

Lifyre (960576) | about 3 years ago | (#36924982)

All salient points but the biggest issue by far is the last one you pointed to. Getting to the point where you can make a difference in the military takes so long and requires so much focus that the knowledge you did have is now years out of date and no longer relevant. This is in part because those stars would grant authority much beyond the narrow security realm.

What the services need is the authority to go to a black hat conference and hire those experts and give them authority over security without the broad powers inherent with rank. If those that have stars on their shoulders take this issue seriously it could be done relatively easily and rapidly, though implementation would take time. Unfortunately getting those stars usually means you're more of a political animal than the president...

Re:So does everyone else (0)

Anonymous Coward | about 3 years ago | (#36927392)

What the services need is the authority to go to a black hat conference and hire those experts and give them authority over security without the broad powers inherent with rank.

And here comes your next problem: get someone who regularly attends black hat conferences a security clearance. Prepare for fun!

Re:So does everyone else (1)

Lifyre (960576) | about 3 years ago | (#36929690)

True. I actually know quite a few people who attend but don't typically talk or would be considered a top hacker...

Kudos (best post on the page so far imo)... apk (0)

Anonymous Coward | about 3 years ago | (#36927450)

I must ask: Have YOU been on "the inside" of all of what you're speaking of, especially from a U.S. Governmental standpoint?

* It sounds it... let me guess - as a contractor, right?

APK

P.S.=> Just curious & no sarcasm intended...

... apk

Re:So does everyone else (2)

scosco62 (864264) | about 3 years ago | (#36924020)

I think it's more about the nature of complex systems - politics, trolling aside, I would think the larger the internet facing infrastructure, the (exponentially) harder it is to secure....putting the need to service other organizations within that infrastructure, it's a commitment that folks are just coming around to - public and private. My disappointment is not the government so much (as it relates to this topic anyway), but rather the firms that are supposedly securing them. My experience has been that the guiding philosophy with these guys is a) bill as much as you can, without pissing the customer off b) template your approach, creative thinking is risky and c) make your customer just slightly more secure that the next target. This is a generalization, to be sure - but until you have smart people with the skills with the mindset that they need to evolve quick than the threats out there - it's just going to mean more negative publicity as well as more money for substandard contractors. Just my two cents.

Carriers vs Battleships (3, Insightful)

Dexter Herbivore (1322345) | about 3 years ago | (#36923464)

Aviation is fine as a sport. But as an instrument of war, it is worthless.

— General Ferdinand Foch, Professor of Strategy, Ecole Superiure de Guere, 1911.

The overall military attitude is that if it isn't in the 'book', it is worthless. New paradigms confuse the establishment, that's as old as the 'book'. (It's a metaphor, please don't attack this argument as if it refers to a literal 'book').

Re:Carriers vs Battleships (3, Interesting)

malsbert (456063) | about 3 years ago | (#36923944)

'He advocated peace terms that would make Germany unable to pose a threat to France ever again. His words after the Treaty of Versailles, "This is not a peace. It is an armistice for twenty years" would prove prophetic; World War II started twenty years and sixty five days later.' -- Wikipedia. [wikipedia.org]

You win some, You lose some.

Re:Carriers vs Battleships (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924040)

I never said that F Foch was always correct, I was merely trying to illustrate that military minds don't always recognise the correct answer. New forms of warfare confuse and irritate the 'old school'.

Re:Carriers vs Battleships (1)

malsbert (456063) | about 3 years ago | (#36924860)

I know, And do agree. I just do not see it as a inherent military thing. F Foch was old in 1911, And nothing wrong with that! It just means; he was not as likely to care about tech ,20 some years, Into the future. In 1911, And the near future, Aircraft was "worthless".

Re:Carriers vs Battleships (1)

St.Creed (853824) | about 3 years ago | (#36926530)

There were however, a few people who did see the use of the plane as a new weapon. But it was a minority.

A good book about that (and other things) is "The social history of the machine gun" which is as fun to read as it sounds :) It goes into detail about the conservative attitudes of the officers in the first world war, and links that to their social background (a large number were land owners). The sad part is where it details what happened to the horses. I mean: barbed wire, trenches, machine guns for miles behind the first line, and the officers thought they could charge through on horseback... at the first real charge they ended up as hamburger. All of them.

But to get back to Foch: it wasn't inherently military to be conservative about airplanes. However, the military leadership at the time was made up of inherently conservative people - like Foch. So: horses, mass attacks over the wall, no airplanes. And millions of dead. Even if that has changed, the social background of much of the military is conservative, not progressive. Which influences how the military works. This is different in draft armies, where more of the population is represented (the Dutch army even has its own trade union, dating from the time most soldiers were drafted).

Which means I would expect a less conservative military in, for instance, Israel than in the US, and a slow change in political outlook in the armies of countries that have switched from one type of army to another. Although the general political outlook of the population from which you can draft would ofcourse exert influence as well.

Re:Carriers vs Battleships (2)

Old97 (1341297) | about 3 years ago | (#36924230)

No one will ever need more than 640k. - Bill Gates (paraphrased) Being wrong != being an idiot. The U.S. military is capable of some amazingly original and innovative thinking. It is also capable of rigid, reactive idiocy. I'm a veteran, have relatives currently in the military and I've worked with the military on a couple of projects. There isn't "an overall attitude" other than "accomplish the mission". If cyber security were seen as "a mission" with definitions for "victory" and "defeat" they'd be right on it. In the meantime they've got enemies with bombs, chemicals and guns to worry about. How do we get the politicians and the military to see cyber security in this light before a cyber security disaster occurs?

Re:Carriers vs Battleships (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924426)

Please see my parent comment... I did NOT say that 1 comment makes all comments by that individual incorrect.. only that an incorrect comment means that not all comments are RIGHT.

Re:Carriers vs Battleships (1)

Old97 (1341297) | about 3 years ago | (#36924814)

I was responding more to your generalization about "military attitude" and the "book". Someone wrote that the military always prepares to fight the last war which is similar in sentiment to what you wrote. The first problem with that is that it's really the military of the winning side that tends to prepare the last war. The losers innovate. However, since Vietnam, the U.S. Military has worked very hard to not repeat this mistake. They've been very good at it as long as next enemy has been identified so they can analyze the threat and come up with ways of defeating it. The realm of "cyberspace" (I hate that term) is still sort of a sideshow for them like posting guards around a military base or arms depot. They and their civilian bosses haven't yet bought into the idea that the sort of threat exists here that could be far more than annoyance. So they focus on enemies they know can kill us versus threats that can annoy us. Frankly, I don't see that the "cyber threat" is our biggest worry either. I'm wondering why we aren't building a national intranet for infrastructure, finance and government that is separate from the internet. Leave the internet to be the playground, shopping mall and public library for civilians.

Re:Carriers vs Battleships (1)

bill_mcgonigle (4333) | about 3 years ago | (#36925358)

Aviation is fine as a sport. But as an instrument of war, it is worthless.

â" General Ferdinand Foch, Professor of Strategy, Ecole Superiure de Guere, 1911.

All this proves is that Foch was an idiot. Military strategists have known the advantage of the high-ground for thousands of years. "Portable, instant high-ground? Genius," I'm sure was uttered within a year of Kitty Hawk.

There aren't mass-drivers in LEO only because of lift-costs.

Re:Carriers vs Battleships (1)

timeOday (582209) | about 3 years ago | (#36925572)

Did he say, "it is worthless" (as you quoted), or "it will always been worthless and should not be pursued further" (as you interpreted him saying?) Aviation was worthless as an instrument of war in 1911.

Anyways, I don't know what that has to do with computer security. I don't know any organization the size of DoD that does it as well.

Re:Carriers vs Battleships (1)

gumbi west (610122) | about 3 years ago | (#36925586)

Until about 1940, he was right. One usually doesn't append obvious modifiers to their claims like, "right now." or "in it's current state."

Re:Carriers vs Battleships (1)

jc42 (318812) | about 3 years ago | (#36928984)

One usually doesn't append obvious modifiers to their claims like, "right now." or "in it's current state."

That's because, in English and all the other (Indo-)European languages, it isn't necessary. In those languages, and in languages in many other families, verbs have an explicit present tense that means "now".

The problem is that people take a quote from the past, and misinterpret the verb's present tense as meaning "now, when I repeat the quote". As in the example we've seen here about military aircraft, people very often do this with malice aforethought, knowing full well that the quote doesn't reply to their current situation. I you ask them, you'll usually find that they fully understand verbal present tenses, and they know that the quote they misused wasn't meant to apply to the distant future. But they have an agenda, and making a previous "expert" look like an idiot fits their agenda.

In this case, the agenda is pretty clear: The writers are trying to discredit all military experts. It's easy to find historical quotes that were correct when said, but are no longer correct. This suffices to show that one person was wrong in the past. And this obviously applies to the current experts, right?

In the current topic, it might be useful to reflect that the Internet wouldn't exist if it hadn't been pushed (and mostly funded) by the US military. The business and corporate worlds that are trying to claim the Internet as their invention were dragged into it ("kicking and screaming" ;-) in the early 1990s. Most government agencies jumped on board almost as an afterthought, when they had lots of employees that knew how to use the Internet and pushed internally for agency web sites. But the Internet's prime movers were military people from the same DoD that is now being declared imcompetent.

I'm not quite sure what this says about the current topic. Maybe the lesson is that the DoD should be listening to their own people. Especially those who have retired, but who directed the building of the stuff they're now having such problems with.

Simple solution (1)

Annirak (181684) | about 3 years ago | (#36923476)

Use OpenBSD instead. That way, the only persistent security vulnerability is shark attacks.

But seriously, there's only one real solution to military scale security. Use a physically and logically separate network. You can't hack what you're not connected to.

Re:Simple solution (0)

Anonymous Coward | about 3 years ago | (#36923536)

They already do that and it still gets hacked all the time.

Re:Simple solution (1)

Annirak (181684) | about 3 years ago | (#36923606)

If it got hacked, it either wasn't physically separate, or it wasn't logically separate. If your computer can't connect to their computer, no hacking will occur unless there's a physical breach of the network. On that topic, don't use wireless.

Re:Simple solution (2)

NatasRevol (731260) | about 3 years ago | (#36923798)

Or humans.

Re:Simple solution (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36923926)

Or the Human factor... oh wait, someone already said that. Did you ever consider that most succesful hacking is social engineering? Separabilty is useless when the weak point is the operator.

Re:Simple solution (1)

NatasRevol (731260) | about 3 years ago | (#36924164)

Whiiiiiich was my point.

Re:Simple solution (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924286)

Oh... BTW, I was agreeing with you and arguing with the GP(Annirak).

Re:Simple solution (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924202)

Did I just agree with a 6 digit UID Satanist???? Gah, never mind. :D

Re:Simple solution (1)

NatasRevol (731260) | about 3 years ago | (#36925302)

No, just an old college nickname.

Re:Simple solution (1)

Annirak (181684) | about 3 years ago | (#36924506)

The point, though, is just that. Take the infrastructure out of the equation. If the only vulnerability is staffing, then we're at the same level of security as we had in WWII. The US Gov't already knows how to do counter intelligence. It's just a matter of deploying counter-intel assets in the right locations, which they may not be doing.

Re:Simple solution (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924782)

"FAWNING" Agreed...

Re:Simple solution (1)

bberens (965711) | about 3 years ago | (#36923920)

On that topic, don't use wireless.

Or USB devices of any sort, or DVDs/CDROMS you didn't burn yourself, etc with source code you have read. And for the love of all things holy don't let an actual human being know any of the access passwords, those human beings are the biggest security holes ever made.

Re:Simple solution (0)

Anonymous Coward | about 3 years ago | (#36923670)

Not a bad idea at all. Any information that's classified goes on its own network that does not connect to the internet. Any information transfer is done by physical media from within the building, and goes one way (non secure to secure only). Anyone using physical media to place data on the "secret" network must be actively monitored during the process.

If any leaks occur, the list of suspects is extremely narrow. No one can access the network from outside of the physical building, therefore the network is as secure as it theoretically can be.

If this sounds like that much of a pain in the rear end, keep in mind that you can have your secure PC directly next to the internet browsing laptop, so that this is theoretically functional. As long as everything in this theoretical setup is vigilantly monitored, it will VASTLY improve security.

Re:Simple solution (0)

Anonymous Coward | about 3 years ago | (#36923898)

This is already precisely how it works.

The primary means of security for highly classified stuff is computers that are NOT on the internet, and guarded by soldiers with M16s.

A bullet in the back of the head is a better countermeasure than any of your cyber lulzsec bullshit.

Re:Simple solution (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924106)

Sigh... I hate to say this, but parent has some insight and probably should be modded up.

Re:Simple solution (1)

TheRaven64 (641858) | about 3 years ago | (#36925284)

When I worked in defence, my desktop wasn't connected to the Internet (or the network at all, in fact), and I had to remove the hard drive and lock it up before I went home every day. Because it wasn't on the network, I had to move files between it and the lab machine on ZIP disks. One day, when I got home, I discovered that I still had a ZIP disk in my pocket. Fortunately, it didn't have anything classified on it, but it easily could have had. I went straight out through the gates with it, past the armed guards, without being stopped.

Re:Simple solution (1)

blizz017 (1617063) | about 3 years ago | (#36925196)

As already stated.. this is precisely how it works now. You've practically described it to a T. In fact, we further segregate networks based on the level of classified information they carry; all of which are airgapped.

Re:Simple solution (1)

gumbi west (610122) | about 3 years ago | (#36925630)

There is this thing called an embassy and they are supposed to be able to communicate sensitive information in real time with HQ...

Re:Simple solution (0)

Anonymous Coward | about 3 years ago | (#36923968)

Use OpenBSD instead. That way, the only persistent security vulnerability is shark attacks.

But seriously, there's only one real solution to military scale security. Use a physically and logically separate network. You can't hack what you're not connected to.

I don't think the U.S. can use OpenBSD due to the encryption laws in the U.S. that OpenBSD utilizes

Re:Simple solution (2)

couchslug (175151) | about 3 years ago | (#36924734)

"You can't hack what you're not connected to."
Roger that. It wouldn't be difficult to convert to something different. Tell people to shut up and color. It's called "giving orders" and works a treat!

BTW I served through the transition from "no computers in most units-send your documents to the keypunch folks" to "Unix terminals in many units" to "shitload of Windows boxes everywhere". (1981-2007)

Many of us missed the simplicity and speed of entering maintenance data in a terminal. Precise, faster than dropdown menus, and "green text on a black background" was easy to read.

Re:Simple solution (1)

Annirak (181684) | about 3 years ago | (#36924812)

IMO, menus are the bane of modern UI design. I don't know why someone decided these were a good idea, but they are always a pain to navigate.

Re:Simple solution (1)

Lifyre (960576) | about 3 years ago | (#36925082)

Just a point of note you might find interesting they are starting to make the terminal available again and making the GUI optional, though it all runs inside of Windows XP, frequently only on IE 6 (though that is starting to change), and will often insult your mother if you hit the wrong button.

Re:Simple solution (1)

couchslug (175151) | about 3 years ago | (#36929774)

That is interesting.

This mess has probably not changed much. It was ongoing in 2007:

http://gcn.com/Articles/1995/09/18/Troubled-AF-systems-are-kept-alive-by-generous-lawmakers.aspx [gcn.com]

Re:Simple solution (1)

Lifyre (960576) | about 3 years ago | (#36931996)

Probably not, it was in the Marine Corps but it would certainly explain the existence of many things.

actively trying to penetrate our military networks (0)

Anonymous Coward | about 3 years ago | (#36923508)

"According to a scathing report from the GAO (PDF) released July 25, the Department of Defense only started to take cyberwar seriously during the past two or three years, after ignoring warnings for about 2 decades. And when we say, 'take it seriously' we mean 'throw gobs of money at it' — to little effect. 'According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks"

Well, fucking DOH !!!!!!

Yup, that sure sounds like the DoD to me (0)

dkleinsc (563838) | about 3 years ago | (#36923616)

The goal of most DoD procurement is not to get the item needed to the place it's needed as quickly and cheaply as possible, but instead to ensure very large contracts to a very small number of "defense" contracting companies with political connections.

Stop While You're Ahead (0)

jimmerz28 (1928616) | about 3 years ago | (#36923640)

You could have just stopped after "Incompetent"

Can we explicitly name ICE and DHS in there too?

I hear they can't take down the right webpage and only listen to media corporations

Don't plug it in, duh. (0)

Anonymous Coward | about 3 years ago | (#36923832)

You don't want your weapon blueprints getting hacked and stolen? It's a pretty simple and obvious solution. Don't put it on computers that are plugged into a global network. There isn't a "DUH" big enough.

Re:Don't plug it in, duh. (0)

Anonymous Coward | about 3 years ago | (#36924140)

There isn't a "DUH" big enough.

Agreed. You can get that from watching Battlestar Galactica, for crying out loud.

DoD Priorities.... (1)

xianzombie (123633) | about 3 years ago | (#36924134)

We all know the gov is slow to adapt, but it should also be pointed out the methods by which most of the DOD operates.

1. Should we do "it"?

2. Write a directive on how to do "it".

3. Have "it" reviewed and revised ad nauseum until "it" is no longer relevant nor accurate.

4. Give "it" to the newest lowest ranking least trained to implement, as the superiors have already reviewed "it".

5a. Interrupt mission critical operations by implementation gone wrong, resulting in a stop on progress, have a meeting, go back to step 2/3.

5b. Attempt to schedule a known outage and have it postponed indeffinatly as the risk of leaving things "as they are" is less damaging (for now) than interrupting current operations for a preventative change.

--------

That's the basic gist of it anyway.

Re:DoD Priorities.... (1)

Dexter Herbivore (1322345) | about 3 years ago | (#36924348)

What's it? What is it? [wikipedia.org]

Re:DoD Priorities.... (1)

poofmeisterp (650750) | about 3 years ago | (#36925156)

...have a meeting...

Exactly. You got it. :)

this shouldnt come as a shock. (1)

nimbius (983462) | about 3 years ago | (#36924496)

but not because its apparent in recent hacks, only because of its root-cause.

soldiers are enlisting in the department of defense's military branches because they are genuinely motivated to do so through well-established ideological factors. Hackers and skilled system administrators on the other hand are motivated by money, challenges, work environment, etc.

so riddle me, the skilled sysadmin hacker, this:

why do i want to work for a bureaucratic, bloated, warmongering entity who arguably hasnt protected america in almost forty years from a conceptualized threat? Especially considering their most publicly visible sysadmin has spent the past few months of his life rotting in a prison, presumably facing the death penalty?

why would i work for a company where contracts and lobbyists take precedent over policy and logical process and procedure?

and i dont mean to troll. ive had job opportunities in various islands offered to be by the department of defense, but i still cant commit.

at most big organization PHB run the show and HR (1)

Joe_Dragon (2206452) | about 3 years ago | (#36924534)

at most big organization PHB run the show and HR running hiring does not help.

Some poor security comes from vender systems and software some that soft ware comes from a golf course meeting and IT does not even get to test it.

Over worked IT taking shortcuts to get the job done VS taking the time to do a better job also is a mess. Also long times to get stuff can lead to working doing what it takes to get there job done even when they have to bypass security.

Keeping old software that needs security holes to work right.

Outside firms running IT are very hit or miss.

The IT manger or manger needs to be a tech guy with FULL hiring, job posting, and firing rights.

Need to hire people for what they know and not WHO they know or at least give some kind of test to see what they know about IT.

IT needs to have testing severs, labs and more.

Some Departments may even need there own IT guys / IT people who work in that department and are also part of the main IT team.

The IT department needs to have power to set rules and more.

NO must have degree rules, better to have IT training.

DoD pays for the doing, not the result (1)

Beeftopia (1846720) | about 3 years ago | (#36924916)

That's the problem with government contracting. They pay for the process, not the end result. I can understand that for single demonstration phase, but network security is commoditized. The flaws and patches are well known. You shouldn't be paying to reinvent the wheel every GD time.

Hire some accomplished network programmers at your headquarters, create a model network and security scheme, and any time you want to add anything, make sure it follows that model.

"I want to set up a network here in the desert. Let me get the checklist. When I make the last check, it's done and we're ready to go."

Why the F (0)

Anonymous Coward | about 3 years ago | (#36924950)

are military networks even connected to the Internet in the first place? Shouldn't the most important function of government be completely isolated?

Re:Why the F (1)

ahabswhale (1189519) | about 3 years ago | (#36925250)

Classified material is not allowed to be placed on any network physically connected to the internet. Every time I hear these horror stories I never hear about any real classified material that gets leaked. Not that it matters since good old fashion spying has worked like a champ for the Chinese over the last couple of decades.

Working model. And? :) (1)

poofmeisterp (650750) | about 3 years ago | (#36925122)

Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised,' the report said.

If I were going to have a secure network that is perfectly sustainable over time, I would do exactly the same thing. Increased reward decreases rebellion and acting out against a secret entity.

Announcing "Oh, noz! W3 just been hax0r3ddd and j0o gott teh most secret3d infoz!!!!!1" sates the aggressor.

I'm just sayin'.

hypocrisy of Drake prosecution (1)

feynmanfan1 (1803416) | about 3 years ago | (#36925152)

What does this say about the hypocrisy of the Thomas Drake prosecution, a guy just trying to point out some of the mismanagement in DOD IT that he was privy to? http://natsecurityeb.blogspot.com/2010/10/thomas-drake.html [blogspot.com] or what former CIO Kundra said about an IT cartel controlling U.S. gov IT. http://www.computerworld.com/s/article/9218466/Outgoing_federal_CIO_warns_of_an_IT_cartel_?taxonomyId=13&pageNumber=1 [computerworld.com]

Let's face IT (1)

otaku244 (1804244) | about 3 years ago | (#36925172)

The DoD thinks fancy war-machines are sexy. To them, if it isn't powerful and deadly, it isn't sexy. Until they see the consequences of their poor performance, they will continue to take an uneducated approach to information security.

SIPRNet? (0)

Anonymous Coward | about 3 years ago | (#36925258)

I'm always surprised by what information is accessed when systems are compromised from the Internet. Isn't the purpose of SIPRNet to keep classified information off of machines that are connected (in any way) to a public network?

SIPRNet? (1)

bastia (145202) | about 3 years ago | (#36925314)

I'm always surprised by what information is accessed when systems are compromised from the Internet. Isn't the purpose of SIPRNet to keep classified information off of machines that are connected (in any way) to a public network?

GAO (1)

Translation Error (1176675) | about 3 years ago | (#36925432)

It would have been nice to mention somewhere in the summary what GAO stands for.

(Note: it's the Government Accountability Office.)

Re:GAO (1)

Dan541 (1032000) | about 3 years ago | (#36928128)

Government Accountability Office?

Isn't that Wikileaks?

Cyber Systems Operations (0)

Anonymous Coward | about 3 years ago | (#36930108)

Coincidentally, I'm training right now to do Cyber Ops for the United States Air Force.

WHY IS IT ON THE INTERNET??? (1)

brunes69 (86786) | about 3 years ago | (#36931906)

Why is some secure DOD system that houses military blueprints even connected to the internet AT ALL? It should not be reachable from any computer that can also reach the internet, or can even reach another computer that can.

They don't want us not to THINK it's not secure? (1)

retroworks (652802) | about 3 years ago | (#36932814)

Part of defense security is strategic leaks of "dis-information". Who knows whether these are "Area 51" leaks (USA acting like it was covering up flying saucers in order to confuse Russians)? To borrow a quote from a famous battle of Little Big Horn (from Little Big Man - Custer to Hoffman):

''Still trying to outsmart me, aren't you, mule-skinner. You want me to think that you don't want me to go down there, but the subtle truth is you really *don't* want me to go down there! ''

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>