Offensive strategies are good if (and only if) you have an identifiable, small number of foes that you can dominate.
As soon as you’ve got to worry about getting mobbed from several directions, you need to start worrying about how to cover your vulnerable parts while you attack each foe in sequence and defeat them in detail. Anyone who expects conflict that is more than a first strike followed by a one-shot victory needs to defend themselves against attack. Unless you’re the US, that is. [npr]
Cyber Tests Showed ‘Nearly All’ New Pentagon Weapons Vulnerable To Attack, GAO Says
Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense’s newest weapons systems, according to the Government Accountability Office.
The flaws are highlighted in a new GAO report, which found the Pentagon is “just beginning to grapple” with the scale of vulnerabilities in its weapons systems.
Whenever you talk to the agencies they’ll all tell you that they don’t have enough money to do anything defensive, which is odd since the DoD hasn’t even been able to make an accounting of how and where they spend the money Congress gives them. But they know they need one thing, and that is “more!” Nobody wants to ask if it’s being well-spent because when GAO did that a few years ago, the DoD replied, “fuck you.”
Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using “relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected” because of basic security vulnerabilities.
The GAO says the problems were widespread: “DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development.”
When I started reading the article, I thought, “it’s probably not that bad. GAO probably did a vulnerability scan behind the firewall and discovered that the network’s interior is a mess – just like everyone else’s.” So I thought I’d have a look at the GAO report, and that’s when things started to go off the wall. Apparently GAO has decided to cast their description of the problem in terms of Space Force. What?! [gao]
That looks like a Fer-De-Lance from Elite Dangerous. Or, it looks like someone trying to explain computer security to a very, very ignorant person.
DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.
Typical development environments – whether military or not – seem to have horrible security. Developers are incredibly sloppy with code, systems, authentication, and privilege management. Normally this is treated as insignificant, but when you’re worried about someone injecting code into your deployed system it’s not so funny anymore. That’s the problem – the DoD’s model for developing anything entails parting out the pork so that as many different contractors have their hands in it as possible. The end result is a system that nobody should trust.
It completely boggles my mind: the same government that sponsors the NSA “equation group” going around developing trapdoors in CPUs and hard drive BIOS, jiggering the cryptography in widely-used transaction security, and compromising the key exchange protocols in major vendors’ VPN products – to say nothing of developing hacks into Cisco’s firmware – how could they not see this coming?
DOD struggles to hire and retain cybersecurity personnel, particularly those with weapon systems cybersecurity expertise. Our prior work has shown that maintaining a cybersecurity workforce is a challenge government-wide and that this issue has been a high priority across the government for years. Program officials from a majority of the programs and test organizations we met with said they have difficulty hiring and retaining people with the right expertise, due to issues such as a shortage of qualified personnel and private sector competition.
Getting good people is a problem, for sure. The government used to be a place where you could work your 20 years and retire with a pension – and not work very hard, at that, unless you wanted to. I knew a lot of old-timer NSA guys who went that route, then retired to work for Booz Allen Hamilton for 3 times what they were getting working for the government. I’m not saying they were great hires or very good, they just knew the ropes really well. Today, the federal workforce feels that the guarantee of a nice comfy job and a good exit track has been broken – so why not cut to the chase and work for Booz Allen Hamilton now? In my mind, the only people who should hire those people, anyway, is Booz: they do not belong at Intel or Oracle or Microsoft – I don’t trust them to build reliable systems. It’s like hiring a safe-cracker to make safes: they’ve been on the other side for years, why assume they’ve switched sides?
We’ve already seen how difficult it is to keep your cyberweapons in your pants when they’re being developed by sekrit skwirrel contractors. Yet the government’s IT is largely outsourced now, because they have realized that they cannot run systems reliably themselves anymore. That means that the “attack surface” – the number of points where a hostile agent could try to penetrate – has gotten vastly larger. A spy no longer needs to get an NSA badge; soon all they’ll need is “Amazon Web Services” on their resume and they’ll have system privileges at a beltway bandit, just like Edward Snowden did. I’m a big fan of not letting governments keep big nasty secrets, but that’s a different problem from building systems that are not full of great, big holes. The systems that people depend on should be reliable. And they aren’t.
The federal government has spent a lot of money playing offense and suddenly they are shocked to find their defenses are weak. In the annals of warfare, that’s situation awareness that’s about as bad as the Trojans hauling that big wooden horse in without examining it a little bit.
Back around 2000, I was doing a panel at a conference and someone said “you seem to be pretty ‘down’ on Federal IT management.” I replied that I think most Federal IT managers don’t do anything except read PowerPoint – they can’t even write a deck in PowerPoint without a contractor doing it for them; none of them can manage a system or operate a compiler or understand security at all. OK, “none” is a bit broad, but all of the good technical people left to go make fortunes working for contractors. When I said that, all the contractors nodded.
Trojan horse: I don’t believe the legend, not for a second. It’s too dumb. Quiet ladders or buying your way in is much more likely. Good information security people would be the ones saying, “sure let’s bring that big wooden horse in here – we’re gonna have a fantastic bonfire in the town square – and let’s invite a company of archers and a company of spearmen to supervise the fun.”