The DoD Isn't Fixing Its Security Problems
It has produced several reports outlining what’s wrong and what needs to be fixed. It’s not fixing them:
GAO looked at three DoD-designed initiatives to see whether the Pentagon is following through on its own goals. In a majority of cases, DoD has not completed the cybersecurity training and awareness tasks it set out to. The status of various efforts is simply unknown because no one has tracked their progress. While an assessment of “cybersecurity hygiene” like this doesn’t directly analyze a network’s hardware and software vulnerabilities, it does underscore the need for people who use digital systems to interact with them in secure ways. Especially when those people work on national defense.
[…]
The report focuses on three ongoing DoD cybersecurity hygiene initiatives. The 2015 Cybersecurity Culture and Compliance Initiative outlined 11 education-related goals for 2016; the GAO found that the Pentagon completed only four of them. Similarly, the 2015 Cyber Discipline plan outlined 17 goals related to detecting and eliminating preventable vulnerabilities from DoD’s networks by the end of 2018. GAO found that DoD has met only six of those. Four are still pending, and the status of the seven others is unknown, because no one at DoD has kept track of the progress.
GAO repeatedly identified lack of status updates and accountability as core issues within DoD’s cybersecurity awareness and education efforts. It was unclear in many cases who had completed which training modules. There were even DoD departments lacking information on which users should have their network access revoked for failure to complete trainings.
The report.
Clive Robinson • April 17, 2020 12:15 PM
@ Bruce,
Bearing in mind the constraints of the current “economics” of Government spending, can it realistically do so?
The NSA for instance has way bigger budgets for this sort of activity, but even they fail one way or another.
Whilst I am aware of the reasons Congress wanted to follow the “COTS” path, it’s proven to be more than somewhat “ill-advised”.
Consumer systems are built to an incredibly low price so that some profit can be made.
Well, as we know, with both the non-Apple phone market and IoT there is no longer any profit in hardware, thus “collect what you can” has become the standard way of getting some kind of revenue.
For obvious reasons that consumer business model, like most others in ICT, cannot nor ever will be secure.
If the current changes in working practices continue as is expected by epidemiological modelers such as UoL’s Imperial College, where a 2/3rds shutdown over at least the next three years is considered a likely scenario, along with a shrinkage of 5% in staff, mainly the more experienced “older” staff, the need for a radical change in the way we go about ICT and its security will have to happen…
But I suspect that the business models will move even more towards “insecurity by design”, almost certainly “actively encouraged” by certain elements of Government.
As was once observed[1],
You can’t have your cake and eat it (too)
So you can have cheap technology, but you can’t have security at that price.
[1] For those not residing in the UK, it is a popular English figure of speech or “idiomatic proverb” that is to do with “resources”. Traditionally the proverb in effect means “you cannot simultaneously have your cake on a plate looking very nice, and be enjoying its taste and melting quality in your mouth”. That is, once the cake is eaten, it is consumed, therefore it is gone and no longer a feast for either eyes or tongue. However, over the last half century or so its meaning has broadened to one of “choice” in what “resources” you decide to expend fiscal resources on, and now is similar to an acceptance of the fact that you can have “nasty trans-fat low cost all the same lookalike cakes from the supermarket, or butter and natural ingredient bespoke / hand made cakes from a high priced patisserie”.