Department of Defense: Troubling News about Security

February 21, 2022

It looks like a lack of resources and opaque commercial cloud providers are two factors hampering the DOD’s efforts to keep the nation cyber-safe. Breaking Defense discusses recent research from the Pentagon’s Director of Operational Test and Evaluation (DOT&E) in, “Pentagon’s Cybersecurity Tests Aren’t Realistic, Tough Enough: Report.” We encourage anyone interested in this important topic to check out the article and/or the report itself. Reporter Jaspreet Gill summarizes:

“[The report] states DoD should refocus its cybersecurity efforts on its cyber defender personnel instead of focusing primarily on the technology associated with cyber tools, networks and systems, and train them to face off against more real threats earlier in the process. For now, cybersecurity ‘Red Teams’ are stretched too thin and the ones that do test military systems are doing it with one hand tied behind their back compared to what actual adversaries would do, the report said.”

Enabling these teams to do their best work would mean giving them more time on the network to test vulnerabilities, more extensive toolsets, realistic rules of engagement, and better end-to-end planning, the report explains. In addition, it states, cyber security training must be expanded to include mission defense teams, system users, response-action teams, commanders, and network operators. We also learn that current funding practices effectively prohibit setting up offices dedicated to cyber technology effectiveness and training. Seriously? See the write-up for more recommendations that should be obvious.

The following bit is particularly troubling in this age of increasing privatization and corporate power. Gill informs us:

“The assessment also found DoD’s cyber concerns increasingly mirror those in the commercial sector due to increasing reliance on commercial products and infrastructure, especially with cloud services. The report recommends the Pentagon renegotiate contracts with commercial cloud providers and establish requirements for future contracts. ‘The DOD increasingly uses commercial cloud services to store highly sensitive, classified data, but current contracts with cloud vendors do not allow the DOD to independently assess the security of cloud infrastructure owned by the commercial vendor, preventing the DOD from fully assessing the security of commercial clouds. Current and future contracts must provide for threat-realistic, independent security assessments by the DOD of commercial clouds, to ensure critical data is protected.’”

Well yes—again that seems obvious. Public-private partnerships should be enacted with a dash of common sense. Unfortunately, that can be difficult to come by amidst bureaucracy.

Cynthia Murrell, February 21, 2022

Comments

Comments are closed.

  • Archives

  • Recent Posts

  • Meta