US Army bug hunters in 'state of fear' that sees flaws go unreported

The US Army has gaping holes in its information security infrastructure and operates an environment of vulnerability reporting fear, according to current and former members of the department's cyber wing. Captain Michael Weigand and Captain Rock Stevens make the comments in an academic piece on the Cyber Defense Review, a …

  1. Pascal Monett Silver badge

    Disclosure could lead to revocation of access?

    Wow, talk about shooting the messenger. No wonder the military network is in such a sorry state. If nobody can raise the issue, it obviously won't ever get fixed.

    But having one's career negatively impacted for doing one's job? That things got to that point is simply incredible. I wonder how the second invasion of Iraq would have gone in the media if the locals had been able to override the tanks' network and stopped them all in their tracks. In front of the media. That would have been one hell of a show.

  2. Robert Helpmann??
    Childcatcher

    Idealistic, much?

    Most of the linked article's recommendations address things that already have mandated solutions but that are not uniformly implemented. Simply centralizing control or coming out with redundant orders will not improve the current situation but will shift where many of the issues are. Of note is that the authors of the linked paper are both captains and are very careful to avoid anything critical of leadership and instead point to their not having enough information rather than acknowledging there are plenty of feeds for patching levels that are simply ignored or not acted upon. Interesting, too, is that there is no mention of DISA. They hit the nail on the head, though, when addressing issues of adopting and implementing new ideas.

    "Administrators often forego patching and updating these systems because they are non-redundant; the systems are a single point of failure within a specialized function." This is brought up as an issue but not addressed. Also related and not addressed are the in-house-developed systems that patching will break. A big source of push-back when it comes to patching is that systems are built to spec, but there are not enough resources to maintain them when the operating environment changes through the upgrade or patching of their operating systems (I'm looking at you, .NET and Java). Having an Army-wide enterprise SCCM solution will mean that patches will be deployed no matter what, but that a lot of mission-critical systems will break and there will not be resources to bring them back. Enterprise solutions will lead to lower cost of implementation and greater homogeneity, but will not necessarily provide increased quality of service.

  3. amanfromMars 1 Silver badge

    Bug bounties are as sweets for children. Solutions are the domain of fortune hunters.

    Is the route and root problem, BASIC*, and in the flawed fundamental premise that past seemingly successful established practices and resultant exclusive executive hierarchies/SCADA Operating Systems are future fit for more generous mature expansive purpose, whenever in fact they are rather more unseemly and ultimately inevitably catastrophically destructive at an ever increasing rate?

    And if one is in the military and/or military-minded, is it not only natural to expect The U.S. military simply isn’t able to keep up with threats generated by hackers and cyber spies, an Army official said Oct. 14. for such a virtual space place is definitely quite alien and akin to a postmodern Area 51, albeit with roles somewhat reversed ‽ . :-)

    * .... Beginner's All-purpose Symbolic Instruction Code

    Oh, and the aforementioned difficulties and revisions for Future Greater CyberIntelAIgent Game Services are ubiquitous, and invade all theatres of operations with clones of the flawed fundamental premise active.

    1. Sorry that handle is already taken. Silver badge

      Re: Bug bounties are as sweets for children. Solutions are the domain of fortune hunters.

      Between the up and down vote buttons there needs to be a "confused" button.

      Don't ever change, amanfromMars.

  4. Destroy All Monsters Silver badge
    Mushroom

    FULFILL MISSION OBJECTIVES!

    These are people who have been trained to think that problems yield to willpower and a forceful attitude, that being "gung-ho", "aggressive" and a "team player" will ensure success. The lack of neocortical reasoning power often does not help. It's like a special school for attack dog PHBs from hell with a medal ribbon. Never work for these guys.

    1. Dave 126 Silver badge

      Re: FULFILL MISSION OBJECTIVES!

      The US generals we have seen in recent years seem a lot more capable of critical thought than their political masters.

      1. amanfromMars 1 Silver badge

        Re: Re: FULFILL MISSION OBJECTIVES! @ Dave 126

        The US generals we have seen in recent years seem a lot more capable of critical thought than their political masters. ... Dave 126

        Hmmm? However, does the fact that they seem to do the bidding of their political masters somewhat explode and flash crash smash that myth to smithereens, Dave 126, and they be just as cuckolds in feathering nests of vipers/snakeoil salespersons/past grand masters of the Great Game and who be at their right dodgy work in NonREST and Virtual Reality Play?

        They are the fields to master which so easily are able to be enabled and defeat them. And do you imagine that is Classified TS/SCI and/or an open source of relentless force?

        1. Dave 126 Silver badge

          Re: FULFILL MISSION OBJECTIVES! @ Dave 126

          [after some fuzzy logic parsing of the above]

          >Hmmm? However, does the fact that they seem to do the bidding of their political masters somewhat explode and flash crash smash that myth to smithereens,

          Cause one to question said myth, certainly, but immediately explode it? No; there are some causative steps missing.

          Basically, some US military commanders are given an extensive and perpetual education in history, geopolitics, philosophy, responsibility, humanities etc. whereas the politicians merely won a popularity contest.

          The responses to this article are interesting:

          http://contraryperspective.com/2014/12/17/americas-military-academies-are-seriously-flawed/

    2. allthecoolshortnamesweretaken

      Re: FULFILL MISSION OBJECTIVES!

      "lack of neocortical reasoning power": have an upvote for this little gem...

      Also, a very accurate description of the mindset. Problem is, a lot of other guys you could end up working for have pretty much the same mindset, i.e. corporation types. It starts with calling them(selves) officers.

      1. allthecoolshortnamesweretaken

        Afterthought

        Large organisations have something else in common with the military: it may be the officers who command things, but it is the NCOs that run things. And it is the grunts that get it in the neck when it is charlie foxtrot time.

  5. Anonymous Coward
    Anonymous Coward

    Ain't it great?

    DARPA is such a marvellous organization that it actually hurts. Oh, sure! They gave us the internet, but just look at it! It leaks like a sieve. Can you say: "Not quite ready for prime time?"

    1. allthecoolshortnamesweretaken

      Re: Ain't it great?

      DARPA gave us DARPANET.

      CERN gave us Internet.

      DARPANET was developed so that even in the event of all-out global thermonuclear war we could still access porn. The Internet was developed so that we, um - can I get back to you?

      1. PhilBuk

        Re: Ain't it great?

        CERN gave us www. The internet existed before Tim's contribution.

        Phil.

  6. Crisp
    Coat

    Is this going to be a standup fight, sir, or another bughunt?

    When else are you ever going to get the chance to use that line?

  7. John Smith 19 Gold badge
    Unhappy

    So the mystery of Bradley Manning is in fact

    That he appears to be the only one who got away with so much US comms traffic.

  8. fajensen

    Missile launchers and NMAP

    What could possibly go wrong with this?

  9. Anonymous Coward
    Anonymous Coward

    The blind...

    ...leading the criminally insane.

  10. Destroy All Monsters Silver badge
    Mushroom

    Battlestar Erratica!

    Funny thing are the juvenile wet dreams of playing Darth Vader and having everything under machine management from the belowdecks meditation room, controlled from Earth Orbit and targeted using machine analytic Big Data 24/7 "unblinking stare" 360° operational awareness shit and autonomous intelligence up the wazoo while the fa**ots are using "0000000000" as password to the Minuteman launch grid and cannot even manage to discover they are bombing a hospital for a full hour because "our combat management system is down, awww". The Uniformed Bukkakeed-by-Neocon Ones are even now starting to realize the fact that they are actively committing war crimes in Yemen by blockading the coast and tankering Saudi F-15s. Great stuff.

  11. Dr. Ellen
    Big Brother

    Bosses

    Bosses do not want to hear what they do not want to hear, and they have a regrettable tendency to take vengeance upon the person who says it. No amount of rule- or procedure-changing will affect that.

  12. channel extended

    Big Brass ones

    Face it, the big brass never likes to be embarrassed in public. Petty, vicious, and malignant personalities are those that get promoted. So I should risk it?

    This is the face of the military.

  13. ecofeco Silver badge

    No surprise to me

    After having worked a few gov contracts, this is no surprise to me.

    The gov will never, never attract and keep decent IT talent, let alone good to excellent. Whether in house or contractors.

    We are living through the beginning of the end of gov as we know it.

    1. amanfromMars 1 Silver badge

      Re: No surprise to me

      Better flash that message again across to Nos 10 and 11, ecofeco, for they appear not to have understood the upper house memo. They certainly received it. ....... Osborne, the Fluffer

      Oh, and with regard to .....

      Skidmore and other members of the Osborne camp have one powerful argument in their armoury – that the blow was delivered by unelected peers who have overturned votes in favour of the cuts by MPs.

      ...... Skidmore and other members of the Osborne camp would do very well to remember and never forget that they only serve at the pleasure of unelected peers, who be you and me and not they.

      Only an ignorant shipful of arrogant fools would embark on a journey to do vainglorious battle in such stormy seas as that. It will be enlightening to witness the future unfold and prove the disreputable fact is no errant fiction.

  14. Anonymous Coward
    Anonymous Coward

    "Do Nothing" culture....

    It's the "do nothing" culture other government agencies are preying on.

    As it turns out it's more valuable to the NSA to keep quiet about security flaws, than reminding others to patch them.

    Zero Day exploits are only a small percentage as compared to millions of unpatched systems.

    These systems are being catalogued right now - for future exploitation.

    There's another reason Army IT professionals don't feel compelled to report security vulnerabilities.

    The rewards for discovering a security vulnerability are after hours and weekend work, applying patches. Yeah!!!

    I think the Army is consciously accepting the risk of unpatched systems. It's hard enough to keep systems patched within a small organisation. They'll take a more reactive approach and just send another tank, plane, drone, soldier etc...

  15. Anonymous Coward
    Anonymous Coward

    A perspective from the inside

    Sounds like the US Army. I'm posting anonymously because I know people who are still serving, though it's getting to be a dwindling number and I don't want any of my friends taking shit because I'm a loudmouth. It happened enough when I was still serving.

    I left almost two years ago as soon as I could take my retirement. I served as an Enlistedman and as a Warrant Officer in both the Active component and in the Army Reserve. Unless you have been in it, you have no concept of how it works. You may have a vague idea, but you don't know just how bad it really is. Some of you are talking out of your asses and have no concept of how things are. Some of you have been close, so I'm suspecting there's some experience here from people who were in a NATO Army; maybe the US Army, maybe the British Army, maybe the Canadian Army or the Bundeswehr's Heer, but one of them. Especially accurate was whoever mentioned after-hours work; it happens enough to Enlistedmen as it is. You have to serve a Staff Duty shift at least once a month, and in most units it's a hell of a lot more than that (for example, male Drill Sergeants at TRADOC have to do it at least once a week for two years, and maybe three if you're good at it).

    From my experience, most of the people who are in a position to do something in regard to the shit with the Army's Information Management infrastructure are Junior Enlisted and Non-Commissioned Officers, with a very rare Warrant Officer around here and there who is a technical expert with precisely zero decision-making power in practice. Especially when there's some smartass 23-year-old 2LT or 28-year-old Captain who thinks they know everything running the company, and they won't do a damned thing about it even though they know it's fucked up, because doing something not only means more work for them, it also makes some Commissioned Officer (who may very well be an extremely insecure and petty son of a bitch that holds grudges as long as God) in your chain look like they're not doing their job, and making someone who will most likely be sitting on your promotion board look bad is a dumb idea if you're planning on staying in longer than a "four year queer". Occasionally you'll get someone, usually coming back to a CONUS garrison from a forward unit, who doesn't fucking care and will try to do something to correct issues, but that's pretty damned rare.

    These same commissioned officers were branched into Signal because they probably lacked the brains for Engineering or Intelligence and lacked the balls for Combat Arms, but still did their five years at West Point or four years in ROTC and have to be employed somewhere for at least five years. This is why I got lucky in the units I was in. When I was Enlisted we were usually left alone by the Commissioned Officers to do our job the way our first lines (who were NCOs) wanted us to, and when I got my warrant, my commissioned officers listened to us and the NCOs. I wish that was common. It isn't outside of Combat Arms and SF (I was not SF, and I was not Combat Arms. I was just fucking lucky).

    If they'd let the NCOs and Warrant Officers do their damned job without 2LT Pimplyfaced R. Shitforbrains and CPT Mouthbreather W. Point IV countermanding nearly every decent decision that gets made further down, because they don't like Sergeant Sierra and CW3 Hotel who won't kiss their asses and constantly tell them how great they are, it wouldn't be that bad. But it rarely happens.

    The only good thing about ARCYBER taking more responsibility is that MI might finally get to make more real decisions regarding security, aside from telling TRADOC what to put in the FMs, TTPs and TCs that never get read outside of AIT and PME, but I doubt Signal will ever let that happen. Look at how long the UAS programs lasted inside of MI: Aviation felt threatened and INSCOM caved because MI has no balls.

    1. amanfromMars 1 Silver badge

      Re: A perspective from the inside ... @AC

      Thanks for your service in supplying that vivid information, AC. The only cold crumb of comfort might be that all militaries are very much in the same boat whenever it comes to dealing with virtual invasion and dark web cyber penetration of strategic assets.

      And when it be ripped from stem to stern below the waterline, is there a titanic problem and quantum opportunity to exploit with zerodays.
