
The Pentagon’s Cybersecurity Priorities Haven’t Changed in a Decade - SEJeff
https://warisboring.com/believe-it-or-not-the-pentagons-cybersecurity-priorities-haven-t-changed-in-a-decade-aeee59d60ed3
======
gaius
I've never understood why supposedly secure networks are accessible from the
public Internet _at all_. Presumably there is a better reason than so officers
can check their Facebook during the day? Why is there not an airgap requiring
an attacker to physically attach something to gain access, that can be
defended against by physical means, something the military is _very good_ at?
Genuinely curious.

~~~
cs02rm0
Systems behind air gaps are a pain to maintain and super expensive. Often the
software behind air gaps needs to be maintained and developed. Trying to
develop software behind an air gap puts you at a substantial competitive
disadvantage.

There are ways to balance it and it is a balance, giving users access in one
location to air gapped and internet-connected systems for example, but there's
a context-switching cost (and risk) there. To keep up with and even ahead of
the curve though it's so much easier to do as much as you can without an air
gap.

I've worked with people who've spent decades behind an air gap and it can be
like working with people from the past. Imagine being a developer in 2016 who
doesn't understand how Google, let alone Stack Overflow, can help their work.

~~~
Bromskloss
Do you have to do the development on an air-gapped system too?

~~~
cs02rm0
Depends whether the software is sufficiently sensitive that you want it air
gapped too. Doing development for an air gapped system on a different network
without that data has a different set of challenges.

------
Cuuugi
I've never understood why military computer people need to wear camouflage.
You are in an office. I see you.

~~~
tr1ck5t3r
It's to instill conformity and obedience just like school uniforms.

~~~
semi-extrinsic
Yes, armies generally tend to do this. It's not like that's unknown when you
enlist.

When you want to have a rigid chain of command and people who all essentially
always follow orders, you need conformity and obedience.

------
sandworm101
Cybersecurity isn't the Pentagon's job. The military does security like any
other large organization, but they are not the bleeding edge for technology or
innovation. That's the domain of intelligence agencies, specifically the NSA
and its private partners.

The article is critical of the military for prioritizing service continuity,
but that is what large organizations dealing with continual attacks must do.
They are not on a war footing, ready to throw down everything for total
victory. Cutting off online attacks in wartime is different than in peace. Got
a boat with an anchor? The navy does.

Their priorities haven't changed because their conflict space hasn't changed.

~~~
SEJeff
Cybersecurity is the Department of Defense's job. Guess where they're based
out of? The Pentagon.

~~~
sandworm101
Lol. Don't tell the NSA that, or the FBI, or DHS or the NYPD or the latest
"Cyber Threat Intelligence Integration Center". Everyone says "cyber" is their
thing. They all fight for dollars. The reality is that most of them do nothing
more than defend themselves as would any other large organization.

------
Bromskloss
Assuming that it's inadequate now, why was it adequate ten years ago?

