The Pentagon’s Cybersecurity Priorities Haven’t Changed in a Decade (warisboring.com)
41 points by SEJeff on June 19, 2016 | 31 comments

I've never understood why supposedly secure networks are accessible from the public Internet at all. Presumably there is a better reason than so officers can check their Facebook during the day? Why is there not an airgap requiring an attacker to physically attach something to gain access, that can be defended against by physical means, something the military is very good at? Genuinely curious.

Systems behind air gaps are a pain to maintain and super expensive. Often the software behind air gaps needs to be maintained and developed. Trying to develop software behind an air gap puts you at a substantial competitive disadvantage.

There are ways to balance it and it is a balance, giving users access in one location to air gapped and internet-connected systems for example, but there's a context-switching cost (and risk) there. To keep up with and even ahead of the curve though it's so much easier to do as much as you can without an air gap.

I've worked with people who've spent decades behind an air gap and it can be like working with people from the past. Imagine being a developer in 2016 who doesn't understand how Google, let alone Stackoverflow, can help their work.

The Galactica was a ship from the past, non-networked and seemingly out of date. It was about to be turned into a museum when the Cylons took out the rest of the fleet through a very intimate social engineering attack that took out all networked defenses. The Galactica, because of its air gaps, became the ark that gave humanity a chance for survival.

As the physical and virtual worlds blend more and more into one another, as bits become more capable of affecting atoms, we become more like the colonies on the eve of the attack.

Have there been any demonstrations of machine learning to either detect or initiate networked systems breach? All my internet connected servers are probed by automated bots trying to brute force their way in. It will be interesting to see how this develops.

I do know our systems are very fragile and we are incredibly vulnerable. In 2016 computing is just not secure enough for the tasks we are assigning it.
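As an added illustration of the automated probing the comment above describes (this is not code from the thread or from any poster): a small detector that parses sshd-style authentication log lines and flags source addresses with a burst of failed logins inside a sliding time window. The log lines are constructed samples in the common OpenSSH "Failed password" / "Accepted password" format, and the threshold and window sizes are assumptions chosen for the demonstration.

```python
"""Brute-force login detection over sshd-style auth log lines.

Added example; not code from the thread. The log lines below are
constructed samples, and the threshold/window values are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what an auth log might hold during a probe.
SAMPLE_LOG = """\
Jun 19 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun 19 10:00:03 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jun 19 10:00:04 host sshd[1003]: Failed password for invalid user oracle from 198.51.100.7 port 51041 ssh2
Jun 19 10:00:06 host sshd[1004]: Failed password for root from 198.51.100.7 port 51055 ssh2
Jun 19 10:00:09 host sshd[1005]: Failed password for root from 198.51.100.7 port 51060 ssh2
Jun 19 10:00:12 host sshd[1006]: Failed password for root from 198.51.100.7 port 51066 ssh2
Jun 19 10:01:00 host sshd[1007]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jun 19 10:01:20 host sshd[1008]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
Jun 19 13:00:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 60000 ssh2
Jun 19 13:30:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jun 19 14:00:00 host sshd[1011]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jun 19 14:30:00 host sshd[1012]: Failed password for root from 192.0.2.9 port 60003 ssh2
Jun 19 15:00:00 host sshd[1013]: Failed password for root from 192.0.2.9 port 60004 ssh2
Jun 19 15:30:00 host sshd[1014]: Failed password for root from 192.0.2.9 port 60005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2016):
    """Return (timestamp, result, user, ip) or None for lines we don't recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumed constant)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    A sliding window (rather than a fixed per-hour bucket) flags a tight burst
    of attempts while leaving a source that spreads attempts thinly unflagged,
    so the window size is a tuning decision, not a constant.
    Returns {ip: (window_start, count_in_window, usernames_tried)}.
    """
    failures = defaultdict(list)  # ip -> list of (timestamp, username)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            failures[ip].append((ts, user))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit inside the window
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and ip not in flagged:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[ip] = (events[start][0], count, users)
    return flagged


if __name__ == "__main__":
    for ip, (first, count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures from {first:%H:%M:%S}, usernames tried: {users}")
```

With the defaults, only 198.51.100.7 is flagged: it tries three usernames in a few seconds. The slow source 192.0.2.9 spaces its attempts thirty minutes apart and only shows up if the window is widened (for instance `threshold=3, window=timedelta(hours=2)`), which is the trade-off a defender tunes against the noise floor of their own logs.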

People developed software long before cutting and pasting from Stack Overflow became a thing.

A former boss told me about his time in the RAF: they had one machine in their office that could connect to the Internet. It was at one end of the office and hooked up to a big screen, so everyone could see that you weren't, I dunno, browsing the Russian Embassy's website or something.

Do you have to do the development on an air-gapped system too?

Depends whether the software is sufficiently sensitive that you want it air gapped too. Doing development for an air gapped system on a different network without that data has a different set of challenges.

Some are air gapped; a lot of them are not actually accessible over the internet but just go over mixed infrastructure (which makes them vulnerable to some attacks), but also a lot of these networks have to be accessible over the internet by soldiers, civilian workers, contractors etc.

It's not like the nuclear launch system is accessible over the internet, but, for example, the procurement and logistical system is, because it's the only real way to assure that every contractor and supplier can easily access it, as well as every logistical unit in the armed forces being able to access it from everywhere, not just the few bases that would be hard wired to connect to the Pentagon.

It's really easy to come and say just air gap things but when you have networks that span not only an entire country but the entire globe that need to be accessible to millions of people from both the military and the public sector you can't just do it.

Lay your own cables. Really.

It's not that simple, and are you going to lay your cables to every contractor and supplier? Many of which can be fairly small niche businesses?

Military networks are fairly secured, while the article does bring a few interesting anecdotes it's quite hyperbolic.

Also I would like to point out that every big hack today, especially those by state actors, used fairly common and even "outdated" attacks and vulnerabilities; they were masterfully executed, but it's not like they used some super new exploits and attack vectors that no one had heard of before.

Military doctrines take time to develop, even in "cyber warfare", military computer systems also don't tend to be the latest and greatest as far as hardware and software goes but they are often reliable.

Building defenses around what you know and what your attackers are able to do is a good strategy; knowing when and what to air gap and what to protect is also critical, because not every military network is secret nor critical. You focus your resources on an effective strategy; the 80–20 rule applies even to military and defense networks.

That only adds a small amount of physical security. Much more security can be achieved by using cryptography.

Except when it doesn't and hackers waltz in - anything connected is vulnerable.

A large network by definition cannot be air gapped.

I'm sure if you are able to design a network spanning the continental US, Hawaii, Alaska, US Territories, and US bases around the globe, allowing military personnel, civilian workers, contractors and suppliers to securely connect to it, while being economical on any order of magnitude close to the current cost and being effectively "air gapped" and secure, the Pentagon would award you a contract to build it in a heartbeat.

Until then let's all stop being literally armchair generals and assume that, while it surely has a lot of room for improvement, someone at the Pentagon might just know what they are doing, and they are doing the best they can, or fairly close to it, considering all the constraints they have to operate against.

It's far easier to just tap the cables than break TLS. How many times has TLS been broken?

There are different levels of security. Some secret stuff is online and some classified stuff is online via SIPRNET. Precious little of the JWICS (top secret Internet) is connected to the "main" internet, and where it is, the access is pretty draconian. It has to be connected in some areas due to things mentioned by others throughout this thread. Even entirely air-gapped systems aren't fully secure; see Iran's Natanz nuclear facility and Stuxnet as proof. Also, on the air-gapped SCADA networks, all software tends to be woefully out of date. It is a hard problem to solve and throwing more money at it won't really solve it.

As an example of what you mentioned, most of the TS/SCI dark fiber is at a minimum enclosed in pressurized pipes. When the pressure in any segment of those pipes drops below a threshold, armed goons come see what's going on in a hurry. I know this anecdotally, as one of my cousins works on a construction crew near Ft Meade. His company's backhoe punctured one of those pressurized and unmarked pipes and they came in 10 minutes.

I've never understood why military computer people need to wear camouflage. You are in an office. I see you.

It's a uniform. Apparently, they all started wearing the ACU uniform when mass deployment to Afghanistan and Iraq happened, as institutional acknowledgement that even if you're in the Pentagon, you're part of an organization that is also fighting in the field.

>> even if you're in the Pentagon, you're part of an organization that is also fighting in the field.

9/11 demonstrated that the Pentagon is the field.

> 9/11 demonstrated that the Pentagon is the field.

Yes, but in a way that still makes the camouflage irrelevant.

More irrelevant than wearing a suit? Ties became silly once shirts with buttons were invented. It's all just fashion.

What was tie used for before that?

Without a top button, you used a piece of cloth around the neck to hold up the shirt. Then an infamous French king liked the look (he also basically invented men wearing wigs) and ties became fashion.

Obviously, for the same reason cyber-criminals need to wear masks when hacking stuff:


I don't think wearing a mask is very crazy. It looks like a good backup for the day the post-it falls off the webcam.

It's to instill conformity and obedience, just like school uniforms.

Yes, armies generally tend to do this. It's not like that's unknown when you enlist.

When you want to have a rigid chain of command and people who all essentially always follow orders, you need conformity and obedience.

Won't agree with downvotes; I think it is an interesting distinction, however. In school it's mostly about conformity to some 'business wear ethics' and avoidance of distracting flamboyant costumes, not obedience, unless teachers also wear uniforms to signal different rank.

In the military they do have to institute obedience (you can get executed on the spot for disobedience) and they already have an elaborate system of costumes to wear under different conditions.

To add to these, another field/office distinction would (1) increase cognitive load, (2) bother those officers who work in the office, since they'll be looked at as 'second-class' just from their looks, and (3) camo isn't unfit for the office, which (as sandworm101 has noted) can suddenly turn into a battlefield if they attack the building.

Overall, one less decision to make, and that decision would only benefit those in the field. Which are, by definition, not the highest-ranking.

Cybersecurity isn't the Pentagon's job. The military does security like any other large organization, but they are not the bleeding edge for technology or innovation. That's the domain of intelligence agencies, specifically the NSA and its private partners.

The article is critical of the military for prioritizing service continuity, but that is what large organizations dealing with continual attacks must do. They are not on a war footing, ready to throw down everything for total victory. Cutting off online attacks in wartime is different than in peace. Got a boat with an anchor? The navy does.

Their priorities haven't changed because their conflict space hasn't changed.

It seems like they're trying to change their approach to cyber security with the new cyber protection teams [1].

[1] http://www.govtech.com/security/US-Cyber-Commands-Launches-1...

Cybersecurity is the Department of Defense's job. Guess where they're based out of? The Pentagon.

Lol. Don't tell the NSA that, or the FBI, or DHS or the NYPD or the latest "Cyber Threat Intelligence Integration Center". Everyone says "cyber" is their thing. They all fight for dollars. The reality is that most of them do nothing more than defend themselves as would any other large organization.

Assuming that it's inadequate now, why was it adequate ten years ago?

