I had the opportunity to tour the "USS BONHOMME RICHARD," as well as talk to visiting sailors and marines, this weekend during SF Fleet Week.
My takeaway impressions (other than that god damn do these people drink and holy shit are they young), especially after talking to the mechanics and network IT folks, is that a ton of their systems are old, the manpower turnover is between 1-2 years as they get cycled between boats (or 4 max as most of these kids are just putting in their 4), and training is extremely specialized. Most parts of the systems (this especially from the mechanics) usually perform to about 10% their pitched lifespan from whoever made them before they fail, repeatedly.
The windshield wipers on all Ospreys (those dank helicopter/plane things, think Ghost in the Shell) have been disabled/removed because their motors would catch fire in inaccessible places near the pilot's feet.
The only thing preventing access to a boat's network is standing orders and the threat of punishment. You can just plug right in.
Every system runs on the same network. This includes radar, weapons systems, anti-air, emergency comms, in-ship cameras...
This on top of the fact that half the people I talked to, the ones actually running these systems, are overworked 19 year olds with circles under their eyes. The only people over 25 seemed to be officers and pilots, maybe those guys know about the systems and can offer expertise? I'm not sure, I didn't get to talk to any of them.
I'm hoping my perception of the military is completely wrong, which is entirely possible because I didn't get to talk to that many people, maybe like 4 or 5 mechanics, a couple marines, and a couple of the network IT people, all relatively low rank. But, as of right now, I have absolutely no confidence in the military to withstand a full on cyberattack from a similarly provisioned military.
> The windshield wipers on all Ospreys (those dank helicopter/plane things, think Ghost in the Shell) have been disabled/removed because their motors would catch fire in inaccessible places near the pilot's feet.
Well, this is not related to the main point about cyber security. If true, it's just a piece of equipment that was found to be flawed. It is a non-essential system that was made INOP.
The Osprey is a marvelous piece of engineering that is difficult to replicate by other nations.
> Every system runs on the same network. This includes radar, weapons systems, anti-air, emergency comms, in-ship cameras...
Physical network or logical network?
> The only thing preventing access to a boat's network is standing orders and the threat of punishment. You can just plug right in.
And then do what once you are in? Unless we are assuming there is zero security, this doesn't mean much. Besides, you have to be on the ship already.
I'm not saying that the systems are adequately protected, they may not (as the article states), but there's too much information missing for us to play the role of security auditors.
That's a problem if you just encounter the ship on open sea, but if you anticipate a conflict it shouldn't be hard to turn one of the literally thousand people crewing the ship. Just find one person who you can force/incentivize to plug an LTE enabled network device in and start hacking from a safe distance (bring your own LTE base station for hacking on open sea).
Based on my first-hand experience as a solider in the US Army, talking to 4-5 low-ranked sailors is unlikely to give a meaningful picture of the whole system. I don't have specific experience with Navy systems to judge the technical details of
komali2's post, but I would caution against taking a summary of second-hand accounts from operators as fact.
I would take his recollection with a grain of salt but what they told him most likely was more true than false.
So that leaves a number of specific statements which you could each refute, in part or in their entirety. Judging from the title of this article and a number of other anecdotes in this thread (some by other people that served) it seems his anecdote is entirely believable.
That you can't extrapolate to all of the army would be a given.
First, most IT personnel on ships (especially one as ancient as the Bonhomme Richard) do not work on weapon systems. Most of them would not even be able to discuss where on the ship they are intelligently, let alone what they connect to.
The people you talked to simply aren't informed. You even note that you were talking to 19 year old kids, and they're not generally the ones who know what's going on.
People named jki275 that post one-sentence replies on Hackernews? ;)
What kind of work do you do? You're in the military? What's your rank / job description? That's the kind of information I'm curious about. If the answer is "I can't tell you because it'll expose personal information," well, I'm not the one that outed you lol.
I gave very specific comments above, and explained that I have many years of experience with these systems. No, I'm not going to give you details other than that I'm a very senior person in the field. And I'm not 19 years old...
My takeaway impressions (other than that god damn do these people drink and holy shit are they young), especially after talking to the mechanics and network IT folks, is that a ton of their systems are old, the manpower turnover is between 1-2 years as they get cycled between boats (or 4 max as most of these kids are just putting in their 4), and training is extremely specialized. Most parts of the systems (this especially from the mechanics) usually perform to about 10% their pitched lifespan from whoever made them before they fail, repeatedly.
The windshield wipers on all Ospreys (those dank helicopter/plane things, think Ghost in the Shell) have been disabled/removed because their motors would catch fire in inaccessible places near the pilot's feet.
The only thing preventing access to a boat's network is standing orders and the threat of punishment. You can just plug right in.
Every system runs on the same network. This includes radar, weapons systems, anti-air, emergency comms, in-ship cameras...
This on top of the fact that half the people I talked to, the ones actually running these systems, are overworked 19 year olds with circles under their eyes. The only people over 25 seemed to be officers and pilots, maybe those guys know about the systems and can offer expertise? I'm not sure, I didn't get to talk to any of them.
I'm hoping my perception of the military is completely wrong, which is entirely possible because I didn't get to talk to that many people, maybe like 4 or 5 mechanics, a couple marines, and a couple of the network IT people, all relatively low rank. But, as of right now, I have absolutely no confidence in the military to withstand a full on cyberattack from a similarly provisioned military.