I hesitated about posting on this subject since it’s a bit out of my comfort zone. You are presumably aware that a recent “bug-finding” event found 238 security vulnerabilities in the Army’s systems. Brad D. Williams reports at Breaking Defense:
WASHINGTON: The third annual Hack the Army event uncovered 238 security vulnerabilities — 102 rated “high” or “critical” — in Army tech.
The bug bounty event, which began in January and ran for six weeks, invited military and civilian security researchers to find vulnerabilities within a limited time frame. This allows the Army to proactively fix the prospective cyber targets, ideally before a bad guy can exploit them.
For perspective, Hack the Pentagon found 138 unique, validated vulnerabilities in 2017, Hack The Army found 118 late fall, and Hack the Air Force found 207, according to a story Sydney did on the program.
“We cannot afford a ‘next time we will do better’ mentality. I strongly believe a proactive approach is critical, which means finding potential problems and addressing them before they are realized,” said the Defense Digital Service’s Maya Kuang, who participated.
This year’s event included 40 military and civilian participants. Eligible civilian security researchers received more than $150,000 in total bounty payouts.
The reason I was moved to remark on this is the several recent, highly publicized ransomware incidents. There have been a number of suggestions of using Cyber Com to oppose these exploits.
Now, you might think that for legal and cultural reasons our military was well-positioned to protect itself against cyber-security threats. The discovery of so many vulnerabilities suggests that just isn’t the case.
What’s the issue? Lax discipline? Cyber-security just not a priority? They don’t have the capacity to deal with the situation? If any of those is the case, it doesn’t exactly bode well for our military’s ability to protect the civilian sector against attack if they can’t even protect themselves. Consider physical analogies and you’ll see what I mean.