In 2011 the U.S. federal government spent at least $13 billion on IT security. A full $10 billion of that money was spent by the Department of Defense. Most of it seems to have gone to snazzy new patches for the various cyber-commands because the DoD’s own assessment team says the military’s IT security is still atrocious.
"During exercises and testing, DoD red teams, using only small teams and a short amount of time, are able to significantly disrupt the 'blue team’s' ability to carry out military missions. Typically, the disruption is so great that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed. These stark demonstrations contribute to the Task Force’s assertion that the functioning of DoD’s systems is not assured in the presence of even a modestly aggressive cyber-attack."
This is just one of the many astounding quotes to be found in The Defense Science Board’s report on American tax dollars going straight down the tube. Here are a few more:
- "After conducting an 18-month study, this Task Force concluded that the cyber threat is serious and that the United States cannot be confident that our critical Information Technology systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities."
- "The Task Force could not find a set of metrics employed by DoD or industry that would help DoD shape its investment decisions. A qualitative comparison of resources and DoD level of effort in relation to the success rate of red teams is clear evidence of the lack of useful metrics." Translation: The Task Force has absolutely no way to determine if DoD's efforts have been successful.
- "This Task Force recommends improving the cyber resiliency of a mix of the following systems for assured operation in the face of a full spectrum adversary: global selective strike systems e.g. penetrating bombers, submarines with long range cruise missiles…" Translation: It would be nice if DoD could use some of the weapons it already paid for.
- "Our nuclear deterrent is regularly evaluated for reliability and readiness. However, most of the systems have not been assessed (end-to-end) against a Tier V-VI cyber attack to understand possible weak spots. A 2007 Air Force study addressed portions of this issue for the ICBM leg of the U.S. triad but was still not a complete assessment against a high-tier threat." Translation: Do you remember the Maginot Line?
The report doesn't contain all bad news. The team did take a moment to commend the Pentagon’s efforts to prevent people from stealing guns, tanks and aircraft carriers before returning to the main theme.
"While DoD takes great care to secure the use and operation of the 'hardware' of its weapon systems, these security practices have not kept up with the cyber adversary tactics and capabilities."
Sadly the Defense Science Board didn't explain what happened to all that money allegedly spent on IT security. Perhaps that’s because while $10 billion sounds like a lot of money, it’s a normal cost overrun when it comes to the Pentagon. In fact it is exactly half the amount the military spent on one year of air conditioning for U.S. troops in Iraq and Afghanistan.
If it is any consolation to anyone (and it shouldn’t be) the report provides evidence that U.S. IT security has always been terrible:
"A recently declassified example of a [then] high-tier exploitation is a Soviet Union operation against the United States during the Cold War designated by the United States as Project GUNMAN. In the 1970s and early '80s, the IBM Selectric typewriter was considered an advanced electromechanical 'computer' of its day. Soviet 'cyber warriors' managed to replace the comb support bar of the typewriter with a device that externally looked the same but was cleverly modified to enable the transmission in plain text of nearly every typed key to a nearby Soviet listening post. Between 1976 and 1984, sixteen of these typewriters found their way into the U.S. Embassy in Moscow and the U.S. Mission in Leningrad."
As was stated in the classic Stanley Kubrick flick Dr. Strangelove: "Well, I've been to one world fair, a picnic, and a rodeo, and that's the stupidest thing I ever heard come over a set of earphones."
PS: Andrew Conte has a very good story on the entire report here.