In today's "geez, it's about time" moment, the Pentagon confirmed a March hack attack lost the U.S. military its exclusivity over 24,000 files and that the U.S. military would be changing the way it defends against cyberattacks.
The defense contractor that got hacked in March remains unnamed in the Pentagon report, though Lockheed Martin admitted it had been attacked in May, along with the CIA, Senate, the Pentagon itself and half the rest of the government.
And Booz Allen Hamilton was hit this week, proving vulnerability is a characteristic that lasts far longer than anyone finds it endearing.
The files that were copied or stolen were sensitive and important enough that the Pentagon may require the redesign of some of its existing weapons systems, according to its statement.
Until now the Pentagon's response to sudden attacks or long-term penetrations has been "way too predictable" and "purely defensive," General James Cartwright, vice chairman of the joint chiefs of staff told reporters Thursday.
"There is no penalty for attacking us now. We have to figure out a way to change that," Cartwright said.
That sounds like something all those military minds might have thought of earlier, but may not reflect an actual strategy.
"Hours later [after Cartwright's statement] the deputy defence secretary, William Lynn, presented a strategy whose thrust, he said, is defensive and focused on "denying the benefit of an attack," according to the British Guardian newspaper's version of the new strategy, which may make it hard for the Pentagon to avoid tripping over its own feet, let alone maneuvering to attack the enemy.
The Pentagon spends 90 percent of its IT security time on better firewalls and 10 percent to deterring attack, according to Cartwright, who said the reverse would be closer to an ideal strategy.
The new plan's defensive portion, in addition to firewalls, depends on network sensors and software to detect behavior within Pentagon systems that indicate a penetration after it occurs to help stop attackers from doing any damage even if they do penetrate the outer wall.
Unfortunately, our military is organized to favor rigid adherence to procedure and the forceful execution of a plan whether or not it's hopelessly out of date.
Very important when you do all the boring, routine stuff that keeps butter and bullets getting to troops under fire. Even more important on a wide-open battlefield where artillery and planes are blowing up things they can't see directly and all the shooters on your side have to be in places they won't get blown up.
Not so good when the army that's attacking could be a division of Chinese non-coms trained in spear phishing one day and a bunch of script kids with a set of SQL injection tools and a lot of attitude the next.
"Adapt, improvise, overcome," goes the unofficial motto of the Marines. Even they never adapted or improvised quickly or completely enough to respond to the digital threats they and the rest of the U.S. military faces every day.
Imagine running an IT department trying to keep up with the speed of business "in an enterprise with 18 or so layers of management between the top and the most junior employee" the Wall Street Journal posits. "Now imagine...it can take literally decades to buy new equipment and that you can be jailed for having dirty footwear."
I don't see that being a great formula for online invulnerability.
People who live in their moms' basement, live on pizza and don't own shoes that aren't sneakers just aren't afraid of anti-hackers in shiny shoes and military trade-school training in Unix administration.