Despite its recent efforts to build security good enough to keep teenage hactivist groups out of its servers, let alone organized cadres of foreign cyberwarriors, the U.S. Department of Defense has spent so long delaying any effort to come up to speed on digital attack and defense that it has a long slog to just catch up to the present, let alone prepare for the future, according to a damning new report.
In a long-awaited evaluation of DoD's digital security and warfare capabilities, the Government Accountability Office (GAO) reported July 25 that the DoD began taking cyberwar seriously only during the past two or three years, after ignoring warnings since at least 1991 that it was putting itself and the nation's digital infrastructure at risk by not taking the threat seriously.
That has changed in recent years, to the point that the Pentagon just launched a new Web site dediated to its "new" cybersecurity policy, which a general described as being more focused on offensive capability and deterrence through fear, at the same time a Congressman involved in funding for the program praised its tighter focus on defense.
Confusion and lack of a central unifying force or clearly defined enemy caused the DoD to allow its cybersecurity infrastructure rot. Pentagon systems have been hacked repeatedly almost every year for the past two decades; it has done almost nothing to deter, stop or even slow down the attack on and penetration of U.S. government information systems by foreign intelligence agencies, criminal groups, individual hackers and terrorist groups, the report concluded.
The oh-so-understated "DoD Faces Challenges in Its Cyber Activities" (PDF) released July 25, is the GAO's answer to questions Congress began sending it in 2008 in an effort to get an evaluation of DoD's abilities more realistic than reports the Pentagon put out while clearly not taking the threat seriously.
Pentagon brass are taking it seriously now, GAO reported, especially since Pentagon got its act together to create a coherent statement of policy called the National Military Strategy for Cyberspace Operations, which was published in 2006.
In the five years since, the Pentagon has thrown tremendous resources into preparing for cyberwar, but has not been successful in catching up to the level of current threat or made progress in preparing for future threats, the GAO report concluded.
"According to DoD, a large number of intelligence agencies and foreign militaries are actively trying to penetrate our military networks. These networks are scanned millions of times a day and probed thousands of times a day. Over the past several years, DoD has experienced damaging penetration to these networks...[including] blueprints of weapons systems that have already been compromised," the report said.
The creation of a centralized U.S. Cyber Command to integrate online efforts of all four services was a big step forward, but fissures between the services and even within the cyber command make it hard to come up with timetables to update policies, response plans and technology roadmaps.
The number of service people working online has ballooned, as has the budget for cyber security and cyberwar systems. Both are still far too small even maintain a secure posture online, let alone catch up to the neglect of the past, the report concluded.
The Pentagon's rigid and traditional reporting structure is one culprit.
Even with a semi-independent Cyber Command to direct the Pentagon's overall effort the four services have such distinct priorities, lines of command and priorities that it's often difficult to know who is in charge of what, who really has the authority to make decisions that affect more than one fiefdom and whose job it is to make sure critical projects aren't left half finished or, worse, completed, but in a way that does no good to anyone.
The bad news in a more general governmental context is that "DoD has been characterize as one of the best-prepared federal agencies to defend against cybersecurity threats." Without serious changes it may not keep that lead. Or, at least, may not be able to make the leap into competence from its current status as best of a bad lot among government agencies.
Even for an organization with the budget and security awareness of DoD, the prospect of having to keep pace with the steady increase in threats from smaller countries and stateless terror organizations is "daunting," GAO concluded.
The risk is more than just losing blueprints to top secret weapons systems. National power and IT infrastructures could be disrupted, attacks on financial-services companies or exchanges could damage the economy, attacks on flight-control systems could put aircraft in danger.
The overall picture the GAO paints is of fragmented military organization with no clear direction or goal to pursue in cybersecurity. The problem begins at so fundamental a level within the military, in fact, that the GAO's recommendations for fixing it also sound unfocused or at least far too basic. They begin more like a tutor recommending a high school senior repeat middle-school math before trying for acceptance to the Ivy League:
The first recommendation is that DoD create a schedule and series of deadlines under which it will standardize the publications describing its doctrine and practice of cyberwar – meaning all the policy and instructional material for all four services have to be retooled to the point they don't actively conflict with each other.
Then all those non-conflicting doctrines have to be propagated through the rest of all four organizations in manuals and training guides, which are the real medium through which knowledge filters through a giant organization that is fundamentally more comfortable with doing things than talking about how to do them.
The second recommendation asks DoD to "clarify command and control relationships regarding cyberspace operations" and create another timeline defining who is responsible for making sure which balls are not dropped.
Telling the managers of any organization they have to figure out who's in charge and tell the uber-bosses after they figure it out is pretty serious criticism. If the uber-bosses haven't appointed a leader, and can't even tell by examination who is supposed to be in charge, there aren't a lot of ways to argue the place was being adequately managed.
For an organization as pathologically hierarchical as the military, it is as damning a criticism as it is possible to offer to say not only that the leaders are not leaders, but that there's no way to tell how long it might take to figure out who those leaders should be or what steps they should take to damp down the chaos.
In a military context that's like taking down all the signs warning strollers not to wander out on the business end of a rifle range, or neglect to mention to those learning to fire a mortar that they should point the weapons any direction but directly at a nearby road.
DoDcritics don't know where to start
The final two recommendations are the ones you'd expect to come first in any evaluation of an organization's effectiveness: assess your weaknesses in the area of competence being examined, then develop a plan and funding strategy to address those weaknesses.
The real problem with DoD is that the GAO found so little direction in the Pentagon's cyberwar efforts its analysts felt they couldn't make recommendations on how to make forward progress without mentioning the DoD couldn't even figure out how to sit down if it didn't first learn how to find its but with both hands.
Much of the GAO's own research had to start by figuring out how DoD's cybersecurity was actually organized, because none of the reality appeared to match any of the assumptions, documentation or expectations of any of the people involved.
Then GAO analysts had to figure out what the DoD actually was trying to do. More accurately, since organizations are usually built with a single goal in mind, and are structured to address that goal, the GAO had to figure out whether the DoD actually had a goal toward which it was building and what the haphazard organization it ended up building was constitutionally capable of accomplishing.
Then, having been forced to define what the DoD's lack of overall cybersecurity organization was concerned with doing, it had to compare what the Cyber Command was actually capable of doing and whether those abilities were sufficient to even address the current level of threat.
Although individual officers and some cybersecurity groups certainly knew what they were doing within their own little spheres –and individual services were more coherent in their internal cyberwar efforts than the Pentagon as a whole – it's clear that those theoretically in charge of the overall DoD cyberwar efforts knew less about what the Pentagon was doing to prepare for cyberattacks than those who were attacking.
There is a military term for armies so uncertain of their own skills, resources, strategy and command that the enemy is able to find out more from spying missions than the commanders can by asking questions:
The term is "loser."
That doesn't mean loser in the thumb-and-finger-on-the-forehead sense. Not in the "ha ha, you suck" sense. It means "Loser" in the historical sense; the archeological sense. The tragic, bloody, end-of-an-era, Napoleon after Waterloo sense; like Poland after the Blitzkrieg. The sense that the victim of an obviously inevitable tragedy became even more vulnerable by refusing to admit the validity of a growing threat, and was crushed by it without even enough time to complain that everything was happening too fast.
Losers of this kind don't get fired. They are buried on the field where they fell and disappear from history because they didn't recognize the invincibility of a Russian winter or German tanks or typhus or yellow fever or starvation or the inevitable result of marching into battle against thousands of enemy while carrying hundreds of bullets and lacking any way to go back for more.
The DoD recognizes losers of that type from its history books, but doesn't see them in itself because it can't bring itself to consider as dangerous an enemy that might operate out of its mom's basement, even when the evidence is clear that childhood fears that untold horrors lurk down there in the dark is very very clear.
Cyberwar isn't like a shooting war. The Pentagon is good at those, and at modifying itself to fight different kinds of real war using the same preparation it uses for the king-sized, mechanized war for which it has prepared for more than a century.
That kind of war allows an organization filled with guys and guns to change what kinds of guys and what kinds of guns it uses, so it can fight house to house to quell an insurgency, rather than nation-to-nation to settle an argument. It can do the job it knows how to do even when the it's more appropriate to accessorize with grenades rather than artillery, dodge RPGs rather than long-range missiles, or consider as a major battle one really bad day in a village in the middle of nowhere rather than one that flattens cities and devastates countrysides.
You can disassemble a giant, factory-made army, and send little pieces of it into smaller places to wage nano war rather than Total War.
You can't take it apart so completely you can easily repurpose the protectiveness and aggression but leave the blood-and-guts behind.
Most of war doesn't involve actual fighting. Most of it involves getting shooters to the fight feeding and arming them while they're in it, and then bringing them home again. And of supplying, transporting and feeding all the people who do the supply, transport and feeding of everyone else.
An army is a supply chain with that ends in the barrel of a gun. It is a long, predictable event-driven linear workflow with identifiable triggers, predictable responses and a few tricks to make it look more ad hoc than it really is.
The U.S. military is very good at running its supply chain and redirecting the gun barrel to cover new targets or customers when necessary.
It is a telling sign of the U.S. military's unwillingness to take on the responsibility of cyberwar that it has failed for 21 solid years to respond successfully to warning s it had a huge hole in its digital defenses.
Successful armies don't let big holes remain in their defenses for 21 years.
Successful armies spend most of their time fixing up their main defenses and in making themselves brave enough and well equipped enough to roll out on the field where a stranger's tanks can shoot at them. They' don't sit in an operations center, on hair-trigger alert to squash a SQL injection attack or port scan or spear-phishing attempt.
That's not what it has been practicing to do for 200 years or what it and each individual member of it has had to become to accomplish its goals – goals that require very specific emotional, instinctual and organizational adaptations.
It's oxymoronic to say it, but the extreme adaptations needed by those chosen by an otherwise peaceful society to do what killing is necessary are not easy to reverse or reorient to the point of considering an sustained DDOSing as being just as valid an attack as an artillery barrage.
It may be time to consider having someone other than the military take over primary responsibility for attack and defense of the United States in cyberspace, despite the often sincere effort of many in the military to duct-tape good cyberwar capabilities onto an organization exquisitely well designed to deliver death and destruction at a great distance for a long, long time in the face of fierce opposition rather than sit in a chair with its forehead stuck to a screen.
You don't need a giant naval gun to fight off the Ravening Hordes from Some Other Mom's Basement. They might be fun, but they're not really helpful.
You need to stay up late at night, eat pizza, drink caffeine and keep poking at someone else's servers until they roll over and give up the root.
The DoD wants its server pokers to get up early in the morning, go for a run and speak in military gibberish rather than speaking good, old-fashioned Geekish.
I'm not sure it's a language the Pentagon even knows how to translate without misinterpreting because it doesn't understand the context. The cultural differences are vast.
The GAO makes clear that the Pentagon is way out of its depth in the effort to build a credible cyberwar capability. It's not clear to me whether it will ever be able to swim its way out, or learn how to do more than just tread water while the bad guys zoom around in Somali pirate boats.
I wonder if it's time to let someone else have a crack at defending the U.S. against cyberattack.
So far the DoD hasn't built much of a defense, or become feared enough to be much of a deterrent. In some ways, it literally doesn't know what it is doing about cyberwar
The sad part is that, even after long and painful examination, neither does the GAO. The danger is that, of all the entities who might have a clear understanding of U.S. weaknesses in cyberwar, the most clear and most complete may very well be a military organization, one that has spent nearly as much time in U.S. military systems as the DoD itself. Unfortunately, that sharp, aggressive, well-trained, well-funded band of cyberwarriors don't work in the Pentagon. They just visit there virtually, and, when they log off, go back home to China.