"When Microsoft or Adobe comes out with a patch, the bad guys are using that stuff too, so they know where the vulnerable areas are," said Bowman, who is the Joint Chiefs of Staff's director of command, control, communications and computers (J-6).
"We have these combatant command readiness checks, and it appears to be an episodic thing, where a whole lot of work goes on when you're getting ready to be inspected."
While Bowman didn't discuss any particular security lapse, he said that, over and over again, he has seen breaches result from routine fixes that were simply ignored or security measures that weren't taken seriously.
"We're all reading about breaches in security, and every one that I can think of is related to poor network hygiene, some patch that somebody didn't put in, some weak password that somebody had, some systems administrator that had a simple password that could be hacked," Bowman said. "These are simple things; this is our job."
A lapse in addressing vulnerabilities was just one of the weak spots Bowman discussed. The Defense Information Systems Agency (DISA) is in charge of coordinating and streamlining the disparate IT systems of the DoD into a more unified, secure system known as the Joint Information Enterprise (JIE).
Bowman said he was unhappy with the pace of progress on the project. He cited disputes over control and territory as delaying the development of command and control DOD Information Networks (DODIN) which is supposed to take of the defensive work of US Cyber Command.
"There's been a lot of talk about progress, a lot of people are happy with where we are — I'm not," Bowman said. "No matter what we do for our next operation, no matter whether it's humanitarian assistance."
He described a lack of unity over sharing control over the various parts of the massive undertaking.
"I don't know why. What we really need is end-to-end visibility, and if we got people worrying about what they control and where they are in the network, that's a problem."
Bowman also spoke about the Joint Regional Security Stacks — the network hubs that make up the JIE. The JRSS project is a collection of servers, switches and software tools meant to give DOD network operators a clearer view of traffic. Bowman said the stacks aren't being rolled out quickly enough for his liking.
The stacks project "is a must-do this year, but we got people looking at it and reading the homework and deciding we don't really want to do that," he said, also citing a lack of sufficiently qualified personnel to do the work.
The Joint Chiefs official also said the Pentagon was encountering resistance to efforts to exert more control over networks.
"We're seeing people push back" on those efforts, Bowman said.
"People think they own their own network; they don't own any networks. This is all part of the Department of Defense networks, and we need to realize that… and then act like that."
Bowman's comments came just days after the US Office of Personnel Management (OPM) told Congress it cannot afford a $93 million IT upgrade to prevent future cybersecurity breaches like the one announced in early June that compromised the sensitive personal data of nearly 18 million prospective, current and former federal employees.
On the heels of the largest breach of personal information in federal government history, the funds to counter such breaches were lacking, OPM Assistant Inspector General for Audit Mike Esser told a Senate Financial Services and General Government hearing on Tuesday.
"The cost of this work is likely to be substantial and the lack of the dedicated funding source increases the risk that the project will fail to meet its objectives," Esser stated.
"Its estimate of $93 million includes only the initial phases of the project, which covers tightening up the security controls and building a new shell environment," he added.
OPM is the US government’s human resource department charged with recruiting and training the workforce of the federal civil service.