US DOD Has Become Overconfident in Its Cybersecurity Protocols – Security Expert

© AP PhotoThis is an aerial view of the five-sided Pentagon building, headquarters of the United States Department of Defense, in Arlington, Va., in 1975
This is an aerial view of the five-sided Pentagon building, headquarters of the United States Department of Defense, in Arlington, Va., in 1975 - Sputnik International
A Government Accountability Office report says that a US Department of Defense weapons system could be hacked in one hour and it could take hackers only one day to take full control of the system. It also warned that despite previous warnings, the Pentagon is just beginning to grapple with the scale of its vulnerabilities, dating back to the 1990s.

Sputnik talked about cybersecurity at the Pentagon with Daniel Wagner, the CEO of Country Risk Solutions and author of the book "Virtual Terror."

Sputnik: How surprising or how worrisome would you say the findings of the Government Accountability Office are?

Daniel Wagner: Well in some respects it's completely surprising and in other respects, it's not surprising at all. Cybersecurity has been a priority at the GAO since 1997 and it has been issuing reports ringing the alarm bells since that time, but what is surprising is that an institution like the Department of Defense, the DOD, would be found to be so vulnerable this late in the process.

U.S. President Donald Trump signs a memorandum to security services directing them to defeat the Islamic State in the Oval Office at the White House in Washington, U.S. January 28, 2017 - Sputnik International
Trump's Cybersecurity Directive 'Graded as a Fail' – Security Expert
There are several reasons for this, chief among them, is that an entire generation of systems was built and continue to operate without being oriented toward the current threat of cyber attacks, some of this technology is as old as the 1970s. As hard as it may be to believe, some passwords have never been changed since the manufactures installed them and many of the newer passwords were found to be in the report to be completely inadequate for today's cyber threats.

So the DOD has become overconfident in the cybersecurity protocols, as many parts of the US government and other governments, I should add, have become prior to the 2015 discovery of the hack of the Office of Personnel Management, which was a wakeup call for many parts of the US government. The GAO report is a real blessing I would say, I hope that America's lawmakers and managers throughout the government pay close attention to what is being said.

READ MORE: ‘An Investigation Into Google Has Started Already' — Cybersecurity Specialist

Sputnik: In keeping with what you've said that some of these programs and passwords being from the 1970s, how much money, time and resources can we imagine it would take to update this system to correspond to current cyber risks?

Daniel Wagner: Well, of course, the threat is ongoing and the amount of money and resources is never-ending. I think the real challenge is to be realistic about what is required, any government would say the same thing, any military would say the same thing, most militaries are going to say: "No amount of money is ever enough," but one of the things that concern me is the amount of money that is being thrown at the Department of Defense in the Trump era.

I think they're in danger of getting used to simply having more and more money, they have to be held to account to spend those dollars wisely and to make cyber security the front burner issue that it really deserves to be. It may take hundreds of billions of dollars to get this right, but whatever it takes, it needs to be spent.

READ MORE: GAO's Report Indicates NASA's 'Wide Cybersecurity Risks'

Sputnik: When you hear about this, I'm a layman, I don't know about weapons, I don't know a lot about cybersecurity, but what I hear is that there's a problem with US weapons systems and cybersecurity. Does this mean that the magic button that could send nuclear weapons could somehow be compromised within an hour? Is that what we are talking about?

United States Vice President Mike Pence speaks during the Munich Security Conference in Munich, Germany - Sputnik International
Pence Calls on US Senate to Establish DHS Cybersecurity Agency
Daniel Wagner: It seems rather unlikely but, of course, people like yourself and me, who are not inside the Pentagon can't know the real answer to that question. What I would say is this: here's a simple example, in the post 9/11 era in the United States, every year they have tests of the strength of the Transportation Security Administration — this is the administration that oversees the airports and a lot of travel related issues. Every year, 90-95% of the time, they fail and this is 15 years plus after 9/11.

If that kind attention is being paid to the TSA and the amount of money that is being spent on the TSA, you can imagine the magnitude of the problem for a military and it's not just the military in the US, it could be a military anywhere.

I would say that unless this becomes a front-burner issue unless lawmakers do what they need to do, decision-makers do what they need to do and hold themselves and the employees of these institutions accountable, and produce the adequate protocols to make it meaningful, then it's never going to get right.

READ MORE: Twitter in Disgust as Clinton Compares Russia's Alleged Meddling to 9/11 Attacks

Sputnik: Recently there was a problem with personal data and they had Mark Zuckerberg testify in front of Congress and it was found out then that many of the members of Congress really didn't know much about cybersecurity or the business model. How much do members of government know about cybersecurity and how competent are they in really taking appropriate action? Do they need to create a new organ that will have qualified people that would inform and report?

Cybersecurity - Sputnik International
US Hacking Charges, Sharing Cyberweapons With NATO Inflame Danger of ‘Real War’
Daniel Wagner: This is really all about education at the end of the day. While it is certainly true that many of America's lawmakers and I daresay lawmakers around the world, may not even understand how social media works, they certainly don't understand, most of them, how cybersecurity works. This is a top-down issue that needs to occur in education across the board, on the basics, on things like what is an appropriate password, not only for yourself but for the institutions that you work for.

How often should you be updating your security; how often should you be updating your software? In places like the Pentagon, it should be every hour, the threats are that fast, that evolutionary, that really it needs to be occurring on a totally ongoing basis and I dare say that's not occurring here.

READ MORE: Google, Facebook, and the Manipulation of Society

Sputnik: The Department of Defense has been warned about these vulnerabilities before and it seems that if action was taken, it wasn't sufficient because they still have these vulnerabilities. What do you think is the problem with this is? Is it not being acknowledged or is there just not enough attention, funding, and manpower being put towards a resolution of these vulnerabilities?

Daniel Wagner: Well the Pentagon has been receiving warnings about the state of its cybersecurity from something called the US National Research Council since 1991, but many of these warnings have either been ignored or have not been sufficiently acted upon. Part of the problem here is the interconnectivity between aspects of the DOD‘s operations internally and externally.

It is actually a common problem with many organizations that outsource their operations, they do not or cannot vet the cybersecurity protocols of their vendors, which often leads to a heightened state of vulnerability; the Pentagon has tens of thousands of such vendors, which leaves it highly vulnerable.

Views and opinions expressed in the article are those of Daniel Wagner and do not necessarily reflect those of Sputnik.

To participate in the discussion
log in or register
Заголовок открываемого материала