In a June 4 report by the Department of Defense Inspector General (IG), the independent watchdog agency found that the Joint Regional Security Stacks (JRSS) program wasn’t adequately protecting US networks in the Joint Information Environment (JIE).
JIE is basically a command, control, communications and computing hub operated by the DoD’s Defense Information Systems Agency (DISA). Most US commands have at least one hub, including Northern, European, Pacific and Central commands, according to a November 2018 information document by the agency.
Overall, the report found that the JRSS was “achieving the expected outcomes” of limiting access points, having already reduced them by 2,700. However, it’s falling short in other areas. Unfortunately, two specific outcomes JRSS is intended to meet are redacted in the report released to the public.
“The JRSS is not meeting other JIE outcomes because DoD officials did not ensure that all JRSS tools met users’ needs and that JRSS operators were trained prior to JRSS deployment,” according to the report. “In addition, although the JRSS was estimated to cost over $520 million, DoD officials considered the JRSS to be a technology refresh and, therefore, not subject to DoD Instruction 5000.02 requirements.”
“Had DoD Instruction 5000.02 requirements been applied, the JRSS would qualify as a major automated information system acquisition because it is projected to cost $1.7 billion more than the $520 million threshold, and DoD officials would have been required to develop formal capability requirements, an approved test and evaluation master plan, and a training plan for operators during the development of the JRSS.”
In other words, because of how the Pentagon categorizes the JRSS program, it doesn’t receive the same kind of oversight as programs whose funding is authorized in a more typical way. That process requires the Pentagon to provide a program plan that’s been proven to be the most cost-effective way of achieving its goals, and to provide Congress with regular progress reports.
The penalty suffered by US forces for this continued protection gap could be severe, the audit notes.
“The JRSS is the most critical near‑term element of the DoD’s JIE. Therefore, if the JRSS is not operationally effective, secure, and sustainable, the DoD may not achieve the JIE vision, which includes achieving greater security on the (DoD Information Network). In addition, without adequate security safeguards for the JRSS, weaknesses identified in this report could prevent network defenders from obtaining the information necessary to make timely decisions, and could lead to unauthorized access to the DoDIN and the destruction, manipulation, or compromise of DoD data.”
This is far from the first time the DoD has been called out for failing to plug its cyber vulnerabilities. Sputnik reported in January on the major weaknesses in Pentagon cybersecurity, citing the Defense Department’s director of operational test and evaluation (DOT&E) and the DoD IG.
“DoD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years,” and program officials “tended to discount the scale and severity of the problem,” Government Accountability Office Director Cristina Chaplain told Bloomberg at the time.
In one shocking instance, the Air Force failed to follow previous recommendations to change the passwords on the computer on its F-35 Joint Strike Fighters, which Pentagon hackers cracked in just nine seconds.
The same report noted cybersecurity weaknesses in the Army’s Stryker armored vehicles, which are slated to become the bread-and-butter vehicle for US rifle and scout forces in Europe.
Likewise, US Cyber Command chief Gen. Paul Nakasone, who also heads the US National Security Agency (NSA), told the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities in March that CYBERCOM would be taking full advantage of its 10% funding boost this year to plug cybersecurity vulnerabilities as well as sharpen the US’ ability to strike back following a cyberattack.