Security Audit Weaknesses Offer a Silver Lining

Very disappointing, some might even say demoralizing, security findings were made public this week in a U.S. Government Accountability Office (GAO) report on the cybersecurity of the Defense Department’s newest weapon systems.

Why was this audit report created, and what was the scope? According to the report highlights:

“DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.

GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems’ cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems.

To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices. …”

While the GAO did not make any recommendations at this time, the results of this study are quite alarming. Put more bluntly, the usual arguments that cybersecurity spending needs a demonstrated “return on investment,” or that “more justification is needed” before stronger action is taken, go out the window once this eye-opening report is read in detail.

Media coverage of the GAO report was widespread and (not surprisingly) harsh.

National Public Radio (NPR) offered major coverage starting with the headline, “Cyber Tests Showed ‘Nearly All’ New Pentagon Weapons Vulnerable To Attack, GAO Says.”

Here’s an excerpt: “Passwords that took seconds to guess, or were never changed from their …

This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity, authored by Lohrmann on Cybersecurity.