
“The Department’s most consequential strategic competitor and the pacing challenge for the Department, the People’s Republic of China, as well as other state-sponsored adversaries and individual malicious actors often breach the Department’s defensive perimeter and roam freely within our information systems.”

This statement from the actual PDF really is telling for how far the DoD has dropped the ball on protection - maybe spend less time fleshing out offensive capabilities and more time on defense of your citizens?



I was reading it and going "Are...are you allowed to publicly admit this?"

It's a wild time, I'm telling you


As an insider, I’ll say it’s a selective reading of the facts on the verge of hyperbole.


That is absolutely not the case.


It is absolutely the case. I worked network defense for Network Warfare Command.

There is literally nobody on earth more qualified than me to make the statement I did.


You’re aware that the DoD is more than just the Navy, yes? Also, the defenders having missed a bunch of intrusions is literally exactly what this report is saying. Sorry to be the one to tell you.


If this is true, why now?


Budget.


I could see that being the case, drumming up the situation so they get more funding to fix the problem. At least I hope that is the case, over the alternative.


What’s the downside? It’s not like they have a customer base whose trust they need to keep.


>maybe spend less time fleshing out offensive capabilities and more time on defense of your citizens

With our budget the two are not mutually exclusive


And they’re often the same. Take cyber “offensive” capabilities for example. Why do those exist? To provide intelligence for defense.


Not really? Cyber threat intelligence is an incredibly overblown industry, remarkably similar to the xkcd about crypto. Offensive capabilities are for Natanz.

Everyone seems to think they need super ninja threat intel to protect them from elite nation state hackers, meanwhile they’re being ransomware’d with metasploit modules from 8 months ago.

Run A/V and patch, that’ll be $1.7 million, thanks.


Nothing in my comment has anything to do with “cyber threat intelligence”. Did you reply to the wrong comment?


> To provide intelligence for defense.

Did you forget what you wrote?


I didn’t forget what I wrote, I just exist in the real world where missiles are a bigger threat than hackers.



They are. The entire purpose of the zero trust push is that it is nearly impossible to completely prevent perimeter breaches, so instead design in such a way that an actor inside your perimeter is not automatically trusted.


You can almost entirely prevent perimeter breaches (from untrusted attacks) by implementing authenticate-before-connect with strong identity incl. closing all inbound ports at source and destination.


> maybe spend less time fleshing out offensive capabilities and more time on defense of your citizens?

What do you mean? The US should invest in cyber defenses instead of fighter jets?


No, it's just that the NSA used to work to make American companies more secure. Now instead they find zero-days to then secretly exploit for as long as possible.

It's gotten so bad that their recommendations for crypto are regarded with a significant degree of skepticism because of a past history of deliberately undermining crypto systems, which is a terrible state of things.


> their recommendations for crypto are regarded with a significant degree of skepticism

Indeed. Once you start talking about magical constants and extremely convoluted math concepts... that's zero trust in my book.

Integer factorization is a grade school concept in most developed nations. The edge cases are far more obvious than with something like ECC, which has entire classes of no-good constants that would require a PhD in math to fully grok.


Prime factorization is one of the great unsolved problems in mathematics and if you can solve it there is a million dollar prize with your name on it. There are all kinds of issues with implementing crypto safely on top of it (google “Fermat factorization”), some related to bad constants. Being well known doesn’t make the math easy.
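The “Fermat factorization” issue mentioned above, as an added example that is not part of the thread: a defender-side key audit that tries Fermat's method on an RSA modulus and flags it when the two primes are close enough to be split in a handful of steps. The demo moduli are constructed from small, hand-checked primes (10007, 10009, 101) purely for illustration; real keys use primes of 1024 bits or more, and the function names are my own.

```python
import math

def fermat_factor(n, max_iter=10_000):
    """Fermat's method: search a >= ceil(sqrt(n)) for a*a - n = b*b,
    then n = (a - b) * (a + b).  Returns (p, q, steps) or None.
    It is cheap only when the two factors are close together; the
    number of steps grows with (p + q)/2 - sqrt(n)."""
    if n % 2 == 0:
        return 2, n // 2, 0
    a = math.isqrt(n)
    if a * a < n:
        a += 1                      # start at ceil(sqrt(n))
    for step in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:             # a^2 - n is a perfect square: done
            return a - b, a + b, step
        a += 1
    return None                     # gave up: factors are not close

def audit_rsa_modulus(n, max_iter=10_000):
    """Defender-side check: flag a modulus whose primes are close enough
    for Fermat's method to split it within max_iter steps."""
    result = fermat_factor(n, max_iter)
    if result is None:
        return {"weak": False, "reason": f"no close factors within {max_iter} steps"}
    p, q, steps = result
    return {"weak": True, "p": p, "q": q, "steps": steps}

# Constructed demo values (not real keys).
WEAK_N = 10007 * 10009   # primes 2 apart: Fermat splits it on the first step
FAR_N = 101 * 10007      # primes far apart: Fermat needs thousands of steps
                         # (tiny numbers, so trial division would still win)

if __name__ == "__main__":
    print(audit_rsa_modulus(WEAK_N))
    print(audit_rsa_modulus(FAR_N, max_iter=1000))
```

Fermat's check is one of several cheap sanity tests a key-generation or certificate-ingestion pipeline can run; it says nothing about moduli whose primes are far apart.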


They do both, but right now the technology makes real defense (when you have real users) pretty much impossible. And not because of the NSA.


They do both, but it has been the case for a while that the NSA prioritizes offense. You can agree with that stance or not, but it is there, criticism on this point goes back at least a decade.

I agree that the security environment is awful, but that doesn't excuse NSA making it worse.


Of course NSA prioritises offense when it provides a vastly greater RoI.


Also, outside of SCIF environments (which do get prioritized), there isn’t a whole lot that is feasible for DOD or other gov’t agencies to do while still using civilian technology or working habits, which they don’t really have an option on right now.

The whole industry and economy needs to be upleveled software wise in a lot of ways for meaningfully better security to be economically possible.

Typically that requires a serious crisis and/or war. Hopefully not the case here.


> provides a vastly greater RoI

Of course it does. Thinking about it in terms of ROI doesn't consider externalities. When the OPM gets hacked, nobody at the NSA worries about their budget.

Reason #7893 "run government like a business" is a self-describing category error.


Everyone uses ROI calculations somewhere (just not necessarily using cash as the return metric) or they are flying blind.

The underlying issue is that large organizations have low trust (some worse than others!), and therefore large organizations tend toward coarse numeric metrics, and game those metrics to look better, which creates even more low trust (and hence backstabbing, empire building, etc.) between divisions.

As a reaction, leadership also tends to err towards coarse, harder to game metrics (like ‘reduce breaches by xx%’) rather than relying on judgement and trust (like ‘ensure we don’t have an unreasonable number of breaches, and work to reduce them in the ecosystem’).

Which of course provides strong incentives for chasing the number by throwing all the babies out with the bathwater, and often making the real problem worse.

It’s a size of the organization problem. Changing metrics/mission will shuffle up the specific babies being thrown out, and what is considered the bath water, but the underlying problem remains.

Solid, consistent leadership makes the problem better. Such leadership tends to be expensive and doesn’t want to deal with the political BS common in Gov’t, at least in the US.


The government does a ton of pure research, including in computer science and security, which is explicitly not about ROI but rather about advancing our understanding of basic science.


Which always has a grant proposal laying out hoped-for results in areas being investigated, at least most of the time, correct?

Someone looks at it and goes ‘yeah, that might pay off’ or round-files it somewhere.

Researchers who never end up finding anything notable also don’t tend to have long careers, correct?


None of that is what I’m talking about, no. I know many researchers who are quite proud of the fact that their research is never going to make money but is super interesting from a scientific perspective.

The crazy amount of skepticism this always draws is simultaneously very funny and very saddening.


That a percentage of total funds is put into stuff like that isn't surprising, to avoid too much hyperfocus on what we know.

What percentage of the overall budget do you think it is?


Former employee, or contractor?


Thankfully no, but I know a few.

If you think tech workers have office BS to complain about, gov’t workers are at least 10x higher on the scale.


Can you please share a source? This isn’t laziness. I know I can search, and I will, but I cannot know what sources _you_ are intending, which provides context.


I did have some things in mind but, to save me a bit of time, are there any particular claims you're looking to source?


Sure, thanks

> No it's just that the NSA used to work to make American companies more secure

1. I'm interested in that history; e.g. how it came about and how it worked.

2. Evidence that this is no longer (or less of) a goal: policy, internal priorities, spending? Congressional testimony, legislation, or guidance? Leaks?


It seems to me that $100B spent by NSA on offensive operations will reap far greater security benefits than spending $100B “to make American companies more (cyber)secure”.

Knowing what your adversaries are up to is invaluable.


Here’s one concern highlighting the value of broad defenses. A targeted software-based attack may trigger supply chain disruptions with significant (even if only short-term) impacts. If combined / coordinated, multi-billion dollar disruption is within reach.



