WASHINGTON — The Defense Department is struggling to apply software patches for known vulnerabilities in a timely way, leaving systems open to hackers, a senior Pentagon official said Wednesday.
Instead of daily network hygiene, problems are being dealt with on an "episodic" basis, said Army Lt. Gen. Mark Bowman, the Joint Staff J6, and director or command, control, communication, computers/cyber, speaking at an industry event.
"When Microsoft or Adobe comes out with a patch, the bad guys are using that stuff too, so they know where the vulnerable areas are," Bowman said. "We have these combatant command readiness checks, and it appears to be an episodic thing, where a whole lot of work goes on when you're getting ready to be inspected."
Though Bowman did not mention a specific incident that linked a security flaw, he said several simple security flaws, easily avoided, have opened the door to breaches.
"We're all reading about breaches in security, and every one that I can think of is related to poor network hygiene, some patch that somebody didn't put in, some weak password that somebody had, some systems administrator that had a simple password that could be hacked," Bowman said. "These are simple things; this is our job."
Bowman outlined several growing pains for the Defense Department's overarching network modernization effort. The Defense Information Systems Agency (DISA) is leading the charge to collapse DoD's sprawling, disparate networks into a more cost-effective, defendable structure known as the Joint Information Enterprise (JIE).
One is immature command and control processes and software for the JIE, called the Joint Management System. The software is critical for running data analytics and evaluating and predicting cyber threats.
Another problem is that territorial disputes are delaying the work of the Joint Task Force-DoD Information Networks, meant to take over the defensive work of US Cyber Command, and efforts to build the network hubs that make up the JIE, called joint regional security stacks (JRSS). The JRSS are a collection of servers, switches and software tools meant to give DoD network operators a clearer view of network traffic.
"There's been a lot of talk about progress, a lot of people are happy with where we are — I'm not," Bowman said. "No matter what we do for our next operation, no matter whether it's humanitarian assistance."
DISA created the task force, and it had reached initial operating capability in January, but Bowman said he was unhappy with the pace of progress, saying, "We're seeing people push back. People think they own their own networks," he said. "They don't own any networks. This is all part of the Department of Defense networks. We need to realize that."
The Air Force is lagging behind the Army in implementing the JRSS at its testing ground, Joint Base San Antonio in Texas, Bowman said. Progress has been slowed by the Air Force's "desire on the part of some to raise the level of control up."
Bowman argued that the JIE had been getting a bad rap for escalating costs, saying unrelated equipment upgrades are being lumped in with the JIE.
"A basic law of accounting is if your debits don't match your credits, your assets' in jail," Bowman quipped.
Staffing delays have also held up the implementation of JRSS, Bowman said. The Army and Air Force have each dedicated 20 people, the Marine Corps has dedicated two and the Navy none.
"That's the long pole in the tent on JRSS," he said. "What we have to do is just get on with it."