US Government Accountability Office (GAO) published a report finding critical vulnerabilities in the US military security systems. The report found that a “red teamer” was able to crack into the US Department of Defense system and reboot it, cause popups to appear and – perhaps more dangerously – find serious security holes in the nine weapons systems programs it tested.
Sherban Naum, SVP, Corporate Strategy and Technology at Bromium:
“The US government has a massive budget for defense spending, yet that isn’t reflected in security provisions implementing trust decisions in real time, a must for weapons systems, communications infrastructure and related supply chain needs. If the government doesn’t make cybersecurity a priority from the offset, this leaves critical architectural vulnerabilities that need to be addressed immediately. If the Government Accountability Office is raising the issue, then nation states and cybercriminals know of them already, leveraging yet to be known net-new vulnerabilities. It’s important the Department of Defense implement layered dynamic defenses at the beginning, building in security protocols and protections as the government systems are being operated, allowing to modulate trust in real time, staying ahead of aggressors and adversaries.
“A vulnerability being exposed at the federal level is so much costlier than at the enterprise level. We can replace credit card records or restore customer loyalty. We can’t undo a rival nation state potentially roaming undetected inside weapons systems because there were insufficient security investments in modular, run-time security. This reflects the core challenge of legacy systems being built with Trust Decisions at Buy Time, rather than a modern approach of Trust at Run Time. Systems were designed, built and operated based on architectural and technical limitation decisions years ago, and as such, trust was decided upon contract award. A modern architecture must reflect the ability to make trust decisions at the time processes are executed, limiting trust to fine grained execution at run time, built upon a dynamic root of trust rather than static. Software defined hardware is not a new concept, yet systems were hard coded with a limited ability to adjust to real time threats. It’s time for the federal government to make cybersecurity a national priority, and ensure it is treated as such during the development of systems outlined in the GAO report.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.