The Pentagon: Incompetent on Cybersecurity
October 11, 2018
This article originally appeared in the American Conservative on October 9, 2018.
Over the past decade, massive cybersecurity hacks have become yet another thing for America to worry about, especially if the IRS has information on you (read: everyone) or if you have a Social Security number (again read: everyone). Now we’ve learned that the problem starts right at the top. The Department of Defense (DoD) reportedly relied on compromised technology to undergird data centers and relay drone information—and Americans don’t even know how much of their data was exposed.
Despite this major breach, however, top brass at the DoD are suggesting that the Pentagon take on an even more prominent role in America’s cybersecurity. Defense Secretary Mattis recently suggested that, in the future, the DoD may provide cyber services to businesses and individuals. Currently, the Pentagon offers protections for “critical infrastructure” (under a pilot program in the fiscal year 2019 NDAA), which includes election verification and could extend to institutions such as hospitals. But the Pentagon clearly isn’t ready to take on more cyber protection, and any move to do so could jeopardize private-sector efforts. Instead of becoming a business, the Pentagon needs to focus on national defense.
One could be forgiven for thinking that, after the Pentagon relied on compromised technology for years, leadership would eat its humble pie and work to improve situational awareness. This recent episode is not an isolated incident. The Office of the Inspector General (IG), for instance, found that the wireless access points used by the Pentagon to process and transmit sensitive information were not properly accounted for because of miscommunication and a lack of compliance with existing guidance. Without continuous monitoring of access points, a rogue employee could easily wreak havoc with vital Pentagon communications. An additional report citedby the IG noted that the Composite Health Care System and Defense Medical Logistics Standard Support management personnel failed to set up local standards for network security monitoring, assess system risks, and set up appropriate controls.
It is, of course, all too easy to nitpick governmental failures while overlooking private companies’ shortfalls. But according to SecurityScorecard, governments tend to be “bottom performers” in overall cybersecurity, and collectively rank second-to-last in endpoint security.
In fact, the Pentagon scores dead last in federal information technology management rankings. This reveals woeful risk management and technology modernization. It’s all the more inexcusable when the DoD’s budgetary leeway is taken into account. The Pentagon easily has the loosest federal budgetary oversight, readily funneling money in and out of earmarks, slush funds, and classified accounts.
Because of the DoD’s wide reach and treasure trove of resources, it is deeply unsettling to imagine them involved in the private cybersecurity business. Governments determined to compete with private companies may not offer the best resources, but they can easily price competitors out of the market by subsidizing prices with taxpayer money. Consider the nationalized oil companies of many OPEC nations, government-run banks, and subsidized package delivery from the U.S. Postal Service. Expertise and timeliness often suffer from these government forays, but who can argue with dirt-cheap gas and loans? In the case of cybersecurity, however, playing dangerous games with the economy runs the additional risk of undercutting crucial and capable expertise in the private sector.
Perhaps the most feasible option would be the wholesale contracting out of private cybersecurity protection to leading firms in the industry (think Cisco and Symantec). A monopoly or oligopoly of firms would provide Pentagon-subsidized services to a wide swath of American businesses and individuals. Yet this makes about as much sense as if the federal government had decided in the 1960s that it would make sure all Americans had washing machines by underwriting Sears purchases. Had it done that, Sears would still be a market leader today—and washing machines would be of far worse quality. The point is that private businesses have better cybersecurity than their public counterparts because of the threat of competition and losing business in the wake of hacks. Undercutting that through government guarantees will only increase risk, at considerable taxpayer expense. The private sector has been a leader in this field. The Pentagon should leave cybersecurity to the experts outside the Beltway.