Earlier this month, Wired’s Danger Room blog covered the computer virus infecting the U.S. drone program (my commentary is here and here). Danger Room continues to cover what, to me, is increasingly looking like a cover-up of sloppy cyber security and its consequences.
Danger Room reported here that officials at Creech Air Force Base in Nevada knew they were infected, but they kept quiet. Those responsible for the Air Force’s cyber security (the 24th Air Force) learned of the infection two weeks later when Danger Room published its story.
Danger Room went on to describe the unfortunate cyber security situation within the Air Force and the U.S. military as a whole. The 24th Air Force (located in San Antonio) does not have a centralized system to manage the Air Force’s networks. The major commands do not have formal agreements for carrying each other’s network traffic. I assume such agreements are reached informally? The network systems and hardware are not standardized. Each base and each unit has its own version of a “geek squad.” Although there is a plan to formalize the Air Force’s network infrastructure, no real action has taken place. As a result, the Air Force’s cyber security is largely run on the “honor system.”
Looking at the U.S. military as a whole, each of the four branches has a dedicated cyber security unit responsible for protecting against cyber threats. These units are supposed to send personnel and information to the U.S. Cyber Command, which oversees the entire military’s network defense. One can only guess at the state of the other branches’ security and that of the military as a whole.
Yesterday, Danger Room reported that the Air Force was changing its story slightly. Despite other reports, the Air Force insists the virus has been contained, that the 24th Air Force knew of the infection right away, and that it was never more than a “nuisance.” Air Force officials did clarify that the virus was not a keylogger, but “‘a credential stealer,’ transmitted by portable hard drives.” The Associated Press commented that this sort of malware “is routinely used to steal log-in and password data from people who gamble or play games like Mafia Wars online.” Air Force officials did not respond to this comment.
Looking at the two Danger Room stories together, I cannot help but reach a few conclusions. First, the Air Force’s cyber security is in need of dramatic improvement. Second, in an organization as large as the Air Force, there will undoubtedly be people who take advantage of an “honor system,” perhaps by playing online games while on the job. Third, the Air Force, likely to experience budget cuts in the very near future, knows that now is not the time to look bad. Fourth, and finally, I assume, therefore, the Air Force is trying to nip this story in the bud because if the Air Force can’t be responsible with its toys, Congress is not likely to give them a check for new ones.
What do you think of this story? What conclusions are you drawing?