An Experiment Showed that the Military Must Change Its Cybersecurity Approach
Two years ago, two naval operatives decided to attack their network. A year he did not only once or twice during scheduled training, but much more often without notice. Now they are trying to get the rest of the Navy and the Pentagon to do the same.
According to Aaron Weiss, the Navy's Chief Information Officer, in their experiments, automated red teams frequently identified which vulnerabilities were most dangerous, most exploitable for attackers, and had the greatest impact. It has been shown to clarify Or Scott Bischoff, CIO, and command intelligence officer at the Naval Postgraduate School
It's also far more effective than the way the Department of Defense currently handles cybersecurity. Checklist of actions taken, patch implementation, etc
"It's a very compliance-driven mentality, like an audit...and it's wrong," Weis told Defense One. “Cybersecurity is not a compliance issue.
By treating cybersecurity like a checklist, the employee, team, or company responsible for "cybersecurity" did its job at an agreed level of performance, essentially a contractual condition or task. While this is an approach that works well for bureaucracies, it is not the best way to actually secure your network
“We have a … 15 to 20 year track record and the compliance mindset that it doesn’t work, right? Because we continue to be exercised by opponents in cyberspace,” he said. I go
Weiss says the Department of Defense should measure the combat readiness of its network the same way it measures soldiers, sailors, tanks and ships: through the concept of military readiness. Such an approach means prioritizing the biggest problems first and slowly fixing secondary or complex problems
"Tonight we are preparing for battle
We manage our day-to-day readiness and it depends on many things,” he said. "Do we have the right people? Are they trained? Are they qualified or lacking? Do you have gear?
But Weiss had to show that achieving "readiness" in cyberspace was a matter of constant testing and training, rather than filling out compliance forms
He needed a safe place to understand operational readiness without exposing his adversaries to serious trouble or taking critical naval networks offline .”..t.”..s offline.
#experiment #science #machine
No comments: