US Army bug hunters in 'state of fear' that sees flaws go unreported
Army academics recommend proper patching, pen tests, and bug bounties
The US Army has gaping holes in its information security infrastructure and operates an environment of vulnerability reporting fear, according to current and former members of the department's cyber wing.
Captain Michael Weigand and Captain Rock Stevens make the comments in an academic piece on the Cyber Defense Review, a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command.
In it they say most of the Army's systems are underpinned by information technology but are exposed by an absence of centralised patch management and full bug remediation oversight, along with a "ban" on penetration testing.
They call for various changes including the introduction of bug bounties.
Vulture South understands similar informal calls for a bug bounty have been made within information security types in Australia's Department of Defence.
The US Army men say internal staff who find vulnerabilities have no incentive to report bugs they find and face no repercussions for keeping silent, which amounts to a "do nothing" culture.
Moreover Defence vulnerability researchers work in an atmosphere "fraught with danger and much trepidation" where disclosure is weighed against risk of "reprisal".
Those risks could include revocation of security clearances, loss of access to IT systems, and "punitive action" under the Uniform Code of Military Justice which they describe as "viable outcomes" for those who "casually stumble" on bugs.
"The most unfortunate outcome is that service members who become aware of vulnerabilities feel helpless to positively affect the situation. Meanwhile, those who wish to do harm to our nation are free from such worries," the duo say. Here's some of their findings:
Additionally, no US Government program exists that permits active security assessments of networks or software solutions using custom tools or techniques. Most importantly, the Army does not have a single entity that tracks discovered issues from initial report through the remediation process to ensure vulnerability resolution in a timely manner.
Most of the Army’s critical systems are underpinned by networked software — from tanks and missile launchers to battle command and communication systems. The Army does not have one central location for responsibly disclosing software vulnerabilities across all of its systems. Without a means to report vulnerabilities in Army software or networks, vulnerabilities go unreported and leave our information systems exposed to adversarial attacks.
They propose platforms to enable service people to report bugs free of risk of retribution, and say penetration tests should be promoted as vulnerability scans are inadequate.
If a bug bounty is too hard, external programs should be sought such as the Zero Day Initiative or Bug Crowd.
Patches should be applied according to strict guidelines and timeframes, with verification made after to ensure systems are protected
Some parts of their proposed Army Vulnerability Response Program could be implemented immediately, while many others would require policy, oversight, and infrastructure changes. ®