
US Army bug hunters in 'state of fear' that sees flaws go unreported

Army academics recommend proper patching, pen tests, and bug bounties

The US Army has gaping holes in its information security infrastructure and operates an environment of vulnerability reporting fear, according to current and former members of the department's cyber wing.

Captain Michael Weigand and Captain Rock Stevens make the comments in an academic piece in the Cyber Defense Review, a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command.

In it they say most of the Army's systems are underpinned by information technology but are exposed by an absence of centralised patch management and full bug remediation oversight, along with a "ban" on penetration testing.

They call for various changes including the introduction of bug bounties.

Vulture South understands similar informal calls for a bug bounty have been made by information security types within Australia's Department of Defence.

The two officers say internal staff who find vulnerabilities have no incentive to report them and face no repercussions for keeping silent, which amounts to a "do nothing" culture.

Moreover, Defence vulnerability researchers work in an atmosphere "fraught with danger and much trepidation" where disclosure is weighed against the risk of "reprisal".

Those risks could include revocation of security clearances, loss of access to IT systems, and "punitive action" under the Uniform Code of Military Justice which they describe as "viable outcomes" for those who "casually stumble" on bugs.

"The most unfortunate outcome is that service members who become aware of vulnerabilities feel helpless to positively affect the situation. Meanwhile, those who wish to do harm to our nation are free from such worries," the duo say. Here are some of their findings:

Additionally, no US Government program exists that permits active security assessments of networks or software solutions using custom tools or techniques. Most importantly, the Army does not have a single entity that tracks discovered issues from initial report through the remediation process to ensure vulnerability resolution in a timely manner.

Most of the Army’s critical systems are underpinned by networked software — from tanks and missile launchers to battle command and communication systems. The Army does not have one central location for responsibly disclosing software vulnerabilities across all of its systems. Without a means to report vulnerabilities in Army software or networks, vulnerabilities go unreported and leave our information systems exposed to adversarial attacks.

They propose platforms to enable service people to report bugs free of the risk of retribution, and say penetration tests should be promoted because vulnerability scans alone are inadequate.

If a bug bounty is too hard, external programs should be sought, such as the Zero Day Initiative or Bugcrowd.

Patches should be applied according to strict guidelines and timeframes, with verification afterwards to ensure systems are protected.

Some parts of their proposed Army Vulnerability Response Program could be implemented immediately, while many others would require policy, oversight, and infrastructure changes. ®
