Sputnik talked about cybersecurity at the Pentagon with Daniel Wagner, the CEO of Country Risk Solutions and author of the book "Virtual Terror."
Sputnik: How surprising or how worrisome would you say the findings of the Government Accountability Office are?
Daniel Wagner: Well in some respects it's completely surprising and in other respects, it's not surprising at all. Cybersecurity has been a priority at the GAO since 1997 and it has been issuing reports ringing the alarm bells since that time, but what is surprising is that an institution like the Department of Defense, the DOD, would be found to be so vulnerable this late in the process.
So the DOD has become overconfident in the cybersecurity protocols, as many parts of the US government and other governments, I should add, have become prior to the 2015 discovery of the hack of the Office of Personnel Management, which was a wakeup call for many parts of the US government. The GAO report is a real blessing I would say, I hope that America's lawmakers and managers throughout the government pay close attention to what is being said.
Sputnik: In keeping with what you've said that some of these programs and passwords being from the 1970s, how much money, time and resources can we imagine it would take to update this system to correspond to current cyber risks?
Daniel Wagner: Well, of course, the threat is ongoing and the amount of money and resources is never-ending. I think the real challenge is to be realistic about what is required, any government would say the same thing, any military would say the same thing, most militaries are going to say: "No amount of money is ever enough," but one of the things that concern me is the amount of money that is being thrown at the Department of Defense in the Trump era.
I think they're in danger of getting used to simply having more and more money, they have to be held to account to spend those dollars wisely and to make cyber security the front burner issue that it really deserves to be. It may take hundreds of billions of dollars to get this right, but whatever it takes, it needs to be spent.
Sputnik: When you hear about this, I'm a layman, I don't know about weapons, I don't know a lot about cybersecurity, but what I hear is that there's a problem with US weapons systems and cybersecurity. Does this mean that the magic button that could send nuclear weapons could somehow be compromised within an hour? Is that what we are talking about?
If that kind attention is being paid to the TSA and the amount of money that is being spent on the TSA, you can imagine the magnitude of the problem for a military and it's not just the military in the US, it could be a military anywhere.
I would say that unless this becomes a front-burner issue unless lawmakers do what they need to do, decision-makers do what they need to do and hold themselves and the employees of these institutions accountable, and produce the adequate protocols to make it meaningful, then it's never going to get right.
Sputnik: Recently there was a problem with personal data and they had Mark Zuckerberg testify in front of Congress and it was found out then that many of the members of Congress really didn't know much about cybersecurity or the business model. How much do members of government know about cybersecurity and how competent are they in really taking appropriate action? Do they need to create a new organ that will have qualified people that would inform and report?
How often should you be updating your security; how often should you be updating your software? In places like the Pentagon, it should be every hour, the threats are that fast, that evolutionary, that really it needs to be occurring on a totally ongoing basis and I dare say that's not occurring here.
Sputnik: The Department of Defense has been warned about these vulnerabilities before and it seems that if action was taken, it wasn't sufficient because they still have these vulnerabilities. What do you think is the problem with this is? Is it not being acknowledged or is there just not enough attention, funding, and manpower being put towards a resolution of these vulnerabilities?
Daniel Wagner: Well the Pentagon has been receiving warnings about the state of its cybersecurity from something called the US National Research Council since 1991, but many of these warnings have either been ignored or have not been sufficiently acted upon. Part of the problem here is the interconnectivity between aspects of the DOD‘s operations internally and externally.
It is actually a common problem with many organizations that outsource their operations, they do not or cannot vet the cybersecurity protocols of their vendors, which often leads to a heightened state of vulnerability; the Pentagon has tens of thousands of such vendors, which leaves it highly vulnerable.
Views and opinions expressed in the article are those of Daniel Wagner and do not necessarily reflect those of Sputnik.