Friday, October 12th, 2018: AP News reported that the Pentagon had disclosed a cyber breach exposing over 30,000 travel records containing personal information belonging to US military and civilian personnel. The Government losing our private information is becoming the status quo. It has become acceptable for our Government to be “compliant” instead of protecting our people. Here at ICISI, we hear every day how hard it is to defend against these hackers. It just isn’t true. The US Government is spending billions of dollars on “compliance” models that are not performing. The model is broken, and the results show that it doesn’t work. We are in dire need of a principles-based approach that matures agencies beyond a checklist.
In defense of the agencies being compromised, they have nowhere to turn for performance-based results. There are hundreds of companies that can help, but compliance has gotten in the way of actual performance. The article stated that the breach happened some months ago. Why is the compromise only being discovered now? We believe it comes down to a lack of proper training and broken models for cyber. Our Government must progress beyond compliance if we want to protect our nation’s most critical assets. The US is stuck as a nation and falling behind in the world of cyber.
According to the article, the breach came through the department’s services supply chain: a single commercial vendor created the pathway for the attackers. Our question is simple: “Who vetted the vendor’s systems, processes, and training before allowing it access to critical systems at the Pentagon?” It appears the vendor will take the fall, and the department has taken or will take steps to cease the vendor’s performance under its contracts. Halting work with the vendor is all well and good, but it is US veterans and civil servants who pay the price.
In our experience, most breaches exploit a target’s weaknesses: a lack of training, poor internal practices, and ignorance of the things that matter. Simply put, we are distracted. Cyber compromises like this one drove us to stand up our CCPA program. There is a better way to marry cyber-based principles with real performance objectives to create a safer world. We are bridging the gap between knowing about cyber and becoming the solution to the threat by Democratizing Cybersecurity®.