"almost every major US weapons system contained vulnerabilities"
Almost?
So there's one that doesn't contain vulnerabilities?
That's a win, then!
Which one is it? Oh, it's the coffee planner. Oh well.
US Defence bureaucrats are bashing numbers into a database in a bid to develop what the agency hopes will become an automated security scorecard, assessing vulnerability exposure across the country's networks and weapons systems. The scorecard is at present a manual effort to help identify vulnerabilities and propose the means …
DoD instituted encryption of data at rest after the cyberattack debacle of 2008. By late 2009, encryption was ordered and instituted for all portable systems and media.
That said, it's easier to get the data from a running system, after an idiot downloads something cool in the e-mail or goes to a compromised watering hole.
The 2008 cyberattack was initiated by a few USB flash drives scattered in a parking lot; the idiots who configured the systems didn't follow the DoD baseline that disabled autorun and didn't bother with antivirus scan on insert.
But, my installation didn't have that problem, as I had fought major battles to get onto the authorized DoD baseline configuration and I configured antivirus to be paranoid about what got plugged in. We still had detections from one unit coming back from an infected AOR, but detection and deletion occurred and we had the machine wiped and baselined on principle.
The idiots were lauded as heroes for working thousands of hours of contract overtime, whereas I was the villain for not being an idiot like them.
What can one say other than, idiots prevail only in government. Businesses taking that kind of loss sack the idiots.
Retaining the idiots in management.
Oh, after the DoD emptied out every US and European system administrator, plus the NSA of system administrators to clean up the mess to the tune of one billion dollars, within a month, the infection returned via the same vector - the infected drives that the idiots never scanned and cleaned.
The second wave cleanup costs remain classified.
But, the contracting vendor made a fortune cleaning up the mess that its workers created - twice.
A central database accessed by 6200 people in 133 locations. It's just a boring database with a load of miscellaneous administrative data that is of no interest to anyone but us chickens. Anybody see anything that could go wrong with that?
No? Thought not. It'll be fine.
It'd be either on JWICS, an independent network that holds top secret and sensitive compartmentalized information, or on SIPRnet, an independent network that holds confidential and secret information.
Most of the information on JWICS is the stuff that would start WWIII, or more commonly, excruciatingly boring information about really mundane things discovered by classified things, how nation-sponsored APT malware works, who shot JR and similar boring crap. Well, that and how to build a thermonuclear weapon, if you have access to that specialized, segregated part of the network.
SIPRnet has the more interesting things, which nation did what, how and why that would cause trouble if it was openly disclosed, who sponsored which APT, *every* intelligence hit on where Osama bin Laden was thought to be, Apache gunship gunsight videos, a few SAS, US SF, US SEAL team, US Ranger team missions (the really interesting ones are on JWICS, the rest on SIPR), embarrassing things, such as what diplomats actually think of their foreign peers, etc.