Two U.S. Army captains are pushing for the Army, the Department of Defense and the federal government to adopt practices currently used by the private sector to help protect sensitive data.
Captains Rock Stevens and Michael Weigand wrote in a paper published in The Cyber Defense Review that the Office of Personnel Management and other government hacks might have been stopped or the impact lessened if the proper procedures were in place.
“Had the U.S. Government implemented lessons learned and best practices from the private sector and utilized a functional “bug bounty” program, it is possible that many of these incidents could have been mitigated or even prevented,” wrote Stevens and Weigand.
The officers suggested the creation of the Army Vulnerability Response Program (AVRP) which would be a repository for all cyber-related issues that impact soldiers in the field or cyber security in general. While AVRP is a new idea, the Army has in place similar programs for reporting possible espionage or terrorist threats.
The duo added that the Army urgently needs to put in place a vulnerability and disclosure program that would allow personnel to quickly and responsibly report findings to a centralized office that could track and fix problems. This would enable the Army to push aside the current atmosphere where service members are unwilling to disclose vulnerabilities they discover over the fear of a career ending reprisal up to and including being charged with a crime under the Uniform Code of Military Justice.
“The Army does not have one central location for responsibly disclosing software vulnerabilities across all of its systems. Without a means to report vulnerabilities in Army software or networks, vulnerabilities go unreported and leave our information systems exposed to adversarial attacks,” the two wrote.
It is commonly accepted within the cybersecurity industry that most breaches are discovered by end.
“You have to utilize the end users. They are the people who notice abnormal behavior first,” said Lee Schulz, deputy operations chief, Department of Home Security, at the recent SC Congress New York event, citing that a staffer at the Office of Personnel Management (OPM) discovered the unusual behavior on the network that led to the breach being uncovered.