The Department of Defense‘s red team hacking units lack proper training and are still not communicating vulnerabilities with the parts of the military they hack, according to a new inspector general report.
The report on the DOD’s red teams — groups of hackers that have permission to use adversarial tactics to find vulnerabilities in DOD’s systems — found that when they do communicate vulnerabilities, there is little oversight to track that they are patched or otherwise remediated.
“Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment,” the report states.
There is also little oversight on the hackers themselves, who lack the needed training and expertise to carry out their jobs. The tests and accreditation process overseen by the National Security Agency “did not effectively assess the skills” of the red teams nor “their ability to perform mission functions and meet training requirements.” The report notes the NSA has accredited 10 teams, but it also recommended the DOD “determine the number of DoD Cyber Red Teams” it needs.
This report is a follow-up from a 2012 report that found many of the same issues with the teams.
The red teams agreed to all of the recommendations laid out by the IG in 2012, but little progress appears to have been made by the DOD, according to Tuesday’s report. One of the problems the IG report faults is the lack of a unified organization overseeing the red teams across the branches of the military and the department.
“Without an enterprise-wide solution to staff, train, and develop tools for DoD Cyber Red Teams and prioritize their missions, DoD Cyber Red Teams have not met current mission requests and will not meet future requests,” the report states.
The report notes that the need for cybersecurity readiness and demand on the red teams will only increase. Nation-states and rogue actors target the DOD’s networks and have recently increased their attacks as the department and services resort to maximum teleworking as the coronavirus spreads.
The report recommends the secretary of Defense assign an organization to oversee red teams and corral all the teams with central oversight. The DOD agreed to 13 other recommendations the IG made.