DoD report identifies hundreds of security vulnerabilities

Feb. 5, 2014

A new report found more than 400 cybersecurity vulnerabilities across dozens of Defense Department programs, including the Navy’s Consolidated Afloat Networks and Enterprise Services and the DoD Automated Biometric Identification System.

The findings were included in an annual report by DoD’s Office of the Director for Operational Test and Evaluation and released Jan. 29. The office assessed 33 DoD programs in fiscal 2012 and 2013. Half of the 400 security vulnerabilities were identified as category one, meaning they could allow “debilitating compromise” to DoD systems.

As of November 2012, CANES had 29 category one vulnerabilities and 172 less severe vulnerabilities, the report found. It isn’t clear how many of those issues have been resolved, but the report’s most recent recommendations suggest the Navy mitigate outstanding cyber vulnerabilities prior to initial operational test and evaluation.

CANES will replace legacy networks on ships, submarines and shore sites.

“The majority of system vulnerabilities discovered in operational testing over the last two years could and probably should have been identified and resolved prior to these tests,” Director Michael Gilmore said of the 400 vulnerabilities.

“There is general agreement that systems must be assessed for cybersecurity earlier in a system’s development,” Gilmore said in the report, adding that his office is collaborating with the under secretary of defense for acquisition, technology and logistics to revise cybersecurity policy to address the shortfall.

Among the category one vulnerabilities, the most common were out-of-date or unpatched software, configurations that included known code vulnerabilities, and the use of default passwords in fielded systems, the report noted.

Eighty-nine percent of the 400 vulnerabilities could have been found in developmental testing; the remainder required an operational test to uncover.

“Testing over the past several years has indicated the need to move the discovery and resolution of system vulnerabilities earlier in program development, and the revised cybersecurity [test and evaluation] process addresses this need,” Gilmore said in the report.
