The DoD report doesn’t get into it. It repeatedly references “a US state’s Army National Guard network”, which is probably not the same network as the US Army’s network. It’s also likely to be an Unclassified network; so, it’s not quite as bad as it could be. But also not great.
The US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars.
While some of it is on Microsoft’s and other cloud providers, there is also a lot which isn’t. On top of that, much of the stuff “in the cloud” is all IaaS or PaaS. So, while MS et al. run the hardware, the operating systems and software are often run by the IT departments for the various branches and programs. These IT departments will be some mix of US civilian state or federal employees and then a lot of IT contractors. Generally, the people doing the actual IT work are contractors working for companies like Boeing or Booz Allen Hamilton.
I’d like to know which sloppy cloud contractor is responsible.
If you want to find the people responsible, find the managers who have programs on the “state’s Army National Guard network” (as the report puts it) and figure out which one of them either authorized some sort of “shadow IT” project, or just threw a hissy fit every time the IT folks tried to roll out patches. That’s often how these things go. The report mentions multiple CVEs which were exploited, and I’d place a pretty large bet that they were unpatched in the environment because some manager whined loud enough to get his assets exempted from patching. All too often these types of vulnerabilities hang out there far too long because some department wants high availability on their stuff, but isn’t willing to pay for high availability. So, they bitch and moan that they should be exempt from regular patching. And upper management isn’t willing to back IT and say, “No, you aren’t special, you get patched like everyone else.”
Guard? Yeah that shit doesn’t even stay powered on for more than like a week a month lol