Earlier this week, Buzzfeed reported that a computer security flaw has left US Army computers vulnerable for at least two years. Today, the US Army confirmed to Buzzfeed that this was in fact the case, and that it has no plans to do anything to fix it.
While the specifics of the flaw haven’t yet been disclosed — for obvious reasons — what it does is alarming. Anyone with access to a shared US Army computer can assume the identity of any other army personnel. That means getting their security clearances. That’s bad. According to Buzzfeed:
In order to log into a shared Army computer you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier’s permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out. But the hack overrides that system during the shut down period.
Repeated attempts by some soldiers to bring the matter to light through normal channels went unheaded; they were told to keep their mouths shut instead. It was only after the Buzzfeed report came to light that it acknowledged there was a problem at all. And that they have no intention of making it better.
That’s right. Instead of patching the flaw, the military is instead going to impress the importance of personal responsibility on its troops. If everyone makes sure they’re fully logged off, the thinking goes, the problem will take care of itself. As anyone who’s ever spent any amount of time around computer systems will tell you, it will not.
It’s an especially large problem given the sort of information that’s at stake. Nearly any soldier with knowledge of the hack — of whom there were reportedly a large number before, which one can imagine is much larger by now — could use it to gain access to the highest clearance levels we have. If that’s not an important national security threat, I’m not sure what is.
The full report on Buzzfeed is well worth a read. It’s also a not-so-gentle reminder that some of our most important vulnerabilities can’t be stopped with Kevlar or missile defence. Especially if we don’t try to patch them at all. [Buzzfeed]
Picture: Getty Images