The U.S. Defense Department (DoD) has reportedly suspended a $2 billion project to consolidate network security across hundreds of U.S. and global systems for repeatedly failing tests to protect classified material, a new Pentagon report said.
In test results conducted over the last four years, the "joint cyber war fighting" framework, known as the Joint Regional Security Stack (JRSS), has shown an inability to “help network defenders protect DoD components networks” against hackers, Robert Behler, the Pentagon’s Operational Test and Evaluation director, wrote in a report, Bloomberg reported. A classified February 2020 evaluation of the program “resulted in poor cybersecurity findings that contributed to” the decision not to extend it to classified systems, Behler said in the report. Installation of the JRSS to classified systems is now slated for 2023.
The JRSS security platform features network security capabilities, firewall protections, intrusion detection and prevention, enterprise management, and virtual routing and forwarding. It is still authorized to secure non-classified material. According to Bloomberg, a classified February 2020 report that called out the system’s cybersecurity failings prompted the DoD to freeze the project and cut funding until it was operationally secure.
The review was written before the massive malware attack on at least 10 U.S. government facilities allegedly masterminded by Russian-backed operatives who hijacked SolarWinds management software. At this point, the DoD has said none of its data was pilfered nor systems compromised in the attack.
According to a white paper produced by NetCentrics, a Herndon, Virginia-based government contractor and managed security service provider, installation has been undertaken at 10 of the 11 planned JRSS sites within the continental U.S. and 14 sites outside the continental U.S. All DoD components, including firewalls, routers and switches, were mandated to migrate to the JRSS by the end of FY19 to establish a system of continuous monitoring and substantially reduce risk. Full implementation is at least a year in arrears.
A recent audit of the DOD's by the General Accountability Office (GAO) found the agency's cyber hygiene lacking. The Pentagon hadn't fully enact three key initiatives and failed to execute a number of suggested tasks to improve its overall security profile, the watchdog said in the review conducted from January, 2019 to April, 2020. “DOD has become increasingly reliant on information technology and risks have increased as cybersecurity threats evolve,” the GAO wrote.