The Problem, In Plain English

The U.S. Army spent years building what it calls a unified network — one architecture connecting battlefield communications with back-office enterprise IT, replacing the old siloed system that kept those two worlds separate.

Good idea in theory. In practice, it created one very large, very connected target.

"The threat now is a different spot. These new AI capabilities are lowering the barrier of entry and exposing more of our attack surface," said David Markowitz, the Army's deputy chief information officer and chief data and analytics officer, speaking at the TechNet Cyber conference in Baltimore, according to Breaking Defense.

The same AI tools being used to modernize the military are also being handed to adversaries — and those adversaries don't need to be nation-state geniuses anymore. They just need a decent AI model and a network with holes.

One Architecture, One Giant Attack Surface

Before 2021, the Army kept its enterprise IT and its battlefield systems in separate silos. Not elegant, but contained. A breach in one didn't automatically mean a breach in the other.

Now everything lives under one roof. According to Breaking Defense, Markowitz acknowledged the service must "rapidly understand where those attacks may be coming in and be able to ingest the threat and act faster than any adversary."

Faster than any adversary. That's the goal. The problem is they're not there yet — and Markowitz said so himself.

The Supply Chain Problem No One Wants to Talk About

DoD Chief Information Officer Kirsten Davies made an important point at the conference — and it's the one getting the least attention from mainstream coverage.

Small contractors. The ones making widgets, writing firmware, supplying spare parts. Their networks are connected to the Pentagon's. And most of them are not secure.

"A compromise at a small supplier can jeopardize a warfighter making a real time decision," Davies said at TechNet Cyber, according to Breaking Defense. "That should make us all very uncomfortable."

She's right. And the fact that this is still being said out loud in 2026 — as a thing that needs to be emphasized — tells you the problem hasn't been solved.

The Pentagon rolled out its Cybersecurity Maturity Model Certification (CMMC) program back in 2019 specifically to force defense contractors to meet baseline cybersecurity standards. It has undergone multiple changes since then. Davies told reporters last week she'd have more to say about CMMC "at a later time." That's not reassuring.

Compliance Theater vs. Actual Security

Davies delivered a line every government IT bureaucrat needs to hear:

"Compliance does not equal security."

According to Breaking Defense, she said it directly. Checking boxes on a certification form doesn't stop a Chinese state-sponsored hacker using AI to probe your network at machine speed.

The security community has said this for decades. What's new is the speed of the threat. According to Leidos Senior Vice President Paul Welch, speaking to Breaking Defense, AI-enabled adversaries are now exploiting vulnerabilities at a pace that makes legacy reactive defense obsolete.

Leidos VP Josh Salmanson put it plainly: too many critical systems are fragile because mission demands are continuous, leaving no time to pay down technical debt. When a patch finally comes, it's sometimes rushed — and a rushed patch in a complex environment can break other mission-critical functions.

This is the trap. Patch fast, risk breaking something. Patch slow, get exploited. Neither option is good.

The AI Arms Race Is Already Here

According to Gartner, cited by Fortinet, over 60% of organizations will rely on AI-augmented cybersecurity platforms by 2026 — up from less than 20% in 2023. That's a sharp curve on both offense and defense.

According to Syracuse University's iSchool, the generative AI cybersecurity market is expected to grow nearly tenfold between 2024 and 2034. Adversaries — criminal and state-sponsored alike — are riding that same curve.

CISA has published guidance documents on AI security, including frameworks for agentic AI, operational technology integration, and AI red teaming. The guidance exists. Whether the thousands of small defense contractors are actually implementing it is a different question entirely.

What Mainstream Coverage Is Missing

Most outlets covering this story are treating it as a technology story. It's a management and accountability story.

The Army has known about these vulnerabilities since it launched the unified network concept. The CMMC program is seven years old and still not fully enforced. Davies is calling for "operational resilience" but won't say specifically what's changing in her office in the coming months.

Markowitz identified the real obstacle: culture. Getting military and government IT personnel out of a checklist mentality and into an operational, threat-response mindset. That's a bureaucracy problem. And bureaucracies don't move at AI speed.

What This Means for Taxpayers and Warfighters

Regular Americans fund this military to the tune of hundreds of billions per year. If a small contractor's insecure network can compromise a warfighter's real-time decision-making — as the DoD's own CIO just admitted — then every dollar spent on advanced weapons systems is potentially undermined by the cheapest link in the chain.

The Pentagon keeps announcing paradigm shifts in cybersecurity. Davies used those exact words. But until CMMC has teeth, until the compliance-vs-security gap closes, and until the Army's unified network can detect and respond to AI-driven threats at machine speed — the gaps are real, the adversaries know it, and the admissions are coming from the Pentagon's own officials.