The Defense Department is at a “high risk” of “compromise, exploitation and disruption” from cyberattacks, the Pentagon’s chief weapons tester wrote in his annual report to Congress on Monday.
While improvements had been observed over the previous year, Operational Test and Evaluation Director Michael Gilmore wrote, there were “many cases” in which “catastrophic kinetic impacts could be enabled” in the event of cyberattacks on the Defense Department.
“Observed improvements include enhanced protection of some network elements, greater challenges for cyber-opposing forces attempting to gain access to networks and greater awareness by DOD leadership of the potential impact that cyberattacks could have on key systems and the critical missions they support,” the report stated.
Nonetheless, the report found opposing forces were “frequently” in a position “to deliver cybereffects that could degrade the performance of operational missions.”
That was largely the result of common vulnerabilities, including exposed user credentials, a failure to patch systems at the appropriate time, a failure to use known standards for configuring systems and relationships with contractors that failed to include security safeguards.
The report additionally found a need to procure more talented “red team” operators, who pose as bad guys to get into systems and are responsible for the kind of assessments that DOT&E conducts. Bureaucratic hiring processes and low pay have resulted in those operators increasingly opting for jobs in the private sector.
“The private sector has hired away members of Red Teams, resulting in staffing shortfalls during a time when demand is likely to continue to increase,” the report states. “This trend must be reversed if the DoD is to retain the ability to effectively train and assess DoD systems and service members against realistic cyberthreats.”
In the meantime, the report suggests adopting a policy used by Microsoft called “Assume Breach,” or the assumption that systems are always compromised. The implication is that cybersecurity operators should always be working to discover a breach and implement a response plan.
In addition to Defense Department cybersecurity, the report expands on an earlier criticism Gilmore had of the F-35 program. Software in the fighter jet has been found to be flawed, a problem that may take years to resolve. However, the final version of the aircraft is set to be delivered to the Marine Corps and Air Force this year, and the Pentagon is seeking congressional approval to buy additional units over a three-year period, from 2018-20.
Related Story: http://www.washingtonexaminer.com/article/2576841
“Is it prudent to further increase substantially the number of aircraft bought that may need modifications to reach full combat capability and service life?” Gilmore questions. He adds that the jet has a “substantial list of deficiencies” that will “only lengthen” as it comes into service.
