Capt. Sarah Miller and Tech. Sgt. Carrol Brewster, 834th Cyber Operations Squadron, discuss options in response to a staged cyber attack during filming of a scene for an Air Force Reserve Command mission video at Joint Base San Antonio-Lackland, Texas, on June 1, 2019. (U.S. Air Force Photo by Maj. Christopher Vasquez)

WASHINGTON: A lack of operationally-realistic threat testing and inadequately resourced program offices are the root causes of many cybersecurity problems that put the Defense Department’s critical missions at risk, according to the latest report from the Pentagon’s testing and evaluation body.

In the new report, published Thursday, the Pentagon’s Director of Operational Test and Evaluation (DOT&E) states that DoD should refocus its cybersecurity efforts on its cyber defender personnel, rather than primarily on the technology associated with cyber tools, networks and systems, and train those personnel to face off against more real threats earlier in the process.

For now, cybersecurity “Red Teams” are stretched too thin and the ones that do test military systems are doing it with one hand tied behind their back compared to what actual adversaries would do, the report said.

“The most frequent gaps included insufficient time on network for cyber aggressors, limited toolsets, deficiencies in [tactics, techniques and procedures], unrealistic rules of engagement, and lack of end-to-end planning for a coherent cyber threat campaign,” the DOT&E report said of the Pentagon’s ability to “emulate” advanced threat attacks.

The report noted that cybersecurity issues were the most common problem with the “survivability” of all the programs DOT&E evaluated. Issues included challenges with operating in a contested electronic warfare environment and threats unique to system designs, among other concerns.

“Cybersecurity must be built into system design, and the human defender should be included early on in cyber defense engineering and programmatic priorities for both system usability and training,” according to the report. “Cyber defenders can and should include mission defense teams, system users, response-action teams, commanders, and network operators, all of whom should be trained and equipped to fight through cyberattacks to complete critical missions.”

Current acquisition practices make it impossible to fund dedicated program offices that could help ensure the effectiveness of cyber technologies and ensure that cyber operators receive training commensurate with that of kinetic warfare operators, the report said.

“In order to improve its cybersecurity posture and avoid costly cybersecurity technology failures, which DOT&E too-often encounters during our cyber assessments, the DOD must ensure that cybersecurity technology development is always conducted by well-resourced program offices; this should include cyber engineering expertise and cyber defense expertise of the highest caliber,” according to the report.

DOT&E in FY21 resourced its own cyber Red Teams to conduct 45 assessments of operational networks and missions and found inadequate training of cyber personnel and insufficient test planning.

With DoD missions at risk, the report states warfighter exercises should place increased emphasis on training in contested cyber environments. DOT&E is engaging with the Joint Staff to include realistic “cyber stresses” in major training exercises.

“DOD Red Teams, however, are stretched thin by high demand, and do not have the resources or personnel needed to routinely emulate sophisticated near-peer attacks,” according to the report. “The cyber Red Teams need additional resources, as well as automation capabilities, to ease their workload. DOT&E will continue to urge the DOD to address critical Red Team capability gaps to improve [combatant command] assessments and cyber operational testing.”

The assessment also found DoD’s cyber concerns increasingly mirror those in the commercial sector due to increasing reliance on commercial products and infrastructure, especially with cloud services. The report recommends the Pentagon renegotiate contracts with commercial cloud providers and establish requirements for future contracts.

“The DOD increasingly uses commercial cloud services to store highly sensitive, classified data, but current contracts with cloud vendors do not allow the DOD to independently assess the security of cloud infrastructure owned by the commercial vendor, preventing the DOD from fully assessing the security of commercial clouds. Current and future contracts must provide for threat-realistic, independent security assessments by the DOD of commercial clouds, to ensure critical data is protected.”

The Pentagon’s Defense Innovation Unit recently announced several awards made in FY21 to the commercial sector for cyber-focused projects, including a cyber deception prototype that warns against adversarial activities, a cyber asset inventory system and a commercial threat data prototype for US Cyber Command.

AI/ML Complicate Matters

Advances in artificial intelligence and machine learning will likely add to cybersecurity challenges in the future.

DOT&E led a team of cyber analysts at the request of the DoD chief information officer to develop machine learning tools and tactics, techniques and procedures for an analysis of DoD network traffic data. The results were briefed to the DoD CIO, the office of the defense secretary and mission partners, the report states.

The Pentagon in FY22 is deploying teams of AI and data experts to all 11 Combatant Commands as part of its AI and Data Acceleration initiative. DOT&E in its report stated it would work with those teams to identify opportunities to assess the cybersecurity of technologies in addition to the assessments it already performs with the Combatant Commands.

As part of DoD’s broader efforts focused on how the department manages and secures its data as it develops AI algorithms, the Pentagon announced in December the creation of a new chief digital and AI officer. The move was first reported by Breaking Defense in late November.

Under the reorganization, the Defense Digital Service, Joint Artificial Intelligence Center and the Chief Data Officer will all report to the CDAO, who will report to Deputy Secretary of Defense Kathleen Hicks.

The office is slated to be stood up Feb. 1 with full operating capacity by June 1.