U.S. Department of Defense: Cybersecurity Laggard?

The U.S. Military isn’t equipped to defend the nation's networks and systems against artificial intelligence and machine learning cyber threats, a new report issued by the Pentagon’s combat testing office warned.

In a move to fight fire with fire, the Defense Department (DoD) is diving into developing on par cyber technology to safeguard the country against increasingly sophisticated attacks, said Robert Behler, the Pentagon’s director of operational test and evaluation, in an annual assessment of cyber threats obtained by Bloomberg News. Still, what’s hindering the Pentagon’s efforts are the same hurdles faced by private industry's efforts to counter cyber attacks: A lack of trained cybersecurity pros and the necessary tools to suss out software-based weapons systems.

Testing results showed that Internal “red teams” were able to rebuff some attacks, the report said, but not at the speed at which bad actors are evolving their tactics and techniques. "We estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries who continue to find new vulnerabilities and techniques to counter fixes," the testing office said.

Top-level findings:

  • The Air Force found “suggested areas for needed cybersecurity hardening” when it conducted tests last year of initial capabilities for Raytheon Co.’s ground-control network for new GPS III satellites.
  • Cybersecurity testing of Lockheed Martin Corp.’s F-35, a flying computer with eight million lines of code, “showed that some of the vulnerabilities identified during earlier testing periods still had not been remedied.”
  • Red Teams recently conducted three successful cyber attacks on the new Defense Department-Department of Veterans Affairs health care records management system known as
  • Genesis that showed it “is not survivable in a cyber-contested environment.”
  • Analyzing four years of after-action reports on cyber exercises, Behler’s office report found “defenders demonstrated increasing ability to detect Red Team activity.” But it also said “defenders need to improve speed and accuracy for processing reported incidents.”

“We have not reviewed the latest report” from Behler “but DOD faces significant challenges in securing its weapon systems from cyber threats,” Cristina Chaplain, the GAO director who managed the agency’s report, said in an email to Bloomberg. “DOD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years,” she said. Program officials “tended to discount the scale and severity of the problem.”

Recent warnings that the Pentagon needed to step up its cybersecurity profile came in an October, 2018 report from the Government Accountability Office (GAO) and last November when the Pentagon’s top weapons buyer said the DoD “failed to make cybersecurity for its multi-billion dollar weapons systems a major focus.”

“Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity,” the GAO's report said. “DOD is still determining how best to address weapon systems cybersecurity.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.