Cyber Security For US Weapons Systems Criticised

US Air Force weapon systems are heavily reliant on complex software and high interconnectivity to perform their missions. Cyber capabilities enable many of the advanced features, such as electronic attack, sensor fusion, and communications, that give the Air Force its edge over potential adversaries, but they also create opportunities for adversaries to counter US advantages through cyber attacks. 

Despite the US Department of Defense's (DOD) efforts to build networked weapon systems heavily dependent on software and information technologies, the military service branches have not all issued clear guidance describing how acquisition officials should incorporate cybersecurity requirements into contracts for these systems.  

Of the four services, the Air Force is the only branch to have issued service-wide guidance for defining and incorporating cybersecurity requirements into contracts, according to a recent Government Accountability Office (GAO) audit report. The report builds on another audit from 2018, when GAO found DOD was in the early stages of understanding how to apply cyber security to weapon systems. 

While DOD has made improvements in this area since 2018, for example by ensuring programs have access to adequate cyber expertise, increasing the use of cyber security assessments, and releasing more guidance, the department is still learning how to contract for cyber security in weapon systems, according to the audit. “Current military service guidance, except for the Air Force, does not address how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification, which DOD and program officials told GAO would be helpful.” 

The GAO did not include the Cybersecurity Maturity Model Certification program, which requires defense contractors to undergo audits by independent third parties overseen by an accreditation body to validate the security of their systems, in this review. The audit was released at the time of the disastrous SolarWinds attack, which affected multiple federal agencies.

The Chair of the House Armed Services Committee, Adam Smith, emphasised the importance of securing information systems and command and control. “We cannot have the single points of failure, we have to be able to protect those systems,” Smith said.  

The GAO reviewed five programs for the audit: a radar, an anti-jammer, a ship, a ground vehicle, and a missile. The focus of the audit was on weapon systems that include platform IT, which the report defined as hardware and software for real-time mission performance of special-purpose systems. The contracts for the programs reviewed either lacked cyber security requirements altogether or stated them unclearly, according to the audit.

Three of the five programs had no cyber security requirements in the contracts whatsoever when they were awarded. 

Even after contracts were modified post-award, some only included generic instruction to comply with DOD policy. “Contractors we spoke to said it is common for requests for proposals to include generic statements regarding cyber security, such as ‘be cyber resilient’ or ‘comply with risk management framework’,” according to the audit. “The contractors said such statements do not provide enough information to determine what the government wants or how to design a system.”

None of the five contracts defined how cyber security requirements would be verified at the time of the award. Officials also said contracts usually focus on the controls programs must have rather than on establishing performance-based requirements geared toward achieving desired outcomes. 

The US Air Force’s System Program Protection and Systems Security Engineering Guidebook, created by the Cyber Resiliency Office for Weapons Systems (CROWS), was the positive highlight of the GAO audit.  

The guidebook consolidates DOD and Air Force guidance into a single, detailed document complete with suggestions for implementation, according to the audit. GAO recommended that the other service branches develop cyber security requirements guidance for acquisition programs similar to the guidebook. DOD concurred with the recommendations for the Army and the Navy and asked for the Marine Corps to be considered under the recommendation for the Navy. 

The US Air Force relies heavily on advanced computer and software systems, so keeping those systems safe is paramount. It is the job of the Air Force's Cyber Systems Operations specialists to design, install and support its systems to ensure they operate properly and remain secure from outside intrusion. 

Sources: US Air Force, RAND, US GAO, US Air Force University, NextGov. Image: Unsplash

