Cyber Security For US Weapons Systems Criticised

Uploaded on 2021-03-22 in TECHNOLOGY--Resilience, GOVERNMENT-Defence, FREE TO VIEW

US Air Force weapon systems are heavily reliant on complex software and high interconnectivity to per- form their missions. Cyber capabilities enable many of the advanced features, such as electronic attack, sensor fusion, and communications that give the Air Force its edge over potential adversaries, but they also create potential opportunities for adversaries to counter US advantages through cyber attacks. 

Despite the US Defense Department’s (DoD) efforts to build networked weapon systems heavily dependent on software and information technologies, the military service branches have not all issued clear guidance describing how acquisition officials should incorporate cybersecurity requirements into contracts for these systems.  

Of the four services, the Air Force is the only branch to have issued service wide guidance for defining and incorporating cybersecurity requirements into contracts, according to a recent Government Accountability Office (GAO) audit report. The report builds on another audit from 2018 when GAO found DOD was in the early stages of understanding how to apply cyber security to weapon systems. 

While DOD has made improvements in this area since 2018, for example, by ensuring programs have access to adequate cyber expertise, increasing the use of cyber security assessments, and releasing more guidance, the agency is still learning how to contract for cyber security in weapon systems, according to the audit. “Current military service guidance, except for the Air Force, does not address how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification, which DOD and program officials told GAO would be helpful.” 

The GAO did not include the Cybersecurity Maturity Model Certification program, which requires defense contractors to undergo audits by independent third parties overseen by an accreditation body to validate the security of their systems, in this review.  The audit was released in a time of the disastrous SolarWinds attack, which affected multiple federal agencies.

The Chair of the House Armed Services Committee, Adam Smith, emphasised the importance of securing information systems and command and control. “We cannot have the single points of failure, we have to be able to protect those systems,” Smith said.  

The GAO reviewed five programs for the audit: a radar, an anti-jammer, a ship, a ground vehicle, and a missile. The focus of the audit was on weapon systems that include platform IT, which the report defined as hardware and software for real-time mission performance of special-purpose systems. The acquisition programs reviewed lacked cyber security requirements, or at least clear cyber security requirements, in contracts, according to the audit.

Three of the five programs had no cyber security requirements in the contracts whatsoever when they were awarded. 

Even after contracts were modified post-award, some only included generic instruction to comply with DOD policy. “Contractors we spoke to said it is common for requests for proposals to include generic statements regarding cyber security, such as ‘be cyber resilient’ or ‘comply with risk management framework' according to the audit. “The contractors said such statements do not provide enough information to determine what the government wants or how to design a system.”

None of the five contracts defined how cyber security requirements would be verified at the time of the award/. Officials also said contracts usually focus on the controls programs must have rather than on establishing performance-based requirements geared toward achieving desired outcomes. 

The US Air Force’s System Program Protection and Systems Security Engineering Guidebook, created by the Cyber Resiliency Office for Weapons Systems, or CROWS, was the posistive highlight spot of the GAO audit.  

The guidebook consolidates DOD and Air Force guidance into a single, detailed document complete with suggestions for implementation, according to the audit.  GAO recommended the other service branches develop cyber security requirements guidance for acquisition programs like the guidebook. DOD concurred with the recommendations for the Army and the Navy and asked the Marine Corps to be considered under the recommendation for the Navy. 

The US Air Force relies heavily on advanced computer and software systems, so it is paramount to keep those systems safe. It's the job of Cyber Systems Operations specialists to design, install and support our systems to ensure they operate properly and remain secure from outside intrusion. 

US AirForce:        RAND:      US GAO:     US Airforce University:       NextGov:      Image: Unsplash

You Might Also Read: 

US Air Force Hacked By Teenager:

 

« Is Blockchain The Future Of SSL Certificates?
British Companies Compromised By Exchange Email Hacking »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

GuidePoint Security

GuidePoint Security

GuidePoint Security provide information security solutions that enable commercial and federal organizations to more successfully achieve their security and business goals.

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center is a not-for-profit organization focused on regional cybersecurity excellence and readiness, with a special emphasis on the maritime community.

Shinobi Cyber

Shinobi Cyber

Shinobi Defense System is an integrated security system that absolutely secures information with smart, automatic encryption and protects your endpoints by stopping any unauthorized actions.

SCADASUDO

SCADASUDO

SCADASUDO is a cyber solution architecture and design office, established by leading experts in the field of OT (Industrial control) and IT (information Technology).

Finnish Accreditation Service (FINAS)

Finnish Accreditation Service (FINAS)

FINAS is the national accreditation body for Finland. The directory of members provides details of organisations offering certification services for ISO 27001.

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling and Data Destruction protect the environment and your data with proven and trusted electronics recycling and data destruction services.

EVOLEO Technologies

EVOLEO Technologies

EVOLEO provides engineering services covering a wide range of needs in the electronics design, embedded and systems engineering.

FutureCon Events

FutureCon Events

FutureCon produces cutting edge events aimed for Senior Level Professionals working in the security community, bringing together the best minds in the industry for a unique cybersecurity event.

Accel

Accel

Accel is a leading venture capital firm that invests in people and their companies from the earliest days through all phases of private company growth. Areas of focus include cybersecurity.

972VC

972VC

972VC was created to help entrepreneurs find potential funding for their startups. Your guide to the Israeli startup funding ecosystem.

Sectra Communications

Sectra Communications

Sectra successfully develops and sells cutting-edge solutions in the expanding niche segments of medical IT and cybersecurity.

Beauceron Security

Beauceron Security

Beauceron's cloud-based platform gives employees a powerful personal cyber-risk coach empowering them to improve their cybersecurity practices and behaviours.

Antares NetlogiX

Antares NetlogiX

Antares Netlogix are a leading Austrian service provider for IT security, critical infrastructures and managed security services.

Gradient Cyber

Gradient Cyber

Gradient Cyber is a trusted cybersecurity partner specializing in small businesses and mid-market enterprises concerned about cybersecurity but lacking the staff to give it the attention it deserves.

Wing Security

Wing Security

Wing fosters a stronger security culture by engaging SaaS end-users and enabling easy communication with security teams.

Cydea

Cydea

Cydea are an optimistic cyber security consultancy of experts in security, data, technology and design that want to build a safer, more secure world where more things go right.