Pentagon Cybersecurity is Falling Behind

The US military’s cybersecurity capabilities aren’t advancing fast enough to stay ahead of the “onslaught of multipronged” attacks envisioned by adversaries, the Pentagon’s combat testing office is warning.
 
Despite some progress in fending off attacks staged by in-house “Red Teams,” the testing office said “we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries who continue to find new vulnerabilities and techniques to counter fixes.”
 
Automation and artificial intelligence are beginning to “make profound changes to the cyber domain,” a threat that the military hasn’t yet fully grasped how to counter, Robert Behler, the Defense Department’s director of operational test and evaluation, said in his annual assessment of cyber threats, which was obtained by Bloomberg News.
 
The evaluation, part of the testing office’s annual report that may be released as early as this week, comes amid other critical appraisals of the military’s ability to maintain and improve its defense against computer attacks. In an acknowledgment of the potential threat from artificial intelligence, the Army is seeking information about “Autonomous Cyber” capabilities that would use AI and machine learning to defend its networks and protect its own intelligent systems against sophisticated cyberattacks. In other words, the Army wants to pit AI against AI in cyberspace, according to Bloomberg Government analyst Chris Cornillie.
 
Last October, the Government Accountability Office issued a withering assessment, saying the US military had failed to make cybersecurity for its multibillion-dollar weapons systems a major focus until recently, despite years of warnings.
 
“We have not reviewed the latest report” from Behler “but DOD faces significant challenges in securing its weapon systems from cyber threats,” Cristina Chaplain, the GAO director who managed the agency’s report, said in an email. She said “DOD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years,” and program officials “tended to discount the scale and severity of the problem.”
 
Expertise Lacking
Behler’s report reinforces those concerns, saying the Pentagon’s cyber testing is “handicapped by lack of expertise” and tools to assess software-intensive weapons systems. Among the test results cited in the assessment:
 
• The US Air Force found “suggested areas for needed cybersecurity hardening” when it conducted tests last year of initial capabilities for Raytheon Co.’s ground-control network for new GPS III satellites.
• Cybersecurity testing of Lockheed Martin Corp.’s F-35, a flying computer with eight million lines of code, “showed that some of the vulnerabilities identified during earlier testing periods still had not been remedied.”
• Red Teams recently conducted three successful cyber-attacks on the new Defense Department-Department of Veterans Affairs health care records management system known as Genesis that showed it “is not survivable in a cyber-contested environment.”
 
Improved Detection
Analysing four years of after-action reports on cyber exercises, Behler’s office found “defenders demonstrated increasing ability to detect Red Team activity.” But it also said “defenders need to improve speed and accuracy for processing reported incidents.”
 
Red Teams operated by the Army’s Threat Systems Management Office conducted more than 200 penetration events in fiscal 2018. While the mock attackers succeeded in many cases, there were “a growing number of instances where Red Teams needed more time” to achieve their objectives partly thanks to “improved network defenses,” the testing office said.
 
Behler also warned of a crisis in recruiting and retaining qualified Red Team commandos, who attempt damaging penetrations of networks and weapons systems using the tactics of adversaries such as Russia, China, North Korea or Iran.
 
Most Pentagon cybersecurity jobs “are not compensated commensurate with the position’s required time and expertise,” increasing the risk of losing trained personnel to higher-paying private work, according to the report. Behler suggested the Pentagon should provide seed funding for a select group of military service academies, private companies, universities and national laboratories “to grow the DoD’s cyber-security testing workforce and capabilities” while developing automated tools because “hiring more cyber experts will not be enough.”
 
Bloomberg
 