A new Pentagon report on the Defense Department’s major systems includes some worrying assessments of DoD’s overall cybersecurity posture: A troubling proportion of its IT systems appears to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone’s worried about.
The annual report from the Office of Operational Test and Evaluation is most known for its summarized assessments on the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s overall defensive positioning.
For obvious reasons, the unclassified report tends not to spell out specific cyber weaknesses in specific systems, but the office’s assessment teams found “significant vulnerabilities” on nearly every major acquisition system that went through operational testing and evaluation in 2014, including many problems that could and should have been found and fixed earlier in the acquisition cycle.
“Nearly all the vulnerabilities were discoverable with novice- and intermediate-level cyber threat techniques,” the authors wrote. “The cyber assessment teams did not need to apply advanced cyber threat capabilities during operational testing.”
Likewise, following the 16 cybersecurity exercises it observed in 2014, in which DoD “red teams” tried to penetrate the defenses of combatant command and military service networks, the OT&E assessors concluded that “many DoD missions are currently at risk from cyber adversaries” with only low-to-mid-level cyber expertise. The department, they wrote, cannot consistently show that its critical missions could be kept safe from an advanced attacker.
“The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DoD networks, and could be in a position to degrade important DoD missions when and if they chose to,” according to the report. “It is therefore critical that DoD network defenders, and operators of systems residing on DoD networks, learn to ‘fight through’ attacks, just as they are trained to fight through more conventional, kinetic attacks.”
The authors noted special concern for that “fight through” capability. In just over half the assessments, the military’s network defenders mounted a response intended to expel the attackers from their networks. But that response was often too slow: a mid-level or advanced attacker had typically established a foothold elsewhere in the system at hand before the response took effect.
Auditors also found it worrisome that the defenders’ response to seeing adversaries on their networks was often to reboot affected machines or reinstall software they believed was infected. Those steps may interrupt an ongoing attack, but they take the affected system offline and do nothing about a password the attacker has already stolen, so they are not particularly helpful if the objective is to keep mission-critical systems up and running.
The assessors were impressed with at least one of the DoD exercises. In one, called Turbo Challenge 14, U.S. Transportation Command successfully blocked an attack by an intermediate-level group of simulated attackers through a combination of quick response, hardened server infrastructure, ongoing automatic review of server logs, and strong password policies.
But that “infrequent success” was the exception and not the rule in 2014, according to OT&E. Elsewhere, red teams “routinely” burrowed deep into networks using stolen passwords. The most common points of entry were vulnerable websites and phishing attacks.
“The asymmetric nature of cyber operations allows even a single default or weak password to lead to rapid access and exploitation of the network,” the report said. “This is particularly true when the password belongs to an individual with elevated privileges. FY14 assessments revealed numerous violations of DoD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both.”
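The Turbo Challenge example above credits ongoing, automatic review of server logs, and the report’s own finding is that a single weak or stolen password, especially a privileged one, is enough for rapid access. The script below is an added illustration, not code from the OT&E report, from TRANSCOM or from any DoD program, of what such a log review can catch: a password spray (one source trying a few passwords against many accounts), a brute-force run against one account, and a login that succeeds from a source already flagged as attacking, escalated when the account is privileged. The sshd-style log format, host name, IP addresses, user names, privileged-account list and thresholds are all constructed assumptions.

```python
"""Review auth log lines for credential attacks (added illustration).

Assumptions: the sample lines below are constructed in an OpenSSH sshd
syslog style; the privileged-account list and thresholds are site
choices, not values from any real system.
"""
import re
from collections import defaultdict

# Constructed sample log. Source 198.51.100.7 sprays six accounts and gets
# in as 'backup'; 203.0.113.9 hammers one account; 192.0.2.25 is a user
# who mistyped once and then logged in normally.
SAMPLE_LOG = """\
Jan 12 03:14:01 srv1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jan 12 03:14:02 srv1 sshd[2202]: Failed password for root from 198.51.100.7 port 41023 ssh2
Jan 12 03:14:03 srv1 sshd[2203]: Failed password for jsmith from 198.51.100.7 port 41024 ssh2
Jan 12 03:14:04 srv1 sshd[2204]: Failed password for mjones from 198.51.100.7 port 41025 ssh2
Jan 12 03:14:05 srv1 sshd[2205]: Failed password for invalid user operator from 198.51.100.7 port 41026 ssh2
Jan 12 03:14:06 srv1 sshd[2206]: Failed password for backup from 198.51.100.7 port 41027 ssh2
Jan 12 03:14:09 srv1 sshd[2207]: Accepted password for backup from 198.51.100.7 port 41028 ssh2
Jan 12 03:20:11 srv1 sshd[2301]: Failed password for jsmith from 203.0.113.9 port 50001 ssh2
Jan 12 03:20:12 srv1 sshd[2302]: Failed password for jsmith from 203.0.113.9 port 50002 ssh2
Jan 12 03:20:13 srv1 sshd[2303]: Failed password for jsmith from 203.0.113.9 port 50003 ssh2
Jan 12 03:20:14 srv1 sshd[2304]: Failed password for jsmith from 203.0.113.9 port 50004 ssh2
Jan 12 03:20:15 srv1 sshd[2305]: Failed password for jsmith from 203.0.113.9 port 50005 ssh2
Jan 12 03:20:16 srv1 sshd[2306]: Failed password for jsmith from 203.0.113.9 port 50006 ssh2
Jan 12 08:02:44 srv1 sshd[2401]: Failed password for mjones from 192.0.2.25 port 39000 ssh2
Jan 12 08:02:50 srv1 sshd[2402]: Accepted password for mjones from 192.0.2.25 port 39001 ssh2
"""

# Matches both "Failed password for jsmith from ..." and the
# "invalid user" variant sshd emits for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Assumption: accounts whose compromise the site treats as critical.
PRIVILEGED = {"root", "admin", "backup", "operator"}


def parse(log_text):
    """Return (source_ip, user, accepted) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["user"], m["result"] == "Accepted"))
    return events


def review(log_text, spray_users=5, brute_attempts=5):
    """Walk the log once and return findings in the order they trigger.

    spray_users:    distinct accounts one source must fail against
    brute_attempts: failures one source must rack up on a single account
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    flagged = set()                                # sources already reported
    findings = []
    for src, user, accepted in parse(log_text):
        if not accepted:
            per_user = fails[src]
            per_user[user] += 1
            if src in flagged:
                continue
            if len(per_user) >= spray_users:
                findings.append({"kind": "password_spray", "src": src,
                                 "users": sorted(per_user), "severity": "high"})
                flagged.add(src)
            elif per_user[user] >= brute_attempts:
                findings.append({"kind": "brute_force", "src": src,
                                 "users": [user], "severity": "high"})
                flagged.add(src)
        elif src in flagged:
            # A success from a source already caught guessing is the event
            # the report warns about; a privileged account makes it critical.
            sev = "critical" if user in PRIVILEGED else "high"
            findings.append({"kind": "success_after_attack", "src": src,
                             "users": [user], "severity": sev})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['kind']:21} {f['src']:14} {','.join(f['users'])}")
```

The single failed attempt followed by a success from 192.0.2.25 produces no finding, which is deliberate: one typo and a correct retry is what ordinary users look like, and a rule that fires on it would bury the real hits. A production version would also key on the log timestamps so that attempts spread over hours are not merged with a burst, and would feed the privileged-account list from the directory rather than a hard-coded set.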
Among their recommendations, the authors say DoD needs to work toward a more realistic training environment, including routinely simulating cyber threats by a “representative opposing force” during every exercise it conducts.
But the department will be challenged to pull that off, given workforce constraints. Unsurprisingly, the need for trained cyber personnel continued to rise across the board in 2014.
“Demand has begun to exceed the capacity of existing personnel able to portray cyber threats,” the authors wrote. “Projected FY15 personnel needs for cybersecurity tests and assessments, as well as training for the Cyber Mission Force personnel in support of U.S. Cyber Command, may not be met unless critical resource shortfalls are addressed.”
This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature.