The Defense Department’s top weapons tester found that the military has made notable improvements over the past year in securing its systems against cyber attacks, including by applying software patches more quickly. But in too many scenarios, a potential enemy could still do “catastrophic” physical damage to military units because of ongoing cyber weaknesses.
The diagnosis is part of a congressionally mandated annual report by Michael Gilmore, DoD’s director of operational test and evaluation. The office has traditionally focused itself on kinetic weapons systems, but has placed an increasing emphasis on overseeing DoD’s cyber posture in recent years. In 2015, DOT&E examined cyber aspects of 33 acquisition programs and 13 training exercises.
Those assessments led the office to pin DoD’s cyber weaknesses, in part, on an ongoing reluctance by combatant commanders and military services to build realistic cyber threats into their training scenarios. And the elite “red teams” who were allowed to play the role of cyber attackers are spread so thinly across DoD that they don’t have time to and keep up-to-date on the sorts of techniques a real-world attacker might use.
“The demand on DoD-certified red teams, which are the core of the cyber opposing force teams, has increased significantly in the past three years. In the same time frame, the private sector has hired away members of red teams, resulting in staffing shortfalls during a time when demand is likely to continue to increase,” the report noted. “This trend must be reversed if the DoD is to retain the ability to effectively train and assess DoD systems and service members against realistic cyber threats.”
Instead of parachuting the teams in to attack a given system on a given day, some commanders have made better use of them by asking them to play the role of an unrelenting cyber adversary during long-term exercises — a more realistic portrayal of the type of threat the military faces, according to DOT&E. U.S. Pacific Command, for example, began using them for year-long “persistent cyber opposing force” exercises last year.
“This PCO has already helped PACOM find and remediate mission-critical vulnerabilities that might have otherwise gone undetected,” the report says.
But in too many other areas, commanders have not shown enough interest in battle-testing their networks against cyber threats and have actively resisted realistic cyber scenarios in their regularly scheduled training exercises, according to Gilmore’s office. Because of that, it’s impossible to know how most military systems and units would perform if they were targeted by a real cyber attack in actual combat.
“In operational tests and exercise assessments, the cyber opposing force was frequently in a position to deliver cyber effects that could degrade the performance of operational missions. But exercise authorities seldom permitted cyber attacks from being conducted to the full extent that an advanced adversary would likely employ during conflict, so actual data on the scope and duration of cyber attacks are limited,” the report said. “Additionally, exercise authorities often declined to allow kinetic effects based on data exfiltrated by the cyber opposing force.”
When it comes to defense, the report’s conclusions seemed to be at odds with numerous recent assertions on the part of DoD and military service officials that they have had no difficulty attracting and retaining qualified personnel to protect government networks.
The authors cautioned that they were still analyzing the results of a performance assessment DOT&E conducted with members of U.S. Cyber Command’s cyber protection teams last fall. The initial results, however, point to not enough team members having the opportunity to train against an opposing force — even a simulated one. But the team members that got that chance performed much better in test results.
“DOT&E also observed that some individuals assigned to CPTs do not possess the proper training, background, or motivation to become effective CPT members.”
On the plus side, DoD has made significant improvements since last year’s report, when assessors said that most of the military’s weapons systems were susceptible to attack by novice or intermediate-level hackers.
Gilmore’s office credited widespread information campaigns on the part of DoD officials to communicate the importance of basic cyber hygiene, a policy decision to deactivate website links in email messages, the “whitelisting” of applications to make sure only safe programs are running on military systems, speedier application of security patches and better coordination between local network defenders and DoD’s cyber protection teams.
Because of those steps, many of the rudimentary approaches the red teams used to hack into Defense systems in 2014 didn’t work in 2015.
“However, these improvements are not enough to ensure mission success,” the report said. “Detection tools used by network defenders were primarily signature-based and dependent upon commercial tools adapted for DoD use. However, the majority of adversarial accesses involved the use of ‘native’ software normally available within the networks and operating systems. Since misuse of native software is less easily detected and eliminated than malware, DoD should augment current network defenses with behavior‑based and heuristic-type sensors.”