The Pentagon’s cybersecurity capabilities are lagging behind adversaries’, but even as they struggle to improve their performance, past recommendations on plugging gaping security holes still aren’t being followed, according to a pair of scathing reports recently released.
The US military is struggling to keep up with its adversaries’ capabilities, says a report by Robert Behler, the Defense Department’s director of operational test and evaluation (DOT&E). Bloomberg obtained a copy of the report, which it notes is expected to be discussed during a Senate Armed Services hearing on Tuesday.
A second report, published by the Defense Department’s Inspector General (IG) on January 9, found that the Pentagon’s response to recommendations on how to fix cybersecurity issues issued a year prior was dismal, with only 19 of 159 measures implemented since the IG’s previous report in FY 2017.
Behler’s report focuses on how well Pentagon combat testers were able to respond to “Red Teams,” or in-house hackers from the Army’s Threat Systems Management Office who probe DoD defenses for weaknesses. Behler’s report found that over the past four years, “defenders demonstrated increasing ability to detect Red Team activity,” but also noted that “defenders need to improve speed and accuracy for processing reported incidents.”
Behler’s report describes 200 penetration events by Red Teams during Fiscal Year 2018, with the mock attacks succeeding in most cases, though “improved network defenses” were able to slow down their progress more often than in the past.
In other words, the Pentagon is adapting, but not fast enough.
The difference, Behler notes, is artificial intelligence. AI is starting to “make profound changes to the cyber domain,” and the Pentagon is doing a bad job of figuring out what to do about it. Bloomberg notes that the Army is seeking its own “autonomous cyber” capabilities to counter enemy AI with its own AI, and the DoD announced last September it was funnelling $2 billion to its secretive development bureau, the Defense Advanced Research Projects Agency (DARPA), over the next five years to develop AI in new weapons systems that can compete with China’s stated goal of being the world leader in AI by 2030, the Washington Post reported at the time.
An October report by the Government Accountability Office (GAO) eviscerated the DOD’s cybersecurity practices, noting that “testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected.” In one instance, testers were able to guess administrator passwords in only nine seconds, giving them access to major weapons systems, Sputnik noted.
“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” the watchdog’s October 9 report stated.
January’s reports found that many of those problems had not been addressed.
The IG’s January 9 report noted that the Air Force still hasn’t changed the default passwords on multiple weapons systems since the October exposé. Further, the service isn’t even following its own cybersecurity protocols on new weapons systems it puts out, Motherboard noted.
“The largest number of weaknesses identified in this year’s summary were related to governance,” the report notes about FY 2018. “Without proper governance, the [Pentagon] cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade or destroy targeted information systems.”
GAO Director Cristina Chaplain told Bloomberg for a Monday article that “DOD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years,” and program officials “tended to discount the scale and severity of the problem.”
With the Pentagon projected to spend $1.66 trillion “to develop its current portfolio of weapon systems,” according to the GAO, the significance of these weaknesses cannot be overstated. “Defense information is high value in the market,” Paul Wallis, op-ed editor at large at Digital Journal, told Sputnik Monday. “It’s a cash cow for hackers, whether national or independent. It’s hard to overstate that risk.”
Wallis said the Pentagon’s problems stem from “a mix of funding and lack of creativity in security measures,” noting its “find and fix” strategy as a particular problem.
“System thinking tends to assume that penetration needs sophisticated means, codes, etc. — it doesn’t,” Wallis said. He noted five kinds of multilayered solutions the DoD should be looking at: dud information that devalues “entrepreneurial” hacking; decoy information, which he said was “meaningless crap that takes time and effort to reveal that it’s crap;” assembly-only information that can’t be accessed in one hit; standalone systems to limit attackers’ ability to penetrate the system; and inserting friendly worms into code so that hackers themselves get hacked back during the attack.
But despite all that cash getting thrown around, Bloomberg notes that most DoD cybersecurity jobs “are not compensated commensurate with the position’s required time and expertise.” That might contribute to a finding in an earlier IG report, from March 2018, on the Missile Defense Agency: of seven random defense contractors analyzed, five didn’t consistently use “multifactor authentication to access unclassified networks that contained [ballistic missile defense systems] technical information.”