Defense Department Infrastructure Still Vulnerable to Cyber-Attacks, Critics Say (UPDATED)
With rules of engagement due out this year that will govern how the military operates in cyberspace, officials asserted that they are closer than ever to making network offense and defense a normal part of military operations. However, security analysts and industry officials say there is still much work to be done, including hardening military networks, beefing up security practices and recruiting talented computer specialists.
There is no guarantee that the U.S. information technology infrastructure would stand up to a full-spectrum cyber-attack by a sophisticated enemy, said a January report titled “Resilient Military Systems and the Advanced Cyber Threat” by the Defense Department’s Defense Science Board task force.
Lou Von Thaer, one of the report’s authors, described how such an attack could affect a Navy ship at sea.
“Your common operational picture ... suddenly becomes distorted. Real targets disappear, being replaced by phantom targets in different locations,” Von Thaer, who is also president of General Dynamics Advanced Information Systems, said at the Navy League’s Sea-Air-Space Exposition in April. “Critical databases on the ship are compromised. The main gun’s fire control system has been hijacked and is aimed at your ally.
“Can you stop it from firing? Your supply chain is corrupted, your fuel is ordered to the wrong GPS coordinates. How do you get your ship and sailors out of harm’s way or into the mission that you need to execute?” he asked.
Von Thaer admitted his examples were overdramatic but asserted that small Defense Department teams were able to accomplish similar feats using only software downloaded from the Internet.
His task force spent 18 months studying the resiliency of Pentagon networks by compiling information from these exercises and more than 50 briefings from department and military personnel, industry officials and academia.
Using “exploits” — computer software or code named for its ability to take advantage of a system’s vulnerabilities — the red team hackers were able to infiltrate Defense Department networks in short order, the report said.
“Such penetrations could seriously impede the operation of U.S. forces by degrading network connectivity, corrupting data and gaining intelligence,” the report said.
Maria Horton, chief executive officer of Emesec Inc., said the report was a “harsh” but “eyes-wide-open view” of Defense Department network vulnerabilities. Her company does diagnostic testing for some of the department’s administrative and medical computing systems.
“I think those systems, to some degree, were designed and implemented in the 70s, 80s and early 90s, and I think that the core software code [and] some of the core systems need to be either revitalized or strategically redone,” she said. She noted that the Pentagon has made progress on switching from legacy systems to newer technology, but because the move is expensive, it is being done “in small, modular chunks.”
While she could not speak on the resilience of “war-fighting” networks, she said the report will help the department prepare for the next generation of cyber-attacks.
If the Defense Department is going to meet those challenges, its policies need to be adaptable so that cyberwarriors can act quickly, Von Thaer said.
“Cyberthreats change in time scales measured in minutes, hours and days,” he said. “DoD doctrine takes considerably longer — we count it in years and sometimes even decades. It’s very difficult to design a system under those constraints that can adapt to threats at the rate that we need to.”
Rules of engagement, which officials say could be released within months, will help the military take action quickly.
“That’s going to give us a clear authority to understand and be able to respond both offensively and defensively to a cyber-attack,” said Rear Adm. Michael Hewitt, deputy director of the special programs cross functional team on the Joint Staff. “You understand the threat, understand the environment that you’re in, and you understand what you can do about it from a delegated perspective and where you need to go back and get permission.”
It has taken almost a decade, but military leadership now recognizes the massive threat posed by cyber-attacks, said Vice Adm. Michael S. Rogers, commander of U.S. Fleet Cyber Command. Even more promising, there is little pushback to the idea that the lines between cyber and kinetic warfare are blurring, he said.
What’s still being worked out is how best to have cyberforces working with and alongside kinetic forces, not “off in some closet somewhere,” Rogers said.
“What we’ve got to do is integrate cyber into the same traditional mechanisms … whether we do that through the spectrum, we do that through a network or we do something kinetic,” he said. “What we want to do is be able to tee up to the commander multiple options. We need to be able to integrate the desired effect we’re trying to achieve into a commander’s operational scheme, and we need the commander to make the decision about what’s the best tool to use.”
It’s not only about integrating cyber with kinetic, Hewitt said. The military also needs to figure out how to use traditional means of warfare to advance against an enemy within networks without having to employ electronic warfare.
“We’re starting a really good dialogue with industry on the concept of integrated fires and understanding traditional military capabilities and how they can be applied in this nonkinetic environment,” he said.
Even as the Pentagon’s overall budget is shrinking, investment in network security operations increased from $3.9 billion in fiscal year 2013 to $4.7 billion in the 2014 budget request.
The Defense Information Systems Agency is consolidating and standardizing the networks and software used across defense organizations and military services under the Joint Information Environment, a move officials said will help harden computer systems against attack.
Still, there could be more centralization around information technology procurement, standards and practices to help drive efficiency and security, said Tony Busseri, chief executive officer of Route1, a Toronto-based security company focused on remote computing.
“There’s a lot of independence within groups, and … too many exceptions are made available,” he said. When groups within the military are allowed to deviate from the standard devices, software or practices, “you don’t get efficiencies and economies of scale. … If people are allowed to make exceptions too often, then they can be creating incremental vulnerabilities that really weren’t intended,” he added.
The federal government — and especially the Defense Department and military services — needs to develop a standardized system to test its networks and IT products, said Clark DeHaven, general manager for LGS Innovations’ innovations mobility and wireless solutions business unit. LGS has worked with the Defense Advanced Research Projects Agency on researching network vulnerabilities.
The Pentagon already regularly tests selected networks and devices to ensure there is no malicious code on them, but the practice should be expanded and institutionalized, he said.
“Is there a more systematic way to do it, and can we develop some additional tools to make it more automated of a process than what we have today? … As these threats become more and more sophisticated, we’re going to have to get a little clever on the tools that we develop to use in a situation like this,” DeHaven said. “We’re in discussions [with the Pentagon], and there is certainly some interest in … getting this started at a broader level.”
Officials in the past have held back from detailing the military’s offensive capabilities, but they have become more candid in recent months about how its personnel might respond to threats.
Cyber Command is creating 13 teams specifically to carry out offensive operations in case of a cyber-attack against the nation, its top officer Army Gen. Keith Alexander said at a March House Armed Services Committee hearing. An additional 27 teams will support combatant commands in planning offensive activities.
“The teams are analogous to battalions in the Army and Marine Corps — or squadrons in the Navy and Air Force,” Alexander testified. “In short, they will soon be capable of operating on their own, with a range of operational and intelligence skill sets, as well as a mix of military and civilian personnel.”
Cyber Command also plans to hire 4,000 employees in the coming years, but it remains to be seen whether the command can recruit the highly skilled and specialized workforce it needs.
“Our biggest challenge is not capability. I can generally find somebody with the skill set I need,” Rogers said. “In 18 months in command, I have yet to encounter a problem set that I didn’t have people with the right skills. The challenge is capacity. The numbers with the right skills, particularly in the high end, are really small.”
One way to recruit this talent would be partnering with universities and creating a pipeline to groom the skills needed by the military, said Scott Greaux, vice president of product management and services for PhishMe, a Chantilly, Va.–based company that has trained West Point students to identify spearphishing attempts.
Information sharing between Cyber Command and selected universities would help ensure institutions are teaching the skills the command needs, said Greaux, who noted that the Defense Department and military services have been reticent in the past to share sensitive information with industry.
“There’s definitely a knowledge gap … at universities where they’re not aware of what the real threats are facing either our nation or our large organizations,” he said. “There’s a lot of work that goes into cultivating that talent,” and information sharing could help build a pathway between higher education and the Defense Department.
Correction: In the original article, the headquarters of Route1 was misidentified. It is based in Toronto.