DoD Still Can’t Get its Security Ducks in a Row
Five years after the Pentagon demanded that every weapon system be required to function in the face of Russian and Chinese cyber attacks, many major weapons systems still don’t even list cybersecurity as a key performance parameter, never mind actually working under those conditions.
This means that all our adversaries need to do to win a war is hack our weapons, which, it appears, may not be that hard.
Of the three major services, the Air Force is the worst, with inconsistent cybersecurity practices across 85 weapon systems worth over $1.5 trillion.
Even though the Pentagon updated its Joint Capabilities Integration and Development System (JCIDS) Manual in 2015 to add a requirement that systems be able to function in a degraded cyber environment, at the end of 2019 the GAO found that 25 of 42 major weapons systems did not even include cybersecurity as a Key Performance Parameter (KPP), and even more did not include it as a Key System Attribute (KSA).
It used to be that you pointed your gun in a particular direction and pulled the trigger. That was pretty hard to hack. Now weapons systems are smart: they run software, and many are networked.
WHAT. COULD. POSSIBLY. GO. WRONG?
The 2019 report “looked at DOD’s progress with developing:”
- (1) strategies that help ensure that programs are planning for and documenting cybersecurity risk management efforts (cybersecurity strategies),
- (2) evaluations that allow testers to identify systems’ weaknesses that are susceptible to cybersecurity attacks and that could potentially jeopardize mission execution (cybersecurity vulnerability evaluations), and
- (3) assessments that evaluate the ability of a unit equipped with a system to support assigned missions (cybersecurity assessments).”
Most of the 38 MDAPs (Major Defense Acquisition Programs) reviewed had created a cybersecurity strategy, but of the 19 programs that required a cybersecurity vulnerability evaluation, 11 had not completed one or had not completed it on time. Another three said they had no schedule for completing it, and one Air Force program said it did not know whether it had completed an evaluation at all.
Of 42 programs, 14 told the GAO that they had not finished their cybersecurity assessment.
The GAO report goes on at length about the problem. Apparently the Pentagon simply has not made this a priority.
If Ellen Lord (the Under Secretary of Defense for Acquisition and Sustainment) were to say that no program will be funded in the next fiscal year unless it complies with Pentagon policy, I BET every program would suddenly comply and every program would be funded. It is about priorities.
It is also about servicemembers’ lives. We should not forget this. If their weapon systems don’t work because the enemy hacked them, jammed them, or otherwise compromised them, it could cost not only servicemembers’ lives but civilian lives as well.
Credit: Breaking Defense