The Pentagon is not prepared to take on certain adversaries in cyber space and must adopt a new strategy to mitigate looming threats, according to a new report.
The 138-page report, “Resilient Military Systems and the Advanced Cyber Threat,” was compiled by a task force of public and private sector industry experts under the Defense Science Board.
The task force advised that the Department of Defense (DoD) does not have the capabilities to prevent highly sophisticated cyber attacks from penetrating networks that control critical infrastructure and carry out essential military missions.
“DoD’s networks are built on inherently insecure architectures that are composed of, and increasingly using, foreign parts,” James Gosler and Lewis Von Thaer, co-chairs of the task force, wrote in the report. “While DoD takes great care to secure the use and operation of the ‘hardware’ of its weapon systems, the same level of resource and attention is not spent on the complex network of information technology (IT) systems that are used to support and operate those weapons or critical IT capabilities embedded within them.”
The task force noted that two countries in particular, China and Russia, both have the capabilities and resources needed to create vulnerabilities within U.S. networks for the purpose of exploitation.
In one of the task force’s tests, researchers were able to gain access to military networks using only a small team, under a short amount of time. The task force said that an adversary could carry out a similar action and could “significantly disrupt” the military’s networks.
Advising DoD to increase its cyber capabilities, the task force offered up a list of recommendations aiming to reduce the risk of vulnerabilities and threats to U.S. networks.
Recommendations listed by the task force included:
- Determining the mix of cyber, protected-conventional and nuclear capabilities necessary for assured operation in the face of a full-spectrum adversary
- Refocusing intelligence collection and analysis to understand adversarial cyber capabilities, plans and intentions, and to enable counterstrategies
- Creating a counterintelligence capability to directly address the most sophisticated threats using tools and techniques derived from both defensive and offensive U.S. cyber programs
- Developing a capability to model a war game to train for full scale peer-on-peer cyber warfare
- Establishing a policy framework for offensive cyber actions to include who has what authority (for specific actions), under what circumstances, under what controls
- Increasing the number of qualified cyber warriors and enlarging the cyber infrastructure to commensurate with the size of the threat
- Leveraging commercial technologies to automate portions of network maintenance and “real-time” mitigation of detected malware
- Establishing a formal career path for DoD civilian and military personnel engaged in cyber defense
“It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities,” advised the task force, adding, “We must start now.”