Although the U.S. Department of Defense is making progress protecting its information and combat systems from cyber attacks, many vulnerabilities remain and more are expected to emerge, the Pentagon’s chief weapons tester says.

“Now and in the future, cybersecurity threats will arguably be some of the most dangerous threats our defense systems face,” according to the latest annual report by J. Michael Gilmore, DoD’s director of operational test and evaluation.

Despite having improved its defenses in the last fiscal year, DoD exercises demonstrated deficiencies in fending off beginner- and intermediate-level cyber adversaries, Gilmore wrote. Moreover, the “continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DoD networks, and could be in a position to degrade important DoD missions when and if they chose to. It is therefore critical that DoD network defenders, and operators of systems residing on DoD networks, learn to ‘fight through’ cyber attacks, just as they are trained to fight through more conventional, kinetic attacks.”

Gilmore’s review revealed the most common vulnerabilities include unnecessary network services or system functions; misconfigured, unpatched or outdated software; and weak passwords. Many of these weaknesses could be identified by testing for them earlier in developmental testing, instead of waiting until operational testing to find them, he wrote.

Gilmore also found DoD’s cyber ranges and labs are stretched thin and need to be expanded to accommodate more realistic testing, such as denial-of-service attacks. For “understandable” reasons, exercises involving operational networks are usually limited to less disruptive activities, such as gaining unauthorized network access and stealing data, he wrote.

NON-DOD SYSTEMS RAISE CONCERNS

The Pentagon’s concerns are not limited to DoD systems. Army Gen. Martin Dempsey, the chairman of the Joint Chiefs of Staff, recently told the Defense Media Activity the private sector’s cyber vulnerabilities also threaten national security because the military depends on commercial networks. He reiterated the White House’s call for Congress to pass legislation to allow greater cybersecurity information sharing between the government and private sector.

“We have authorities and capabilities that allow us to do a pretty good job of defending ourselves,” Dempsey said. “But the vulnerability of the rest of America is a vulnerability of ours, and that’s what we have to reconcile.”

In addition, the Coast Guard, the only military organization in the Department of Homeland Security, is developing its own cyber strategy and expects to release it “in the next several weeks,” said Adm. Paul Zukunft, the service’s commandant, who spoke Jan. 16 at the Center for Strategic and International Studies in Washington, D.C.

“The Coast Guard is working to align with DHS and DoD in developing a cyber strategy to defend our own network and protect maritime critical infrastructure and the maritime transportation system,” said Commander Matt Moorlag, a commandant spokesman. “We will also coordinate cyber security activities and standards across federal, state, local and industry stakeholders.”

Marc Selinger is a journalist based in the Washington, D.C., area. He can be reached at marc2255@yahoo.com. Follow him on Twitter at @marcselinger.