Testifying before the Senate Armed Services readiness subcommittee in April, Dr. Raymond D. O’Toole Jr., then acting director of operational test and evaluation for the Pentagon, dropped a verbal bombshell.
“As the committee is aware, cybersecurity is the most pervasive threat vector, and DOD largely is not doing well on this front,” O’Toole said. “Of the programs DOT&E assessed in , virtually none were survivable against relevant cyber threats.”
Rattled, Sen. Dan Sullivan (R-Alaska), the ranking member on the subcommittee, quickly followed up. “I hope our adversaries aren’t watching this hearing. They often do watch these hearings. But what in the hell are we going to do to close that gap?” he said. “That is shocking and, well, concerning.”
Six months later, Sen. Tim Kaine (D-Va.), the panel chair, recalled the incident while questioning Nickolas Guertin, the Biden administration’s nominee to lead operational test and evaluation.
Anything that’s sitting out there on a network, anything that’s moving a bit or byte around, is a cyber target.Kevin Fogarty, Dynetics Aerospace, defense and civil chief technical officer
“Senator Sullivan and I both looked at each other and said, ‘Is this an open hearing?’” Kaine said of his reaction to O’Toole. “And the witness, Dr. O’Toole said, ‘I got this cleared for delivery of testimony in an open hearing.’ But it troubled us greatly.”
The Defense Department’s cyber challenges are enormous. Systems increasingly rely on software code, much of it incorporating open-source components. Growing dependence on cloud-based systems to host databases and computer workloads also expanded the Pentagon’s attack surface. Conventional cyber defenses based on keeping hackers out of DOD networks have given way to new strategies built on protecting the data inside the network, because that’s what hackers are after.
Some see the principal challenges as developing a more cyber-capable workforce, as O’Toole suggested; Guertin suggested the issue is more about integrating cybersecurity into the systems development process from the very beginning. The reality is that in an increasingly connected world, every weapon system is a cyber target.
OUTLINE THE THREAT
As far back as January 2013, a Defense Science Board task force report, “Resilient Military Systems and the Advanced Cyber Threat,” warned that adversaries could exploit cyber vulnerabilities to:
- Degrade and sever communications;
- Manipulate and corrupt data;
- Cause weapons to fail, and potentially; and
- Destroy weapons or systems.
China, Russia, Iran, and North Korea all see cyber as presenting an opportunity to counter American advantages in military technology by exploiting it as the soft underbelly of U.S. defense. A large-scale attack across infrastructure and the military, the report said, could “impose gradual wide scale loss of life and control of the country and produce existential consequences.” For such an attack to occur, it added, “there must be an adversary with both the capability and intent to conduct the attack.”
Klon Kitchen, a senior fellow at the American Enterprise Institute who worked on creating the U.S. Cyberspace Solarium Commission, said it’s not hard to imagine today which adversaries might be so capable. “China has … a capability, and an intention, and a demonstrated history of leveraging its access to supply chains to gain access to information, to exfiltrate data, to insert vulnerabilities that they can leverage later,” he told Air Force Magazine.
Kevin Coggins, a vice president at Booz Allen Hamilton and the head of its Positioning, Navigation, and Timing practice, said cyber vulnerabilities transcend the computer world and threaten the physical world, as well.
“It sounds real sci-fi, but you can literally stop things from working,” Coggins said. “People used not to think of cybersecurity with respect to a weapon system, because you only saw what the weapon system did, right? That thing hits a target and blows a building up. That thing flies through the air, that thing orbits the Earth,” he continued. “But those things are [also] computers. Every single one of them has a computer at its core and information coming into it and out of it. And that defines enough attack surface right there to start thinking about cybersecurity.”
The F-35, as former Air Force Chief of Staff Gen. David L. Goldfein has said, is “a computer that happens to fly.” Modern, digitally enabled weapons are networked to sensors and communications links in space. And Goldfein’s dream of multi-domain command and control—what the Pentagon now calls joint all-domain command and control—is effectively a “military Internet of Things,” as former Air Force acquisition chief Will Roper dubbed it.
The trouble is, there’s no such thing as a hack-proof system. If it can be built, it can be compromised. Iran’s cyber warfare unit famously captured control of an American RQ-170 surveillance drone a decade ago. The incident highlighted the potential vulnerabilities of such systems, as well as the fact that it doesn’t take a world power to develop such capability. Meanwhile, China and Russia have honed their cyber skills, penetrating U.S. government and industry networks, exfiltrating unknown volumes of data, and raising the stakes in information warfare.
“The military writ large is in the middle of this pivot toward near-peer competition … but we’ve been there in the cyber realm for a while—a lot longer than we’ve been there in the kinetic realm,” said Kevin Fogarty, defense and civil chief technical officer for Dynetics Aerospace. “So, as we turn our kinetic capability toward near-peer competition, we need to understand where we’re at with our cyber capabilities and where our adversaries are. And then we need to understand the impact that has on the legacy systems that we’ve got out there, as well as the new systems we’re procuring. Because anything that’s sitting out there on a network, anything that’s moving a bit or byte around, is a cyber target.”
PROTECTING THE SUPPLY CHAIN
Cyber vulnerabilities begin in the development stage. “Obviously potential vulnerability goes up if you can steal the entire plans for weapon systems,” said Laura Brent, a senior fellow in the Technology and National Security Program at the Center for a New American Security.
Securing contractors networks is really the very first line of defense. The Cybersecurity Maturity Model Certification establishes cybersecurity standards and training for contractors and is a good first step. Securing the digital supply chain, including computer chips and sub-assemblies made offshore, however, is another thing entirely.
“Most chips are not made in the U.S. anymore,” noted Ann White, a principal at Booz Allen with a background at the NSA. “And so we’re looking at how you identify vulnerabilities associated with the manufacturing process and that supply chain. How can they be switched out?”
Most of those parts are made in Taiwan, China, and South Korea; concern over parts manufactured in China is particularly high.
Specific vulnerabilities related to China’s role in the supply chain are classified, but the implications of such a threat are clear.
“Imagine if [China] had gotten into the chip supply chain in such a way as to where they could turn off navigation systems in military aircraft,” Kitchen said. “Or if they could disrupt communications capabilities at sea, or if they could throttle power on fundamental systems inside any of our platforms.”
In the recent SolarWinds hack, Russia was able to compromise hundreds of companies and federal agencies, including DOD and cybersecurity specialist FireEye, which discovered the breach. The hackers penetrated the SolarWinds system and then bided its time, employing a long-term strategy to spread its malware by attaching it to a legitimate update, which then spread naturally to SolarWinds customers.
And even if the Pentagon is able to secure the IT systems of contractors and ensure the supply chain is safe, highly sophisticated attacks like that one are hard to detect.
“The user is a vulnerability … how the user interacts with the system,” White said.
Clicking on deceptive links in emails or on websites, downloading files shared by a colleague (or apparent colleague), and taking other routine actions that anyone might experience in a normal workday can all result in accidentally enabling a cyber attack.
Once in the system, malware can exfiltrate data or manipulate data, causing a system to produce bad results, to crash, or to fail. “If you cause a processor on an autonomous drone or a missile or a sensor on a satellite to crash, there’s no one there to hit a reset button,” Coggins said. “And if you didn’t design it to recover from that, it’s done. It’s toast until it resets and recovers.”
The Stuxnet attack used to infiltrate and damage an Iranian uranium enrichment plant caused the plant’s centrifuges to malfunction and effectively destroy themselves. Commonly attributed to Israeli and U.S. cooperation, it was one of the first known instances of a computer virus that directly impacted the physical world.
“Something very similar can be done in a whole host of systems, right?” Kitchen said. “I mean, you could shut down cooling systems, and therefore everything else that depends on those cooling systems within all these different platforms could overheat and stop working, right? … There’s essentially no shortage of ways that you can do bad things if you’ve got this kind of access.”
The Government Accountability Office first identified cybersecurity as a high risk in 1997. Today, while overall security is greater and more effective than ever, the range of systems accessible to hackers has grown exponentially. A 2021 GAO report praised the Air Force’s Cyber Resiliency Office for Weapon Systems for its servicewide guidance on how to define cybersecurity requirements for acquisition systems and how to incorporate them into contracts.
The Air Force’s “System Security Engineering Cyber Guidebook” integrated cybersecurity into the development process, applying an approach similar to the “DevSecOps” mindset used in agile software development, where developers, security specialists and operators all work on new systems in parallel, rather than one after the other. And the crossover between cybersecurity approaches in software and hardware shouldn’t end there, Fogarty said.
“The term ‘zero trust’ doesn’t just apply to your computer network. That needs to apply to our weapon system architecture. … So we really need to look at those constructs, some of the guidance coming out, and make sure we translate those correctly from an IT world into a cyber-physical weapon system,” Fogarty said.
Another approach from the IT world that should carry over to a weapon system’s cyber defenses, Coggins said, is that of iterative updates, where cybersecurity is never considered perfected or finished.
“It’s not just, ‘give me a requirement for an iPhone, I’m going to build you an iPhone and deliver it.’ It’s, ‘build me a capability that you can continuously upgrade and that can continuously pace the threat’—as the threat changes, it’s easy to change the capability,” Coggins said. “Historically, we haven’t designed weapon systems to be updatable or easy to change.”
Like the GAO, Coggins singled out the Air Force for its efforts in that regard, specifically praising Platform One, a DevSecOps platform for software designed to be hardened against threats while still flexible for different programs.
From the hardware side, cybersecurity can also be enhanced by “digital twins,” White added. Using a virtual replica of a weapons system through the development and testing phases allows agencies and contractors to “simulate attacks, simulate mitigations, and then evaluate their effectiveness,” she said.
Overall, increased testing has been a central component of how Congress has tried to address the issue—the 2021 National Defense Authorization Act required the Secretary of Defense to establish policies for periodically testing major weapon systems for cyber vulnerabilities, and the legislature has provided funding for pilot programs aimed at developing a cyber-capable workforce like O’Toole said the Pentagon needs.
Yet even with acquisition requirements, iterative updates, and increased testing, the threat remains so widespread, so pervasive that “it’s important to realize that 100 percent security, whether that’s cyber or otherwise, is probably not achievable,” Brent warned. “So what is an acceptable amount of risk while still allowing achievement of mission critical functions?”
RISK ASSESSMENT AND RESILIENCY
Defining an acceptable level of risk for cybersecurity is especially critical given some of the realities the Pentagon and the Air Force face, like constrained budgets and legacy systems designed and built in a different era.
“I think a lot of our systems made assumptions in terms of … an IT system needed cybersecurity, but these systems with microcontrollers, processors in them that didn’t connect to the internet, didn’t need cybersecurity,” White said.
And in a different time, the risks associated with that mindset weren’t as great—systems were “stove-piped … they had their own command and control system with them,” Fogarty said. “You could protect that system, or not protect that system, but there wasn’t a lot of lateral movement an adversary could do.”
Now, with JADC2 aiming to connect sensors and systems like never before, “you’re only as strong as your weakest link,” Brent said—even systems developed with cybersecurity in mind could be compromised by being connected to less secure systems. Fixing those less secure systems isn’t as simple as a quick software update either.
“It’s hard to push patches to older systems, because the act of putting the patch on them is hard, it’s difficult,” Coggins said. “The system may have to go back to a depot for someone to do it. In the new paradigm, you’ll be able to do it in the field, and it saves a lot of time and money. We’re trying to update many old systems right now. It may take five years to put one patch out.”
Over time, the systems being developed now—the ones developed with security in mind, tested more rigorously in those areas, and capable of receiving iterative updates—will replace the older ones. But that will likely take years. In the meantime, there are ways to address the gaps.
For one, “not every vulnerability has to be fixed, right?” White said. “If it’s not … operationally impactful, or the probability of it happening is very low, don’t fix that, right? Fix the ones that we know our adversaries know about and that are easy to impact, easy to execute, and that have a high operational effectiveness.”
Fixing the issue might not even involve deploying a software patch, Coggins added. Sometimes it’s as simple as training the person operating the weapon system.
“A good example is there may be some telemetry data coming from the satellite that they don’t pay attention to, because it’s just been benign for 20 years,” said Coggins. “We’ve flown GPS for a long time. But now there may be some indicators on the telemetry data of a certain attack that might have occurred, and so now you can detect it as an operator and then do something about it immediately.”
In that example, the satellite’s cybersecurity measures failed to prevent an attack—but the issue isn’t quite as simple as success or failure.
“I think often we approach some of these challenges in binary, does it work/doesn’t it work kind of ways,” Brent said. “And the answer is, even if it doesn’t work now, what is the time, how resilient is the system to be able to return into operation?”
And it’s not just the system that has to be resilient. The operator has to be able to use it even when circumstances aren’t ideal—“It’s not a matter of just knowing how to use your system, you’ve got to know how to use your system while the adversaries are actively attacking it,” Fogarty said.
That speaks to a broader need, multiple experts said, for DOD to continue to develop its workforce to be digitally fluent across the board, not just in specialized fields. Such a force will be necessary as weapon systems become increasingly digital themselves.
“Cybersecurity is not just about the computer, right?” White said. “I have a computer in my doorbell these days, right? I have a computer on … the spotlight that I have in my house. As everything becomes a computer, we have to think a lot more about those requirements and what that means for us in terms of attack surface for our adversaries and how we develop hardening and mitigation against those attacks.”