DOD highly vulnerable to cyberattack from sophisticated opponents

The U.S. military is not ready for full-scale cyber warfare with a sophisticated and well-resourced opponent, and therefore must begin as soon as possible to address a number of major deficiencies in its cyber arsenal and cyber strategy, according to an unclassified version of a Defense Department report.

The 138-page report, “Resilient Military Systems and the Advanced Cyber Threat,” which was prepared for the Defense Secretary by a panel of government and civilian experts, states the U.S. military must lead and build an effective response to the problem that would boost the nation’s confidence while decreasing the confidence of potential adversaries.

The greatest threat to U.S. IT and cyber assets is posed by a so-called full-spectrum opponent that can bring to bear not only its cyber capabilities but also its military and intelligence capabilities to attack U.S. critical IT networks and systems, states the report.

It is likely to take DOD years to build an effective response to the cyber threat, notes the report. Such a response ultimately should include elements of deterrence, mission assurance and offensive cyber capabilities.

The extent of the vulnerability of U.S. systems can be seen by the success that DOD red teams have had using cyberattack tools, readily available through the Internet, to defeat U.S. systems, the report states.

“The success of DOD red teams against its operational systems should also give pause to DOD leadership,” states the report. Red teams proved repeatedly during exercises and testing that, while using only small teams and a short amount of time, they were able to significantly disrupt the blue teams’ ability to carry out military missions, observed the report.

“These stark demonstrations contribute to the task force’s assertion that the functioning of DOD’s systems is not assured in the presence of even a modestly aggressive cyberattack,” the report states.

The 33-member task force convened for the Defense Science Board study was charged with reviewing and making recommendations to improve the resiliency of DOD systems to cyberattacks and to develop a set of metrics that the DOD could use to track progress and shape priorities.

The task force made a number of key observations about the state of U.S. cyber capabilities and vulnerabilities. One key finding was that current DOD actions are fragmented, which is further evidence of the U.S. military’s inability to defend against a full-spectrum opponent.

Another key finding was that U.S. networks are built on inherently insecure architectures with increasing dependence on the use of foreign-built components. Yet another key finding was that with present capabilities and technology is it is not possible for the U.S. military to confidently defend U.S. IT and cyber assets from the most sophisticated attacks.

The task force developed a six-tier hierarchy to describe the capabilities of potential attackers. The most sophisticated attackers, those at levels V and VI, can invest billions of dollars and many years to actually create vulnerabilities in systems that appear to be strongly protected, the report states. Only a few countries, such as the United States, China and Russia, currently have such capabilities, according to the report.

Exploitation of U.S. systems by adversaries is a long-standing problem, the report states. “For years adversaries have infiltrated U.S. systems, sometimes detected, sometimes deflected, but almost never deterred,” the report states.

An example of this exploitation can be seen in a recently declassified Soviet Union operation from the 1970s known as Gunman, the report states. The Gunman operation exploited an operationally introduced vulnerability that resulted in the transmission to Soviet intelligence of every keystroke in 16 IBM Selectric typewriters housed in the U.S. Embassy in Moscow and the U.S. Mission in Leningrad. The United States only learned of Gunman via a tipoff from a liaison intelligence service.

The cyber realm is a complicated domain that must be managed from a systems perspective, the report states. The network connectivity that has given the United States key advantages both economically and militarily over the past two decades also is the nation’s Achilles’ Heel when it comes to cyber warfare.

To remedy its cyber deficiencies, the DOD must take a number of steps, including protecting nuclear strike capabilities as a deterrent, building the right mix of cyber and conventional capabilities to operate against a full-spectrum adversary, and refocusing intelligence and collection analysis to enable cyber counterstrategies, the report states.

In addition, the DOD must forge world-class cyber offensive capabilities, change its culture regarding cyber and cybersecurity, and establish a resilient cyber force, the report states.

The DOD should expect cyberattacks to be present in all conflicts in the future, and should not expect competitors to play by the U.S. version of the rules, but instead apply their rules, for example, by using surrogates for exploitation and offensive operations and various other methods, the report states.