DoD Addressing Cyber Risks in Weapon Systems But Congress Wants More Done

DoD Addressing Cyber Risks In Weapon Systems But Congress Wants More Done

More than just policy changes are needed.

Amid congressional concern that the cyber security of the nation’s war fighting systems aren’t getting the attention they deserve, the Defense Department is moving forward at various levels to mitigate cyber vulnerabilities to its weapon and mission systems with plans to further these efforts.

In a report in June, the House Appropriations Committee says it is concerned about potential cyber vulnerabilities in systems under development and with legacy weapon systems in use before cyber threats may have been a consideration. The House and Senate Armed Services Committees this year have expressed similar concerns.

The House panels want DoD and the military services to work together to assess the these potential vulnerabilities in legacy systems and develop a standardized report of these potential cyber vulnerabilities and mitigation efforts to be part of acquisition program baselines of current and future major acquisition programs.

Yet DoD isn’t standing still in this area.

The Marine Corps has been doing vulnerability assessments for years on anything that has a “chip in it,” Col. Gregory Breazile, director of Marine Corps C2/Cyber and Electronic Warfare Division, tells Defense Daily. But those assessments, which are funded within every program, can take months, he says.

In March the service stood up a cyber range that is now being used to “rapidly assess all of our IT assets and weapon systems” to determine the “criticality of vulnerabilities,” Breazile says. For example, the Marines’ aviation command and control system was assessed in two days in the range, he says.

In April Defense Secretary Ash Carter released a new DoD Cyber Security Strategy that recognizes that a “cyber attack on critical infrastructure and key resources on which DoD relies for its operations could impact the U.S. military’s ability to operate in a contingency.” The same month the Pentagon’s acquisition office issued its latest iteration better buying practices.

Better Buying Power 3.0 points out that the department has taken steps to improve the cyber security of military systems but says there is more to do, and directs that DoD acquisition instructions address “all aspects of the program manager’s and other’s responsibilities for cybersecurity through the product lifecycle” and for the services to recommend ways to “improve cybersecurity of system designs.”

The latest policies are built in part on existing guidance and strategy.

DoD Cyber Strategy Goals

Build and maintain ready forces and capabilities to conduct cyberspace operations
Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions.
Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence.
Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages.
Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

In 2012 DoD released a Mission Assurance Strategy, which included a look at all potential hazards, such as cyber vulnerabilities, and mitigation opportunities throughout a mission chain, Paul Stockton, a former assistant Secretary of Defense for Homeland Defense and the strategy’s author, tells Defense Daily.

In March and May 2014 the department updated two of its instruction manuals, DoDI 8500.01 and 8510.01 to establish a risk management framework for its IT systems, including platform IT (PIT), which covers weapon systems, and a cyber security program to protect and defend its information and IT, including PIT.

But more than just policy changes are needed, says one industry official. A step up in strategic investments and shifting the operating concepts around cyber defenses of systems and networks are critical to giving the U.S. military the edge to remain dominant in future conflicts, says Vern Boyle, director of technology for the Cyber Division in Northrop Grumman’s [NOC] Information Systems sector.

Cyber is the heart of the matter. Everything's connected.

Continuous Trust Restoration

Boyle says the U.S. military needs to start taking advantage of new tools such as software defined networking and network function virtualization to achieve what he calls Continuous Trust Restoration, which is “designed to proactively disrupt an attacker’s kill chain,” he writes in a whitepaper, Speed Wins: The Next Strategic Technology Advancement for Continued US Military Dominance issued by Northrop Grumman in June.

That speed is obtained through the automation enabled by tools like software defined networking, which allows for networks to be configured rapidly, dynamically and cost-effectively, making it difficult for cyber attacks to begin to access, map and persist on a network.

Another “key point that we’re trying to bring out is that the restoration model doesn’t have to wait for a response or detection, which I think is one of the foundational challenges with the concept of operations (CONOPS) that’s in place today,” Boyle tells Defense Daily. “So you don’t need to wait until a breach has occurred or a compromise has occurred. You can use these Continuous Trust Restoration techniques in advance and actively restore to known levels of trust using a variety of techniques so you can break the adversary’s kill chain before they actually have had a chance to do anything.”

Boyle wants the DoD to lead in using these tools to establish more cyber resilient infrastructure.

The "next generation of conflict will be won or lost on a digital battlefield,"

The “next generation of conflict will be won or lost on a digital battlefield, possibly before the first shot is ever fired,”

Vern Boyle
Director of Technology, Cyber Division
Advanced Cyber Technology Center

The “next generation of conflict will be won or lost on a digital battlefield, possibly before the first shot is ever fired,” Boyle says in the whitepaper. “Kinetic technology and weaponry will have a limited role in this type of fight. In fact, some of these weapon systems could be rendered useless by disabling the information or compute platforms on which they have come to rely.”

The DoD is making some basic investments in new tools that could mitigate cyber vulnerabilities of its physical systems, including mission and weapon systems. For example, the Office of Naval Research (ONR) and the Assistant Secretary of Defense for Research and Engineering this year awarded Georgia Tech $2 million for cyber security basic research.

In the work for ONR, there is an assumption that computer and software systems will be compromised, Dr. Wenke Lee, director of the Georgia Tech Information Security Center, tells Defense Daily. He says a potential defense entails multiple applications that are designed to do the same thing, such as steering an aircraft, with each application configured differently so that not all of them can be successfully disrupted by a cyber attack, allowing the “physical system to function.”

Boyle says this work fits within the Continuous Trust Restoration model. The next step with that research is to be able to constantly shift which applications are being used to steer the aircraft, he says.

Navy's Task Force Cyber Awakening (TFCA)

Cyber Resiliency Approach

Control Points

Control Points will allow us to effectively isolate portions of our networks and prevent adversaries who gain a foothold from moving laterally. Also improve boundary defenses for individual portions of the network and serve as insertion points in the network for emerging technology solutions.

Cyber Situational Awareness (SA)

Allow us to visualize the activity in the “cyber-field”, promote timely assessment of normal vs. abnormal activity, and mitigate possible threats. Cyber SA provides us with the tools to detect and respond to higher level threat actors.

Designing (vice retroactively Patching-in) Resiliency within Systems & Networks

Generating common sets of standards and protocols to improve our cyber posture by driving down variance, and also designing-in resiliency in future system designs.

Cyber Hygiene

Use of focused Tactics, Techniques & Procedures (TTPs) and workforce training.

Cyber Ready Workforce

Improving manning levels, personnel training and Fleet readiness via readiness reviews, Fleet cyber security efforts, Cybersecurity Workforce continuing education, unit patch/scan compliance and adherence to computer tasking orders (CTO).

Meanwhile, as the Pentagon’s leadership implements its new cyber strategy and acquisition guidance, the military services are undertaking their own initiatives to better understand and strengthen their cyber security postures and implement the latest department guidance and strategy.

For example, the Army’s Program Executive Office for Command, Control, Communications-Tactical (PEO C3T), has developed a Cyber Reference Guide that makes use of cyber security strategies put forth by DoD and the Army to provide “a cyber standard and policy education to our program managers, industry, sustainment partners, and research and development community,” Dr. Portia Crowe, director of Cyber Operations and CIO for PEO C3T, tells Defense Daily via an email response to questions.

Crowe says that “The larger picture is how to implement and interpret these policies and standards into the system of system architecture and practices, backing cyber in to the acquisition process early and often.”

Last summer the Chief of Naval Operations directed the establishment of the Navy’s Task Force Cyber Awakening (TFCA), a year-long unified effort to look at the service’s IT systems holistically, to include combat, control and other mission systems necessary “to prosecute the war fight,” Matt Swartz, director of the Communications and Networks Division within the CNO’s Office for Information Dominance, tells Defense Daily.

With today’s networked environments, “you could argue that a risk to one is a risk to all and to understand your vulnerabilities appropriately you need to have the right mechanisms in place, whether its technology, CONOPS and TTPs (tactics, techniques and procedures) to ensure you’ve mitigated that vulnerability across the entire enterprise,” Swartz says.

TFCA has gathered assessments and recommendations related to cyber that were already ongoing throughout the Navy enterprise, including ones related to tactical platforms and war fighting systems, and used them to prioritize investments and create a Cyber Resiliency Plan, Swartz says.

The Air Force in March stood up its Task Force Cyber Secure (TFCS), a similar effort to the Navy’s TFCA, which has also been “synchronizing” multiple ongoing studies, recommendations and action plans throughout the service related to cyber security, Peter Kim, deputy director, Cyberspace Operations for the Air Force, tells Defense Daily.

Some of the key things TFCS is doing are prioritizing the cyber security issues that need to be addressed first related to IT, mission systems and platforms, develop a risk management strategy to approach cyber challenges enterprise-wide, prioritize investments, and identify the “inject points into strategic planning and decision process for cyber security for the Air Force,” Kim says.

A key aspect of all the services’ efforts in the cyber arena is the buy in from senior leadership.

“The Task Force has been embraced and supported by very senior levels within the Navy enterprise and I think that’s been a large part of our success, that is the level of commitment they provided to us,” Swartz says.

In September TFCA stood down to make room for an enduring organization, the Navy’s new Cyber Security Division within CNO’s Information Dominance Office.

“We are now mainstream,” Troy Johnson, the acting director of the division tells Defense Daily. “What we discovered during the life of the task force was most of the work that was being done by the task force, be it advocating for resources…or evaluating how the Navy specs and credits, that work needed to continue.”