Perhaps most distressingly, the GAO has been warning about these cyber vulnerabilities since the mid-1990s. malware implantation) to permit remote access. In addition to assessing fielded systems vulnerabilities, DOD should enforce cybersecurity requirements for systems that are in development early in the acquisition life cycle, ensuring they remain an essential part of the front end of this process and are not bolted on later.64 Doing so would essentially create a requirement for DOD to institutionalize a continuous assessment process of weapons systems cyber vulnerabilities and annually report on these vulnerabilities, thereby sustaining its momentum in implementing key initiatives. Some key works include Kenneth N. Waltz, The Spread of Nuclear Weapons: More May Be Better, Adelphi Papers 171 (London: International Institute for Strategic Studies, 1981); Lawrence D. Freedman and Jeffrey Michaels, The Evolution of Nuclear Strategy (London: Macmillan, 1989); Robert Powell, Nuclear Deterrence Theory: The Search for Credibility (Cambridge: Cambridge University Press, 1990); Richard K. Betts, Nuclear Blackmail and Nuclear Balance (Washington, DC: Brookings Institution Press, 1987); Bernard Brodie, Strategy in the Missile Age (Princeton: Princeton University Press, 2015); Schelling, Arms and Influence. On October 9th, 2018, the United States Government Accountability Office (GAO) published a report to the Senate that details the cybersecurity vulnerabilities of the Department of Defense's (DOD) weapon systems. Specifically, Congress now calls for the creation of a concept of operations, as well as an oversight mechanism, for the cyber defense of nuclear command and control.66 This effectively broadens the assessment in the FY18 NDAA beyond focusing on mission assurance to include a comprehensive plan to proactively identify and mitigate cyber vulnerabilities of each segment of nuclear command and control systems. 
GAO Warns Of Cyber Security Vulnerabilities In Weapon Systems The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage to mitigate threats and vulnerabilities to DoD Information Systems. This could take place in positive or negative forms; in other words, perpetrating information as a means to induce operations to erroneously make a decision to employ a capability or to refrain from carrying out a lawful order. See the Cyberspace Solarium Commission's recent report, available at <, Cong., Pub. Each control system LAN typically has its own firewall protecting it from the business network and encryption protects the process communication as it travels across the business LAN. Monitors network to actively remediate unauthorized activities. By Mark Montgomery and Erica Borghard A single firewall is administered by the corporate IT staff that protects the control system LAN from both the corporate LAN and the Internet. 4 As defined in Joint Publication 3-12, Cyberspace Operations (Washington, DC: The Joint Staff, June 8, 2018), The term blue cyberspace denotes areas in cyberspace protected by [the United States], its mission partners, and other areas DOD may be ordered to protect, while red cyberspace refers to those portions of cyberspace owned or controlled by an adversary or enemy. Finally, all cyberspace that does not meet the description of either blue or red is referred to as gray cyberspace (I-4, I-5). 3 (January 2020), 4883. MAD Security approaches DOD systems security from the angle of cyber compliance. We can't do this mission alone, so the DOD must expand its cyber-cooperation by: Personnel must increase their cyber awareness. 56 Federal Acquisition Regulation: Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment, Federal Register, July 14, 2020, available at .
Another pathway through which adversaries can exploit vulnerabilities in weapons systems is the security of the DOD supply chain (the global constellation of components and processes that form the production of DOD capabilities), which is shaped by DOD's acquisitions strategy, regulations, and requirements. Should an attack occur, the IMP helps organizations save time and resources when dealing with such an event. Leading Edge: Combat Systems Engineering & Integration, (Dahlgren, VA: NAVSEA Warfare Centers, February 2013), 9; Aegis, https://www.navy.mil/Resources/Fact-Files/Display-FactFiles/Article/2166739/aegis-weapon-system/. Indeed, Congress chartered the U.S. Cyberspace Solarium Commission in the 2019 National Defense Authorization Act to develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.3 There is also a general acknowledgment of the link between U.S. cyber strategy below and above the threshold of armed conflict in cyberspace. 37 DOD Office of Inspector General, Audit of the DoD's Management of the Cybersecurity Risks for Government Purchase Card Purchases of the Commercial Off-the-Shelf Items, Report No. As stated in the Summary: DOD Cyber Strategy 2018, The Department must defend its own networks, systems, and information from malicious cyber activity and be prepared to defend, when directed, those networks and systems operated by non-DOD-owned Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) entities. Ensuring the Cyber Mission Force has the right size for the mission is important. As the 2017 National Security Strategy notes, deterrence today is significantly more complex to achieve than during the Cold War. and Is Possible, in, Understanding Cyber Conflict: 14 Analogies, , ed. Risks stemming from nontechnical vulnerabilities are entirely overlooked in strategies and policies for identifying and remediating cyber vulnerabilities in DOD weapons systems.
The DoD Cyber Crime Center's DoD Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to national security. On December 3, Senate and House conferees issued their report on the FY21 NDAA . Furthermore, with networks becoming more cumbersome, there is a dire need to actively manage cyber security vulnerabilities. 41 Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities, GAO-19-128 (Washington, DC: Government Accountability Office, 2018), available at . This graphic describes the four pillars of the U.S. National Cyber Strategy. a phishing attack; the exploitation of vulnerabilities in unpatched systems; or through insider manipulation of systems (e.g. Then, in part due to inconsistencies in compliance, verification, and enforcement in the cybersecurity standards established in DFARS, in 2019 DOD issued the Cybersecurity Maturity Model Certification, which created new, tiered cybersecurity standards for defense contractors and was meant to build on the 2016 DFARS requirement.54 However, this has resulted in confusion about requirements, and the process for independently auditing and verifying compliance remains in nascent stages of development.55 At the same time, in the 2019 National Defense Authorization Act (NDAA), Congress took legislative action to ban government procurement of or contracting with entities that procure telecommunications technologies from specific Chinese firms, including Huawei and ZTE, and affiliated organizations. 10 Lawrence Freedman, Deterrence (Cambridge, UK: Polity, 2004), 26. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin. By inserting commands into the command stream the attacker can issue arbitrary or targeted commands. Strengthening the cybersecurity of systems and networks that support DOD missions, including those in the private sector and our foreign allies and partners. 
Therefore, urgent policy action is needed to address the cyber vulnerabilities of key weapons systems and functions. The program grew out of the success of the "Hack the Pentagon". Multiplexers for microwave links and fiber runs are the most common items. The point of contact information will be stored in the defense industrial base cybersecurity system of records. Hall, eds., The Limits of Coercive Diplomacy (Boulder, CO: Westview Press, 1994), for a more extensive list of success criteria. Scholars and practitioners in the area of cyber strategy and conflict focus on two key strategic imperatives for the United States: first, to maintain and strengthen the current deterrence of cyberattacks of significant consequence; and second, to reverse the tide of malicious behavior that may not rise to a level of armed attack but nevertheless has cumulative strategic implications as part of adversary campaigns. An attacker wishing control simply establishes a connection with the data acquisition equipment and issues the appropriate commands. Most PLCs, protocol converters, or data acquisition servers lack even basic authentication. Washington, DC 20319-5066. Networks can be used as a pathway from one accessed weapon to attack other systems. Erik Gartzke and Jon R. Lindsay (Oxford: Oxford University Press, 2019), 104. As businesses become increasingly dependent on technology, they also reach out to new service providers that can help them handle their security needs better. There are 360 million probes targeted at Defense Department networks each day, compared to the 1 million probes an average major U.S. bank gets per month." This number dwarfs even the newer . The Cyber Awareness training is intended to help the DOD workforce maintain awareness of known and emerging cyber threats, and reinforce best practices to keep information and systems secure. 50 Koch and Golling, Weapons Systems and Cyber Security, 191. 
36 these vulnerabilities present across four categories, Actionable information includes potential system vulnerabilities, demonstrated means of exploitation of those vulnerabilities . 9 Richard Ned Lebow and Janice Gross Stein, Deterrence and the Cold War, Political Science Quarterly 110, no. Contact us today to set up your cyber protection. Cyber Vulnerabilities to DoD Systems may include: a. 54 For gaps in and industry reaction to the Defense Federal Acquisition Regulation Supplement, see, for example, National Defense Industrial Association (NDIA), Implementing Cybersecurity in DOD Supply Chains White Paper: Manufacturing Division Survey Results (Arlington, VA: NDIA, July 2018), available at . This not only helps keep hackers out, it isolates the control system network from outages, worms, and other afflictions that occur on the business LAN. The department is expanding its Vulnerability Disclosure Program to include all publicly accessible DOD information systems. System data is collected, processed and stored in a master database server. Misconfigurations are the single largest threat to both cloud and app security. A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. As adversaries' cyber threats become more sophisticated, addressing the cybersecurity of DOD's increasingly advanced and networked weapons systems should be prioritized. The Department of Defense (DOD) strategic concept of defend forward and U.S. Cyber Command's concept of persistent engagement are largely directed toward this latter challenge.
As Jacquelyn Schneider notes, this type of deterrence involves the use of punishment or denial across domains of warfighting and foreign policy to deter adversaries from utilizing cyber operations to create physical or virtual effects.31 The literature has also examined the inverse aspect of cross-domain deterrence, namely, how threats in the cyber domain can generate instability and risk for deterrence across other domains. Figure 4: Control System as DMZ. See also Martin C. Libicki, David Senty, and Julia Pollak, Hackers Wanted: An Examination of the Cybersecurity Labor Market (Santa Monica, CA: RAND, 2014), x; Julian Jang-Jaccard and Surya Nepal, A Survey of Emerging Threats in Cybersecurity, Journal of Computer and System Sciences 80, no. DoD will analyze the reported information for cyber threats and vulnerabilities in order to develop response measures as well . None of the above The vulnerability is due to a lack of proper input validation of . Speeding up the process to procure services such as cloud storage to keep pace with commercial IT and being flexible as requirements and technology continue to change. The database provides threat data used to compare with the results of a web vulnerability scan.
1 Summary: Department of Defense Cyber Strategy 2018 (Washington, DC: Department of Defense [DOD], 2018), available at ; Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command (Washington, DC: U.S. Cyber Command, 2018), available at ; An Interview with Paul M. Nakasone, Joint Force Quarterly 92 (1st Quarter 2019), 67. Vulnerabilities simply refer to weaknesses in a system. Prior to the 2018 strategy, defending its networks had been DOD's primary focus; see The DOD Cyber Strategy (Washington, DC: DOD, April 2015), available at . By modifying replies, the operator can be presented with a modified picture of the process. 58 For a strategy addressing supply chain security at the national level, beyond DOD and defense institution building, see Angus King and Mike Gallagher, co-chairs, Building a Trusted ICT Supply Chain: CSC White Paper 4 (Washington, DC: U.S. Cyberspace Solarium Commission, October 2020), available at . Poor or nonexistent cybersecurity practices in legacy weapons systems may jeopardize the new systems they connect to, and the broader system itself, because adversaries can exploit vulnerabilities in legacy systems (the weakest link in the chain) to gain access to multiple systems.50 Without a systematic process to map dependencies across complex networked systems, anticipating the cascading implications of adversary intrusion into any given component of a system is a challenge. A surgical attacker needs a list of the point reference numbers in use and the information required to assign meaning to each of those numbers.
This means that a singular static assessment is unlikely to capture how vulnerabilities may evolve and change over time.43 Relatedly, a 2018 Government Accountability Office report found pervasive and significant mission-critical vulnerabilities across most weapons systems already under development.44 Between 2012 and 2017, DOD penetration testers (individuals who evaluate the cybersecurity of computer systems and uncover vulnerabilities) discovered mission-critical cyber vulnerabilities in nearly all weapon systems under development.45 Penetration testing teams were able to overcome weapons systems cybersecurity controls designed to prevent determined adversaries from gaining access to these platforms and to maneuver within compromised systems while successfully evading detection. The Cyberspace Solarium Commission's March 2020 report details a number of policy recommendations to address this challenge.59 We now unpack a number of specific measures put forth by the Cyberspace Solarium Commission that Congress, acting in its oversight role, along with the executive branch could take to address some of the most pressing concerns regarding the cyber vulnerabilities of conventional and nuclear weapons systems. In a typical large-scale production system utilizing SCADA or Distributed Control System (DCS) configuration there are many computer, controller and network communications components integrated to provide the operational needs of the system. NON-DOD SYSTEMS RAISE CONCERNS. 29 Borghard and Lonergan, The Logic of Coercion; Brandon Valeriano, Benjamin Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (Oxford: Oxford University Press, 2018); An Interview with Paul M. Nakasone, 4. Large DCS often need to use portions of the business network as a route between multiple control system LANs (see Figure 5).
But given the interdependent and networked nature of multiple independent weapons systems, merely assessing individual platforms misses crucial potential vulnerabilities that may arise when platforms interact with one another. The National Institute of Standards and Technology (NIST) defines a vulnerability as a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."