By: Stephen Bryen
A new Defense Science Board report, produced by a special task force, raises serious questions about how robust existing and future defense systems are, and will remain, against cyberattacks and cyber intrusions. As the Trump administration rightly commits billions of dollars to overhauling worn-out weapons platforms, is attention being paid to cyberthreats? Or will our patched-up systems be compromised and fail us when we need them most?
The task force's report makes clear that most U.S. weapons already in the field have no formal cyber protection plan; cyber protection was never part of any design requirement. More recently, the Department of Defense began requiring Program Protection Plans (PPPs) for weapons, but these apply only to the design and development stage and not to activities in the field, have been executed unevenly at best, and have lacked clear standards of implementation. The task force worries that vulnerabilities can be maliciously inserted into systems and that there is no PPP-type analysis on the sustainment side of the acquisition process, meaning that once a weapon is fielded it can be years before corrections are made, if ever.
Take a familiar threat such as the Heartbleed bug, a vulnerability in OpenSSL, a widely used encryption library, that allowed information meant to be protected by internet encryption to be stolen. The bug was introduced in 2012 but not "discovered" until 2014, first by a Finnish cyber company and later by Google. There are reports that the National Security Agency knew about it sooner but did not report it, probably because the NSA allegedly exploited the vulnerability. Because DoD systems increasingly rely on internet protocols for just about everything, every system that uses them is exposed to exploitation by an adversary, whether that adversary is a nation state, a terrorist organization, or a band of criminals such as drug dealers. It is unlikely, even at this late date, that the Heartbleed vulnerability has been cleaned out of military systems.
A critical problem facing the Defense Department is that too much of its critical hardware and software either is, or derives from, commercial off-the-shelf products. Because the DoD has limited influence over the commercial sector, there are systemic weaknesses beyond the normal security limitations of commercial products. Two among them are the lack of vetting of the engineers and technicians who produce the hardware and software, and the corollary that commercial companies often use free, community-sourced code to save money and time. Heartbleed came from community-sourced code. These vulnerabilities pass through to defense systems, and if the vulnerabilities are sophisticated, it is highly unlikely the DoD will discover them, whether on PPP-cleared systems or on heritage systems.
Read the full story at DefenseNews