Cybersecurity and Deterrence

Critical Gaps Remain in Defense Department Weapons System Cybersecurity

By Madison Creery
Friday, March 13, 2020, 9:00 AM

Editor's note: This article is part of a series of short articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusion.

While the U.S. military is the most effective fighting force in the modern era, it struggles with the cybersecurity of its most advanced weapons systems. In times of crisis and conflict, it is critical that the United States preserve its ability to defend and surge when adversaries employ cyber capabilities to attack weapons systems and functions. Today, the very thing that makes these weapons so lethal is what makes them vulnerable to cyberattacks: an interconnected system of software and networks.

Continued automation and connectivity are the backbone of the Department of Defense’s warfighting capabilities, with almost every weapons system connected in some capacity. Today, these interdependent networks are directly linked to the U.S. military’s ability to carry out missions successfully, allowing it to gain informational advantage, exercise global command and control, and conduct long-range strikes. An example of such a networked system is the F-35 Joint Strike Fighter, which the Air Force chief of staff, Gen. David Goldfein, once called “a computer that happens to fly.” Underpinning this platform’s unrivaled capability is more than 8 million lines of software code. In the past, software served as an enabler of hardware and weapons systems. Today, it defines the capabilities critical to carrying out the warfighter’s mission.

While the United States currently enjoys a technological edge in the conventional realm, our adversaries are working every day to erode it. It is crucial that the United States secure these weapons systems not only from threats such as inbound missiles but also from increasingly sophisticated malicious cyberattacks. The vulnerability of these networks and software has grown as adversaries continue to use cyberspace as an asymmetric capability. Rather than target a weapons platform with a missile, attackers can now manipulate the software to cause systems to malfunction or to prevent systems from operating entirely. A central element of deterrence is possessing a credible military capability to either defeat an incoming attack or provide a survivable response. Today, this is not guaranteed.

This is why one of the Cyberspace Solarium Commission’s key recommendations aims to provide a legislative vehicle to promote the cybersecurity and resilience of critical weapons systems. To reach this point, the commission recognized several key challenges and barriers the Department of Defense must first overcome.

One challenge is the staggering loss of weapons system design information. As noted by the former secretary of the Navy, Richard Spencer, the service and its industry partners are “under cyber siege” by Chinese hackers. These cyber intrusions have provided adversaries insight into technical designs and weapons system use, enabling them to develop their own cutting-edge weapons and to close the gap in the technological superiority that the U.S. has long enjoyed. Though these intrusions have thus far focused on exfiltrating weapons system designs, a persistent and capable adversary could attack a weapons system through the contractor’s own network, implementing malware that can disrupt or disable the system.

Another critical challenge arises from the Defense Department’s acquisition and requirements process. This system of statutes and regulations determines how weapons within the department are developed, acquired and deployed. A key reason these platforms are so vulnerable is that, until recently, the department did not prioritize cybersecurity as part of the requirements stage of the acquisition process. This routinely left it to the program managers to incorporate cybersecurity into the later stages of development, “bolting it on” rather than “baking it in.”

When weapons systems move past the procurement stage, factors such as cybersecurity receive far less attention. This is especially concerning because most systems reside in the sustainment phase for the majority of their life. The rapid fielding of new weapons systems with the intention of tacking on cybersecurity in the later stages of the process provides adversaries the opportunity to gain network access, which is difficult to detect and remove. This lack of cybersecurity hygiene has resulted in an entire generation of weapons being designed, built and made vulnerable without adequately assessing this critical factor.

It is also critical to remember that cybersecurity threats are not found solely in the newest and most advanced weapons systems. The modern battlefield is more interconnected than ever before. Numerous highly complex weapons from different generations interact with one another on a day-to-day basis. The U.S. Air Force’s B-52 bomber, which entered service in 1955, is still in use today and currently operates alongside systems like the F-35. Legacy platforms (which make up a majority of the Defense Department’s inventory) are also highly vulnerable to cyberattacks, sometimes even more than newer systems. When they operate alongside newly fielded platforms, cybersecurity measures must take an integrated approach that evaluates how a cyber intrusion or attack on one system could affect the rest. A breach in the weakest link can have severe consequences for the integrity of an entire mission.

As cyber threats from malicious actors become increasingly advanced and persistent, it is crucial for the Defense Department to place weapons system cybersecurity at the forefront of future policy discussions. Recently, the department has taken critical steps in this endeavor. As directed by Congress in the FY2016 National Defense Authorization Act (NDAA), the department began assessing the cyber vulnerabilities of individual major weapon platforms. The FY2020 NDAA further tightened these assessment requirements.

Despite these efforts, the volume of new vulnerabilities in weapons systems may now exceed the ability of the Defense Department to identify and patch the systems before adversaries can exploit them, and the problem is only getting worse. Barriers to effective cybersecurity remain, including those discussed above. The most critical barrier is the lack of a permanent process to periodically assess the cybersecurity of weapons systems. The department’s ability to test and evaluate cyber vulnerabilities is not keeping pace with increasingly aggressive adversary attacks. As stated in a 2019 Department of Defense Inspector General report, “Without proper governance, the [Defense Department] cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries.”

This is why the commission recommends that the Defense Department begin to report annually to Congress on the status of ongoing cyber vulnerability assessments of all Defense Department major weapons systems. The department must ensure it also assesses legacy platforms and cyber vulnerabilities across networked systems in broader mission areas. This assessment should focus on mission assurance and the warfighters’ ability to fight through cyberattacks. The ultimate test is whether the weapons systems can accomplish their missions in a cyber-contested environment.

Creating a comprehensive, continuous assessment process for these weapons platforms and their cybersecurity vulnerabilities may be tedious and time consuming, but it is essential to ensuring the United States is prepared to prevail in times of crisis and conflict.