Two years ago, in the 2016 National Defense Authorization Act, Congress called on the Defense Department to evaluate the extent of cyber vulnerabilities in its weapons systems by 2019. While the Pentagon report has yet to be released, a scathing report on Defense Department weapons systems published early this October by the Government Accountability Office (GAO) should already be enough to sound the alarm.
Defense Department weapons systems are more network-connected and more likely to be dependent on IT and software than ever before—yet those advances also make them vulnerable to cyberattacks if they are not sufficiently secure. While trying to develop an understanding of the scope of the vulnerabilities, the GAO reached a grim conclusion. Cybersecurity testers repeatedly gained access to or even control of weapons systems, and these testers weren’t even able to gauge the extent of problems, given that they only tested for a limited number of threats and only tested a subset of weapons systems. What’s more, according to the report—and as Nathan Swire has outlined on Lawfare— these vulnerabilities include failures to prioritize cybersecurity at all stages of the acquisition process; problems with updating existing cyber-vulnerable weapons systems; and failures of those in charge to recognize or respond when vulnerabilities are identified. These problems implicate large swathes of the Defense Department: acquisition, existing systems, personnel management and potentially even readiness.
At this point, there’s no need for Congress to wait for the 2019 Defense Department report to address many of the issues raised by the GAO. To begin with, the GAO report should form the basis of a full Senate Armed Services Committee hearing to ensure that as many members of Congress as possible are made aware of the scope of the vulnerabilities, as well as what is and is not being addressed already by the Pentagon. After the public hearings, committee staff should turn to developing the next National Defense Authorization Act (NDAA) with the need to address these problems in mind—and should give the Pentagon the adequate budget to do so . As the GAO discusses, this is almost certainly going to require a change in how vulnerability-testing occurs at the Pentagon, not just of individual systems but across systems.
Grappling with the GAO report may also require a change in mandates surrounding information-sharing regarding cyber vulnerabilities. Currently, cyber vulnerabilities for systems are classified at the highest level, and intelligence on the extent of the vulnerabilities is rarely circulated in an attempt to protect systems from being attacked. While this limited distribution of vulnerabilities certainly protects against attacks, it also prevents cyber personnel at the Pentagon from understanding the extent of threats that may impact their own systems. The Defense Department needs to develop a better system for determining which personnel need to know about vulnerabilities, and for sharing highly classified threat information so that personnel can address potential cyber threats to their own systems.
More generally, addressing these problems will require decision-makers at the Defense Department to change their understanding of cybersecurity. The Pentagon needs to view cyber vulnerability as a potential problem at every stage of development, acquisition and deployment, and to see vulnerabilities as issues to be addressed rapidly. The GAO report shows that if vulnerabilities remain, they can impact capabilities in ways that those who otherwise may not see cyber vulnerabilities as critical would not expect.
Congress recognized the potential threats of an insufficient cyber workforce during the latest congressional session, and there is legislation in the National Defense Authorization Act of 2019 (NDAA) to increase the size of and bolster the training for the cyber workforce. Since passage of the 2019 NDAA in August of this year, the Senate Armed Services Committee has already conducted oversight on the issue by holding a hearing on the state of cyber readiness in the Pentagon workforce. Yet oversight of workforce readiness alone is not enough. Just as Congress decided to prioritize the cyber workforce as it became aware of the vulnerabilities that exist when the military does not have sufficient (or sufficiently) trained manpower to respond to cyber threats, it should similarly turn its attention to reducing cyber vulnerabilities within weapons systems. For the 2020 NDAA, Congress should hold hearings to investigate the range of the cyber threats to weapons systems and the number of systems likely suffering vulnerabilities, then develop legislation for the upcoming NDAA to ensure that the military has the mandate and capabilities to address the threats.