The U.S. is dangerously unprepared to face a full-scale cyberconflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.
The report, released in January, and first reported on by The Washington Post on Tuesday, is based on an 18-month study of the resilience of U.S. military systems to cyberattacks.
It reflects the perspective of 24 members of a DSB Task Force who interviewed more than four dozen Department of Defense (DoD) officials, members of the U.S. intelligence community, policy makers and security practitioners from private industry, academia and national laboratories.
The conclusions in the report are grim, even by the often Cassandra-like standards of the cybersecurity industry.
"The benefits to an attacker using cyber exploits are potentially spectacular," the report warns. "Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space."
The attacks could cause U.S. guns, missiles and bombs to fail, misfire or be directed against the country's troops. Supply chains could be disrupted, resulting in critical shortages of food, water and ammunition. "Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces," the report noted.
The impact of a full-scale cyberassault on the civilian population would be even greater with the power grid, communications infrastructure, financial networks and fuel distribution infrastructure all getting crippled. "In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless," the report said.
Many of the problems have to do with the relative lack of readiness of U.S. military networks and critical infrastructure networks to withstand a sustained cyberattack. DoD networks and those belonging to many of its contractors have already been deeply compromised and have sustained "staggering losses" of system design information and other vital information reflecting decades of combat knowledge, the DSB report cautioned.
Many of the networks that the DoD relies on are built on "inherently insecure" architectures and technologies. Many critical systems used by the Pentagon incorporate foreign-built components that could be used by adversaries to spy on and gather information. As an example, the DSB report pointed to a 1970s Soviet operation codenamed Gunman, where Soviet intelligence operatives managed to insert keystroke-logging malware on 16 IBM Selectric typewriters at the U.S. embassy in Moscow.
DoD attempts to address the vulnerabilities on its networks have been numerous, but fragmented, the report noted. As a result, the military is simply not prepared to meet the cyber threats that are ranged against it. In recent penetration tests and mock attacks, U.S. Army "red teams" have been able to very easily penetrate and disrupt Army networks.
"Typically, the disruption is so great, that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed," the report said. The demonstrations showed that many DoD systems are likely going to be unable to withstand even a "modestly aggressive cyberattack."
The report offers several recommendations on what the government and the military need to do to address the problems. Among them is the need for a strong deterrent capability in cyberspace, the development of a strong incident response capability based on a thorough understanding of an adversary's cyber capabilities, and the need for robust cyber offensive capabilities.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.