Pentagon aims to keep enemy from controlling its best weapons

If it's your drone, you'd probably like to be the one deciding what it shoots at.
Credit: U.S. Dept. of Defense.

Even in the harshest cost/benefit analysis of cyberwar technology, it seems as if you'd be setting a pretty low goal to say you're going to make sure that, when you try to use your smartest systems, they don't kill you instead.

That's exactly what the Department of Defense (DoD) is doing, however, following a report in January showing that, of more than 40 high-tech weapons systems tested, every single one had at least one major cybersecurity weakness that would allow it to be taken over by the enemy, which could make it unusable or turn it against the U.S. troops trying to use it.

That report came from Michael Gilmore, the Pentagon's chief weapons tester, who has been widely criticized by military officials and defense-systems makers for insisting that those systems be tested early to make sure they work or might work, before the Pentagon invests a decade or more in developing them into boondoggles.

The idea of testing weapons systems for cybersecurity vulnerabilities wasn't popular, either, but it's hard to argue with the idea that billion-dollar weapons systems can be countered by off-the-shelf IT products and a little ingenuity -- as Iraqi insurgents proved in 2009, when they used a $26 app called SkyGrabber to capture the unencrypted video feeds from U.S. Predator drones that were looking for them.

And then there was the time, in 2011, when a virus infected the control systems of Predator and Reaper drones, logging every keystroke of their U.S. military pilots, which could have allowed hackers to take control of the heavily armed drones at any time.

The Pentagon has been shelled for years for cybersecurity spotty enough that it has acknowledged, at different times, having designs and plans stolen for advanced versions of the Patriot missile system, the anti-ballistic missile system Terminal High Altitude Area Defense (THAAD), the F/A-18 fighter and Black Hawk helicopter. The Pentagon's most public loss was the theft in 2007 of "many terabytes" of data on the F-35 Joint Strike Fighter, allegedly by China.

The Pentagon didn't really get serious about security until after a 2008 security breach called "Operation Buckshot Yankee" that began when an employee of U.S. Central Command plugged a thumb drive into a laptop at a base in the Middle East and launched malware that spread through the classified-server network of the DoD, giving the foreign intelligence agency that created it direct access to Pentagon servers. This prompted a round of soul-searching that led to the creation of U.S. Cyber Command -- established in 2010 to be the primary cyberdefense organization for the DoD and slated to be at full strength of more than 6,000 cyberwarriors by 2016.

Overall standards and performance of U.S. military cybersecurity have improved a lot since then, according to Gilmore's report, which summarizes the results of "red team" testing of U.S. military networks in the field and cyberattacks on U.S. command-and-control systems during simulated-warfare training operations. Among the most obvious improvements was the addition of simulated cyberwarfare attack and defender teams to the Air Force's massive Red Flag simulation exercise in 2014, for the first time in the 40-year history of Red Flag.

The size of U.S. Cyber Command is expanding "exponentially," and will eventually be able to send cyberwarriors on Combat Mission Teams overseas to support ground troops, but still won't be up to its full strength until 2017 due to difficulty attracting and retaining people with the right cyberwar skills, the commander of the Army's section of Cyber Command told Congress March 4.

The DoD plans to spend $400 million more on defensive and offensive cybersecurity during 2016 than this year -- an effort that includes overhauls and new design rules for military computer networks.

The weapons systems themselves haven't gotten nearly as much attention.

The biggie -- the U.S. nuclear missile force -- appears to be relatively safe, though that's more because it depends on antiquated technology like 8-inch floppy disks of a kind that haven't been common since the mid '80s. Rare and clunky as they are, the old floppies are a good defense against viruses such as Stuxnet because they can't hold enough data to fit a piece of complex malware, according to an April, 2014 Defense Systems story.

All the other smart, sophisticated U.S. weapons systems, on the other hand, are under threat, according to Gilmore. Even those that have been upgraded to add encryption and layers of security consistently displayed at least one critical vulnerability -- often caused by the failure to update a password or configure a system up to required security specifications -- that would let an attacker get a foothold, which could lead to "rapid access and exploitation" that would allow attackers to take over or shut down a weapon system "when and if they chose to," according to Gilmore's report.

"One important conclusion from my 2014 review of DoD programs was that operational testing still finds exploitable cyber vulnerabilities that earlier technical testing could have mitigated," Gilmore wrote in the report. "My review of these systems also identified the need to increase the participation of network defenders and assessment of mission effects during threat-representative, adversarial assessments."

The Pentagon is also issuing new rules for the security of the weapons systems themselves, requiring upgrades in encryption and security, improvements in the effort to avoid misconfigured or unpatched software and more security in the way weapons development programs are run as well, the Pentagon's chief weapons buyer told Reuters over the weekend.

The DoD will issue a new rulebook for weapons-system acquisitions by September 30, and release a guidebook on securing development programs, according to assistant secretary of defense Katrina McFarland.

The new rules are "about the security of our weapons systems themselves and everything that touches them. It’s a pervasive problem and I think we have to pay a lot more attention to it," the Pentagon's chief weapons buyer, Frank Kendall, told Reuters March 5.

"One of the things now hurting our force is we’ve gotten used to having nothing but very, very high-end weapons systems, ‘exquisite’ weapons systems," according to a BreakingDefense story quoting Allan Shaffer, Pentagon acting assistant secretary for research and engineering, as he spoke at an August, 2014 defense-industry conference. "Unfortunately … potential adversaries have figured out how to counter [those] with things like very cheap electronic warfare systems."

In fact, the Pentagon's whole electronic warfare strategy has been weak, inconsistent and ineffective, according to a report from the DoD's Defense Sciences Council that has not been made public. Kendall has said the report prompted the creation of a new Electronics Warfare Council, which he will co-chair and whose purpose is to evaluate the U.S. military's effectiveness in both creating and defending against mayhem using digital technology.

"EW has often been regarded as just a combat enabler. Our adversaries don't think so," deputy undersecretary of defense Bob Work, who approved the council's creation, said at a defense-industry conference over the weekend, according to FederalNewsRadio. "They believe it is an important part of their offensive and defensive arsenal. For relatively small investments in EW, you get an extremely high potential payoff, and our competitors are trying to win in that competition. We still have a lead, I think, but that lead is diminishing rapidly."

The new procurement rules will plug some security holes in upcoming weapons systems and reinforce the need for more consistent compliance with existing security rules, Kendall told Reuters. But they're also intended to eliminate the design ethic that allows security to be designed along with the rest of a weapons system, five or 10 years before it goes into the field, with no chance of updates or improvements along the way.

"We've been complacent," Kendall said in an August, 2014 interview with BreakingDefense. "Our technological superiority is very much at risk, there are people designing systems [specifically] to defeat us in a very thoughtful and strategic way, and we’ve got to wake up, frankly."
