U.S. military networks not prepared for cyberthreats, report warns
Consequences of a full-scale cyberconflict could be major, Defense Science Board warns in unusually grim report
Computerworld - The U.S. is dangerously unprepared to face a full-scale cyberconflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.
The report, released in January, and first reported on by The Washington Post on Tuesday, is based on an 18-month study of the resilience of U.S. military systems to cyberattacks.
It reflects the perspective of 24 members of a DSB Task Force who interviewed more than four dozen Department of Defense (DoD) officials, members of the U.S. intelligence community, policy makers and security practitioners from private industry, academia and national laboratories.
The conclusions in the report are grim, even by the often Cassandra-like standards of the cybersecurity industry.
"The benefits to an attacker using cyber exploits are potentially spectacular," the report warns. "Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. "
The attacks could cause U.S. guns, missiles and bombs to fail, misfire or be directed against the country's troops. Supply chains could be disrupted, resulting in critical shortages of food, water and ammunition. "Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces," the report noted.
The impact of a full-scale cyberassault on the civilian population would be even greater with the power grid, communications infrastructure, financial networks and fuel distribution infrastructure all getting crippled. "In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless," the report said.
Much of the problems have to do with the relative lack of readiness of U.S. military networks and critical infrastructure networks to withstand a sustained cyberattack. DoD networks and those belonging to many of its contractors have already been deeply compromised and have sustained "staggering losses" of system design information and other vital information reflecting decades of combat knowledge, the DSB report cautioned.
Many of the networks that the DoD relies on are built on "inherently insecure" architectures and technologies. Many critical systems used by the Pentagon incorporate foreign-built components that could be used by adversaries to spy on and gather information. As an example, the DSB report pointed to a 1970s Soviet operation codenamed Gunman, where Soviet intelligence operatives managed to insert keystroke-logging malware on 16 IBM Selectric typewriters at the U.S. embassy in Moscow.
DoD attempts to address the vulnerabilities on its networks have been numerous, but fragmented, the report noted. As a result, the military is simply not prepared to meet the cyber threats that are ranged against it. In recent penetration tests and mock attacks, U.S. Army "red teams" have been able to very easily penetrate and disrupt Army networks.
"Typically, the disruption is so great, that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed," the report said. The demonstrations showed that many DoD systems are likely going to be unable to withstand even a "modestly aggressive cyberattack."
The report offers several recommendations on what the government and the military need to do to address the problems. Among them is the need for a strong deterrent capability in cyberspace, the development of a strong incident response capability based on a thorough understanding of an adversary's cyber capabilities, and the need for robust cyber offensive capabilities.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
Read more about Cyberwarfare in Computerworld's Cyberwarfare Topic Center.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Platfora Big Data Analytics for Network Security Platfora amplifies the effectiveness of network security analysis, providing Big Data Analytics capability to augment existing security infrastructure for known threats, and advanced...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Cyberwarfare White Papers | Webcasts