U.S. military networks not prepared for cyberthreats, report warns
Consequences of a full-scale cyberconflict could be major, Defense Science Board warns in unusually grim report
Computerworld - The U.S. is dangerously unprepared to face a full-scale cyberconflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.
The report, released in January, and first reported on by The Washington Post on Tuesday, is based on an 18-month study of the resilience of U.S. military systems to cyberattacks.
It reflects the perspective of 24 members of a DSB Task Force who interviewed more than four dozen Department of Defense (DoD) officials, members of the U.S. intelligence community, policy makers and security practitioners from private industry, academia and national laboratories.
The conclusions in the report are grim, even by the often Cassandra-like standards of the cybersecurity industry.
"The benefits to an attacker using cyber exploits are potentially spectacular," the report warns. "Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. "
The attacks could cause U.S. guns, missiles and bombs to fail, misfire or be directed against the country's troops. Supply chains could be disrupted, resulting in critical shortages of food, water and ammunition. "Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces," the report noted.
The impact of a full-scale cyberassault on the civilian population would be even greater with the power grid, communications infrastructure, financial networks and fuel distribution infrastructure all getting crippled. "In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless," the report said.
Much of the problems have to do with the relative lack of readiness of U.S. military networks and critical infrastructure networks to withstand a sustained cyberattack. DoD networks and those belonging to many of its contractors have already been deeply compromised and have sustained "staggering losses" of system design information and other vital information reflecting decades of combat knowledge, the DSB report cautioned.
Many of the networks that the DoD relies on are built on "inherently insecure" architectures and technologies. Many critical systems used by the Pentagon incorporate foreign-built components that could be used by adversaries to spy on and gather information. As an example, the DSB report pointed to a 1970s Soviet operation codenamed Gunman, where Soviet intelligence operatives managed to insert keystroke-logging malware on 16 IBM Selectric typewriters at the U.S. embassy in Moscow.
DoD attempts to address the vulnerabilities on its networks have been numerous, but fragmented, the report noted. As a result, the military is simply not prepared to meet the cyber threats that are ranged against it. In recent penetration tests and mock attacks, U.S. Army "red teams" have been able to very easily penetrate and disrupt Army networks.
"Typically, the disruption is so great, that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed," the report said. The demonstrations showed that many DoD systems are likely going to be unable to withstand even a "modestly aggressive cyberattack."
The report offers several recommendations on what the government and the military need to do to address the problems. Among them is the need for a strong deterrent capability in cyberspace, the development of a strong incident response capability based on a thorough understanding of an adversary's cyber capabilities, and the need for robust cyber offensive capabilities.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
Read more about Cyberwarfare in Computerworld's Cyberwarfare Topic Center.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Cyberwarfare White Papers | Webcasts