U.S. military networks not prepared for cyberthreats, report warns
Consequences of a full-scale cyberconflict could be major, Defense Science Board warns in unusually grim report
Computerworld - The U.S. is dangerously unprepared to face a full-scale cyberconflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.
The report, released in January, and first reported on by The Washington Post on Tuesday, is based on an 18-month study of the resilience of U.S. military systems to cyberattacks.
It reflects the perspective of 24 members of a DSB Task Force who interviewed more than four dozen Department of Defense (DoD) officials, members of the U.S. intelligence community, policy makers and security practitioners from private industry, academia and national laboratories.
The conclusions in the report are grim, even by the often Cassandra-like standards of the cybersecurity industry.
"The benefits to an attacker using cyber exploits are potentially spectacular," the report warns. "Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. "
The attacks could cause U.S. guns, missiles and bombs to fail, misfire or be directed against the country's troops. Supply chains could be disrupted, resulting in critical shortages of food, water and ammunition. "Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces," the report noted.
The impact of a full-scale cyberassault on the civilian population would be even greater with the power grid, communications infrastructure, financial networks and fuel distribution infrastructure all getting crippled. "In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless," the report said.
Much of the problems have to do with the relative lack of readiness of U.S. military networks and critical infrastructure networks to withstand a sustained cyberattack. DoD networks and those belonging to many of its contractors have already been deeply compromised and have sustained "staggering losses" of system design information and other vital information reflecting decades of combat knowledge, the DSB report cautioned.
Many of the networks that the DoD relies on are built on "inherently insecure" architectures and technologies. Many critical systems used by the Pentagon incorporate foreign-built components that could be used by adversaries to spy on and gather information. As an example, the DSB report pointed to a 1970s Soviet operation codenamed Gunman, where Soviet intelligence operatives managed to insert keystroke-logging malware on 16 IBM Selectric typewriters at the U.S. embassy in Moscow.
DoD attempts to address the vulnerabilities on its networks have been numerous, but fragmented, the report noted. As a result, the military is simply not prepared to meet the cyber threats that are ranged against it. In recent penetration tests and mock attacks, U.S. Army "red teams" have been able to very easily penetrate and disrupt Army networks.
"Typically, the disruption is so great, that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed," the report said. The demonstrations showed that many DoD systems are likely going to be unable to withstand even a "modestly aggressive cyberattack."
The report offers several recommendations on what the government and the military need to do to address the problems. Among them is the need for a strong deterrent capability in cyberspace, the development of a strong incident response capability based on a thorough understanding of an adversary's cyber capabilities, and the need for robust cyber offensive capabilities.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- South Korea cyberattacks hold lessons for U.S.
- U.S. military networks not prepared for cyberthreats, report warns
- Return of CISPA: Cybersecurity boon or privacy threat?
- New report says cyberspying group linked to China's army
Read more about Cyberwarfare in Computerworld's Cyberwarfare Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Cyberwarfare White Papers | Webcasts