Report: Flimsy cybersecurity for US military is 'magnet to US opponents'

A Pentagon study of cybervulnerabilities found that during war-game exercises, some adversaries were able to hack into US military networks with 'relative ease.' The study urges refocused intelligence work and improved cyberdefense.

AP Photo/Mark J. Terrill, File
This file photo shows a reflection of the Department of Homeland Security logo in the eyeglasses of a cybersecurity analyst at the watch and warning center of the Department of Homeland Security's cyber defense facility in Idaho Falls, Idaho.

The US military “cannot be confident” that its computer networks will continue to work in the event of a cyberattack from a reasonably competent enemy.

What’s more, the US military’s “dependence” on flimsy security systems “is a magnet to US opponents,” who are increasingly capable of attacking “with potential consequences similar in some ways to the nuclear threat of the Cold War.”

That’s the warning out of a new 18-month study from the Pentagon’s Defense Science Board, which formed a task force to review the vulnerability of US military networks.

The task force found that during war-game exercises, “red team” adversaries were able to hack into US military networks with “relative ease.”

Such adversaries could “completely [beat] our forces in exercises” using hacking programs widely available on the Internet, according to the study. This happened in large part, the study concluded, because the Defense Department’s networks “are built on inherently insecure architectures that are composed of, and increasingly using, foreign parts.”

As a result, the DOD and the contractors it employs “have already sustained staggering losses” – in the form of “decades of combat knowledge and experience that provide adversaries insight” into US military operations.

So what to do about the threat, which Pentagon officials liken to the countering of German U-boats during World War II and nuclear deterrence during the cold war?

It is going to take a combination of refocused intelligence work and improved cyberdefense, according to the report.

Getting better at cyberdefense will involve giving up on the thought of protecting all military networks from advanced hackers, “which the task force believes is neither feasible nor affordable.”

Part of building a better defense system is also recognizing that the enemy “is on our networks” already. Senior defense officials point to a 2008 incident that has become notorious within the halls of the Pentagon, in which an infected flash drive allowed adversaries to export vast quantities of classified defense data, including times and routes of supply convoys in Afghanistan.

Moreover, improving cyberoperations involves recognizing that the nature of the threat is changing and evolving. In the late 1970s, the IBM Selectric typewriters at the US Embassy in Moscow were rigged by the Soviets to transmit every keystroke back to the KGB.

Today, cyberattacks are quickly progressing from exploitation and disruption to destruction. “Should the United States find itself in a full-scale conflict,” cyberattacks could deny the US military its greatest assets. “US guns, missiles, and bombs may not fire, or may be directed against our own troops,” according to the report.

Enemies could also infiltrate networks to play havoc with what is widely considered one of the US military’s greatest strengths: logistics. “Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces,” the report warns. “Once lost, that trust is very difficult to regain.”

In the face of these cybervulnerabilities, the Pentagon must hone its offensive cybercapabilities as well, the report advises. “Cyber offense may provide the means to respond in kind,” it says.

The task force also advises keeping some crucial forces offline, to respond in the event of a catastrophic cyberattack, à la “Battlestar Galactica.”

“Notionally, 20 aircraft designated by tail number, out of a fleet of hundreds, might be segregated and treated as part of the cyber critical survivable mission force.”

This will help, the report concluded, “ensure the President has options beyond a nuclear-only response to a catastrophic cyber attack.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.