The US military “cannot be confident” that its computer networks will continue to work in the event of a cyberattack from a reasonably competent enemy.
What’s more, the US military’s “dependence” on flimsy security systems “is a magnet to US opponents,” who are increasingly capable of attacking “with potential consequences similar in some ways to the nuclear threat of the Cold War.”
The task force found that during war-game exercises, “red team” adversaries were able to hack into US military networks with “relative ease.”
Such adversaries could “completely [beat] our forces in exercises” using hacking programs widely available on the Internet, according to the study. This happened in large part, the study concluded, because the Defense Department’s networks “are built on inherently insecure architectures that are composed of, and increasingly using, foreign parts.”
As a result, the DOD and the contractors it employs “have already sustained staggering losses” – in the form of “decades of combat knowledge and experience that provide adversaries insight” into US military operations.
So what to do about the threat, which Pentagon officials liken to the countering of German U-boats during World War II and nuclear deterrence during the cold war?
It is going to take a combination of refocused intelligence work and improved cyberdefense, according to the report.
Getting better at cyberdefense will involve giving up on the thought of protecting all military networks from advanced hackers, “which the task force believes is neither feasible nor affordable.”
Part of building a better defense system is also recognizing that the enemy “is on our networks” already. Senior defense officials point to a 2008 incident that has become notorious within the halls of the Pentagon, in which an infected flash drive allowed adversaries to export vast quantities of classified defense data, including times and routes of supply convoys in Afghanistan.
Moreover, improving cyberoperations involves recognizing that the nature of the threat is changing and evolving. In the late 1970s, the IBM Selectric typewriters at the US Embassy in Moscow were rigged by the Soviets to transmit every keystroke back to the KGB.
Today, cyberattacks are quickly progressing from exploitation and disruption to destruction. “Should the United States find itself in a full-scale conflict,” cyberattacks could deny the US military its greatest assets. “US guns, missiles, and bombs may not fire, or may be directed against our own troops,” according to the report.
Enemies could also infiltrate networks to play havoc with what is widely considered one of the US military’s greatest strengths: logistics. “Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control US systems and forces,” the report warns. “Once lost, that trust is very difficult to regain.”
In the face of these cybervulnerabilities, the Pentagon must hone its offensive cybercapabilities as well, the report advises. “Cyber offense may provide the means to respond in kind,” it says.
The task force also advises keeping some crucial forces offline, to respond in the event of a catastrophic cyberattack, à la “Battlestar Galactica.”
“Notionally, 20 aircraft designated by tail number, out of a fleet of hundreds, might be segregated and treated as part of the cyber critical survivable mission force.”
This will help, the report concluded, “ensure the President has options beyond a nuclear-only response to a catastrophic cyber attack.”