The biggest national security story of 2015 is not the possible return of sequestration, the likelihood of a nuclear arms deal with Iran or even Russian aggression against Ukraine. Rather, it is that the Department of Defense’s (DoD) arsenal of weapons, systems, platforms and networks could be rendered inoperable with a few computer keystrokes. This goes well beyond the now run-of-the-mill stories about hacker attacks on Pentagon computers. Cyber security experts have known for years what senior defense officials have openly acknowledged only recently: the problem is widespread and extremely serious. In testimony before Congress last January that got very little public notice, the director of operational test and evaluation, Mr. Michael Gilmore, warned that virtually all U.S. weapons systems have “significant vulnerabilities” to cyber attack. The words he used are particularly disturbing, “The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (DoD) networks, and could be in a position to degrade important DOD missions when and if they chose to.”
After massive hacking attacks on the U.S. energy grid, Target, Home Depot, Sony and international banks, to name a few recent targets, many of us have come to accept that commercial networks and our personal computers are vulnerable. But we can be forgiven for having assumed that critical military systems were adequately protected against cyber attack. This doesn’t seem to be the case. This week, DoD chief weapons buyer, Mr. Frank Kendall, reaffirmed the seriousness of the problem: “It’s about the security of our weapons systems themselves and everything that touches them. It’s a pervasive problem and I think we have to pay a lot more attention to it.”
The military superiority the U.S. has enjoyed for more than thirty years is directly attributable to its exploitation of information technologies. Each generation of weapons systems or platforms is more information intensive than the last. Many defense experts believe that the key to our success in future major conflicts will rest not on the “brilliance” of individual weapons systems or platforms, but on the ability to network them together. For the first time, the Navy is deploying a carrier strike group to the Middle East equipped with the Naval Integrated Fire Control-Counter Air system. This is a network and battle management system that links the group’s sensors and platforms together to significantly increase its overall combat capability. The Air Force is about to invest in a network to allow its most advanced fighter, the F-22, to pass data to older aircraft, thereby improving the latter’s ability to launch weapons from beyond the range of enemy defenses.
Consequently, it’s not as if the U.S. military can simply turn off its computers, disconnect itself from their networks or remove the chips in all their weapons systems. The weapons and platforms need their sensors and computers and the forces are extremely reliant on network connectivity. Military supply chains are configured around just-in-time delivery which requires highly capable and fully functional networks.
During the Cold War, the U.S. military was so concerned about the Soviet Union’s ability to interfere with its communications or use its electronic emissions as a means for locating and targeting forces, that it practiced operating under something called emissions control or EMCON. But that was a quarter century ago. How many individuals in uniform are left who remember those days? Relearning the lessons of operating under EMCON, without military networks and the Internet, will take DoD years, if it is even possible.
If there is any good news in this story it is that senior Pentagon officials appear to be paying serious attention to this issue. Mr. Kendall has said that cybersecurity will become part of the requirements generation process, thereby ensuring, at least in theory, that future systems will not have the same vulnerabilities as current ones.
There is some additional potentially bad news. Mr. Kendall intends to add cybersecurity to the next edition of his guide to reforming defense acquisition policy, Better Buying Power 3.0 (BBP 3.0) which is now in draft. Lest we forget, it was the past versions of BBP that led inter alia, to the massive overuse of the contract award standard known as Lowest Price Technically Acceptable or LPTA, particularly in IT-related competitions. Under LPTA, once companies jumped the bar with respect to basic competence to perform the specified work, the only basis for an award was price. Past performance, technical excellence and even new and innovative solutions didn’t count. Cost pressures have forced companies competing for this kind of work to reduce the seniority and experience of their staffs in order to reduce labor costs. The results have not been good to the defense industry’s ability to provide cutting edge cyber solutions.
The dangers to our military posed by vulnerability to cyber attacks suggest that we could be facing not a mere “Cyber Pearl Harbor,” as some have suggested, but a true “Cyber Armageddon.” If major weapons systems do not function as expected, platforms cannot communicate with one another and if our networks go down or the data in them is corrupted, the results would be truly catastrophic.
Find Archived Articles: