A recent government report identified flaws in our weapon systems that are creating cybersecurity vulnerabilities. Now, we must find and resolve the root cause.
In October 2018, the Government Accountability Office (GAO) released a report to the U.S. Senate’s Committee on Armed Services called Weapon Systems Cybersecurity—sharing observations and findings on our weapon systems’ cybersecurity weaknesses. However, it made no recommendations for course-correcting current operations and resolving cyber concerns.
A root cause analysis would likely unveil the single most effective strategy to counter these weaknesses: strengthen and widely implement compulsory, modernized cybersecurity training for program managers.
While the proposed solutions remain to be seen, the history of weapon systems as part of broader cybersecurity policy provides context for the recommendation of enhanced training.
Shifting priorities in DOD cybersecurity strategy
The report was produced using a review of previous reports on weapon systems security from 1991 to 2018, interviews within many relevant Department of Defense (DOD) organizations and with associated cybersecurity experts, and vulnerability and penetration testing of select systems. In it, the office repeatedly says that 2014 marked a major turning point in weapon systems cybersecurity, attributing this to a paradigm shift in prioritization by defense leadership.
Policymakers produced key issuances and initiatives during the same year: the transition to National Institute of Standards and Technology (NIST) cybersecurity doctrine and the risk management framework for information technology. These directives were the primary reasons behind the strengthening of DOD’s weapon systems cybersecurity.
Before, during, and after the landmark transition to NIST cyber doctrine, the DOD formed working groups and integrated product teams with weapon systems program managers. Had GAO evaluators participated in these groups, they might have found a culture of distrust surrounding cybersecurity policy among program managers, reaching from the mid-1980s to today. To address this root problem, the DOD must educate program managers in modernized cybersecurity techniques.
The GAO report explains up front that it makes no recommendations, saving those for a future publication. To ensure a sound path forward, the impending guidance should be based on a root cause analysis of the systemic, pre-2014 weaknesses in weapon system cybersecurity—such as policy distrust—in addition to how those issues may be addressed.
The effect of past issuances on weapon systems managers
Interestingly, the GAO report cites the 2015 publication of the DOD program manager’s guidebook for integrating the cybersecurity risk management framework into the system acquisition lifecycle as an example of how weapon systems cybersecurity is strengthening. This guidebook contains precisely the kind of targeted training material (Figure 1) that should be developed into a cybersecurity training curriculum required of every weapon system program manager.
Previous materials, however, did not fully consider the challenges program managers face in the field.
In 1985, the “light yellow book” of the DOD information security “rainbow series” was published to provide guidance on implementing the trusted computer system evaluation criteria. For the first time, the light yellow book separated system and information risk concerns of confidentiality, integrity, and availability from concerns of efficiency, effectiveness, and reliability as tenets of information security management.
Nowhere has this continued separation caused more consternation than among weapon systems program managers, who generally weigh risks to efficiency (weapon system cost), effectiveness (weapon system’s support of the mission) and reliability (weapon system functions as designed) more heavily than confidentiality, integrity and availability risks.
Figure 1. Acquisition Lifecycle High-Level Cybersecurity Process Flow
In a recent DOD cybersecurity working group, an Army colonel said, “Reliability is everything. When a soldier pushes the button, steel has to be put on target.”
The colonel was commenting on an executive officer-issued memorandum directing all information systems—including weapon systems—to implement a complex and external process-dependent set of user identity controls. Yes, compliance with the directive would strengthen confidentiality, integrity, and availability, but at an unacceptable cost to weapon system reliability—it would exponentially increase the likelihood of system failure.
Progress through framework updates and education
The sense that the DOD cybersecurity competency overlooks real-world concerns has created a culture of cybersecurity policy avoidance among weapon system, platform information technology, and industrial control system program managers.
However, the DOD risk management framework has enabled program managers to evaluate risk and make decisions based on individual system needs that include not only confidentiality, integrity, and availability, but also efficiency, effectiveness and reliability risk concerns—all without the need for a prohibitively long and burdensome control requirement waiver process.
The most impactful measure to address the root cause of weapons system cyber risk is, in all likelihood, widely implemented education—showing defense program managers how to integrate the modern DOD cybersecurity risk management framework with the weapon system acquisition lifecycle. By arming teams with this knowledge, trust can be improved and systematic issues can be resolved.