A recent government report identified flaws in our weapon systems that are creating cybersecurity vulnerabilities. Now, we must find and resolve the root cause.
In October 2018, the Government Accountability Office (GAO) released a report to the U.S. Senate’s Committee on Armed Services titled Weapon Systems Cybersecurity, sharing observations and findings on the cybersecurity weaknesses of our weapon systems. However, it made no recommendations for course-correcting current operations or resolving those cyber concerns.
A root cause analysis would likely reveal the single most effective strategy for countering these weaknesses: strengthen, and widely implement, compulsory, modernized cybersecurity training for program managers.
While GAO’s eventual recommendations remain to be seen, the history of weapon systems within broader cybersecurity policy provides context for recommending enhanced training.
Shifting priorities in DOD cybersecurity strategy
The report was produced from a review of previous reports on weapon systems security from 1991 to 2018, interviews within many relevant Department of Defense (DOD) organizations and with associated cybersecurity experts, and a review of the results of vulnerability and penetration testing of selected systems. In it, the office repeatedly identifies 2014 as a major turning point in weapon systems cybersecurity, attributing the change to a shift in prioritization by defense leadership.
Policymakers produced key issuances and initiatives that same year, notably the transition to National Institute of Standards and Technology (NIST) cybersecurity doctrine and its risk management framework for information technology. These directives were the primary drivers of the strengthening of DOD’s weapon systems cybersecurity.
Before, during, and after the landmark transition to NIST cyber doctrine, the DOD formed working groups and integrated product teams with weapon systems program managers. Had GAO evaluators participated in these groups, they might have found a culture of distrust of cybersecurity policy among program managers, reaching from the mid-1980s to today. To address this root problem, the DOD must educate program managers in modernized cybersecurity techniques.
The GAO report explains up front that it makes no recommendations, reserving those for a future publication. To ensure a sound path forward, that impending guidance should be based on a root cause analysis of the systemic, pre-2014 weaknesses in weapon system cybersecurity, such as policy distrust, and on how those weaknesses can be addressed.
The effect of past issuances on weapon systems managers
Interestingly, the GAO report cites the 2015 publication of the DOD program manager’s guidebook for integrating the cybersecurity risk management framework into the system acquisition lifecycle as an example of how weapon systems cybersecurity is strengthening. This guidebook contains precisely the kind of targeted training material (Figure 1) that should be developed into a cybersecurity training curriculum required of every weapon system program manager.
Previous materials, however, did not fully consider the challenges program managers face in the field.
In 1985, the “light yellow book” of the DOD information security “rainbow series” was published to provide guidance on applying the Trusted Computer System Evaluation Criteria (TCSEC). For the first time, the light yellow book separated the system and information risk concerns of confidentiality, integrity, and availability from the concerns of efficiency, effectiveness, and reliability as tenets of information security management.
Nowhere has this continued separation caused more consternation than among weapon systems program managers, who generally weigh risks to efficiency (weapon system cost), effectiveness (the weapon system’s support of the mission), and reliability (the weapon system functions as designed) more heavily than confidentiality, integrity, and availability risks.