
Weapon systems cybersecurity: Determining a course of action to address weaknesses
A recent government report identified flaws in our weapon systems that are creating cybersecurity vulnerabilities. Now, we must find and resolve the root cause.
In October 2018, the Government Accountability Office (GAO) released a report to the U.S. Senate’s Committee on Armed Services called —sharing observations and findings on our weapon systems’ cybersecurity weaknesses. However, it made no recommendations for course-correcting current operations and resolving cyber concerns.
A root cause analysis would likely unveil the single most effective strategy to counter these weaknesses: strengthen and widely-implement compulsory, modernized cybersecurity training for program managers.
While the proposed solutions remain to be seen, the history of weapon systems as part of broader cybersecurity policy provides context for the recommendation of enhanced training.
Shifting priorities in DOD cybersecurity strategy
The report was produced using a review of previous reports on weapon systems security from 1991 to 2018, interviews within many relevant Department of Defense (DOD) organizations and with associated cybersecurity experts, and through vulnerability and penetration testing of select systems. In it, the office repeatedly says that 2014 marked a major turning point in weapon systems cybersecurity, attributing a paradigm shift in prioritization by defense leadership.
Policymakers produced key issuances and initiatives during the same year: the (NIST) cybersecurity doctrine and the . These directives were the primary reasons behind the strengthening of DOD’s weapon systems cybersecurity.
Before, during, and after the landmark transition to NIST cyber doctrine, the DOD formed working groups and integrated product teams with weapon systems program managers. Had GAO evaluators participated in these groups, they may have found a culture of distrust surrounding cybersecurity policy among program managers, reaching from the mid-1980s to today. To address this root problem, the DOD must educate program managers in modernized cybersecurity techniques.
The GAO report explains up front that it makes no recommendations, saving those for a future publication. To ensure a sound path forward, the impending guidance should be based on a root cause analysis of the systemic, pre-2014 weaknesses in weapon system cybersecurity—such as policy distrust—in addition to how those issues may be addressed.
The effect of past issuances on weapon systems managers
Interestingly, the GAO report cites the 2015 publication of the as an example of how weapon systems cybersecurity is strengthening. This guidebook contains precisely the kind of targeted training material (Figure 1) that should be developed into a cybersecurity training curriculum required of every weapon system program manager.
Previous materials, however, did not fully consider the challenges program managers face in the field.
In 1985, the “” of the DOD information security “rainbow series” was published to provide guidance on implementing the . For the first time, the light yellow book separated system and information risk concerns of confidentiality, integrity, and availability from concerns of efficiency, effectiveness, and reliability as tenets of information security management.
Nowhere has this continued separation caused more consternation than among weapon systems program managers, who generally weigh risks to efficiency (weapon system cost), effectiveness (weapon system’s support of the mission) and reliability (weapon system functions as designed) more heavily than confidentiality, integrity and availability risks.
In a recent DOD cybersecurity working group, an army colonel said, “Reliability is everything. When a soldier pushes the button, steel has to be put on target.”
The colonel was commenting on an executive officer-issued memorandum directing all information systems—including weapon systems—to implement a complex and external process-dependent set of user identity controls. Yes, compliance with the directive would strengthen confidentiality, integrity, and availability, but at an unacceptable cost to weapon system reliability—it would exponentially increase the likelihood of system failure.
Progress through framework updates and education
The sense of the DOD cybersecurity competency overlooking real-world concerns has created the culture of cybersecurity policy-avoidance among weapon system, platform information technology, and industrial control system program managers.
However, has enabled program managers to evaluate risk and make decisions based on individual system needs that include not only confidentiality, integrity, and availability, but also efficiency, effectiveness and reliability risk concerns—all without the need for a prohibitively long and burdensome control requirement waiver process.
The most impactful measure to address the root cause of weapons system cyber risk is, in all likelihood, widely-implemented education—showing defense program managers how to integrate the modern DOD cybersecurity risk management framework with the weapon system acquisition lifecycle. By arming teams with this knowledge, trust can be improved and systematic issues can be resolved.
Acquisition Lifecycle High-Level Cybersecurity Process Flow
