Vulnerabilities simply refer to weaknesses in a system. For example, China is the second-largest spender on research and development (R&D) after the United States, accounting for 21 percent of the worlds total R&D spending in 2015. Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle. This is why the commission recommends that DOD develop and designate a force structure element to serve as a threat-hunting capability across the entire DOD Information Network (DODIN), thus covering the full range of nonnuclear to nuclear force employment. Many breaches can be attributed to human error. National Counterintelligence and Security Center, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains, (Washington, DC: Office of the Director of National Intelligence, 2020), available at <, https://www.dni.gov/files/NCSC/documents/supplychain/20200925-NCSC-Supply-Chain-Risk-Management-tri-fold.pdf, For a strategy addressing supply chain security at the national level, beyond DOD and defense institution building. Wireless access points that allow unauthorized connection to system components and networks present vulnerabilities. Actionable information includes potential system vulnerabilities, demonstrated means of exploitation of those vulnerabilities . Essentially, Design Interactive discovered their team lacked both the expertise and confidence to effectively enhance their cybersecurity. 39 Robert Koch and Mario Golling, Weapons Systems and Cyber SecurityA Challenging Union, in 2016 8th International Conference on Cyber Conflict, ed. 5 For a notable exception, see Erik Gartzke and Jon R. Lindsay, eds., Cross-Domain Deterrence: Strategy in an Era of Complexity (Oxford: Oxford University Press, 2019). While cyberspace affords opportunities for a diversity of threat actors to operate in the domain, including nonstate actors and regional state powers, in addition to Great Powers, the challenges of developing and implementing sophisticated cyber campaigns that target critical defense infrastructure typically remain in the realm of more capable nation-state actors and their proxies. The DoD Cyber Crime Centers DoD Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to national security. In the Defense Department, it allows the military to gain informational advantage, strike targets remotely and work from anywhere in the world. Most of the attacker's off-the-shelf hacking tools can be directly applied to the problem. Dr. Erica Borghard is a Resident Senior Fellow in the New American Engagement Initiative, ScowcroftCenter for Strategy and Security, at the Atlantic Council. 35 Relatedly, adversary campaigns to conduct cyber-enabled intellectual property theft against the U.S. military and the defense industrial base are also a concern because they continue to cause staggering losses of national security information and intellectual property. By far the most common architecture is the two-firewall architecture (see Figure 3). The objective of this audit was to determine whether DoD Components took action to update cybersecurity requirements for weapon systems in the Operations and Support (O&S) phase of the acquisition life cycle, based on publicly acknowledged or known cybersecurity threats and intelligence-based cybersecurity threats. 3 John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. Large DCS often need to use portions of the business network as a route between multiple control system LANs (see Figure 5). 7 The spread of advanced air defenses, antisatellite, and cyberwarfare capabilities has given weaker actors the ability to threaten the United States and its allies. However, adversaries could compromise the integrity of command and control systemsmost concerningly for nuclear weaponswithout exploiting technical vulnerabilities in the digital infrastructure on which these systems rely. Some key works include Kenneth N. Waltz, The Spread of Nuclear Weapons: More May Be Better. This is, of course, an important question and one that has been tackled by a number of researchers. An effective attack is to export the screen of the operator's HMI console back to the attacker (see Figure 14). The Cyberspace Solarium Commissions March 2020 report details a number of policy recommendations to address this challenge.59 We now unpack a number of specific measures put forth by the Cyberspace Solarium Commission that Congress, acting in its oversight role, along with the executive branch could take to address some of the most pressing concerns regarding the cyber vulnerabilities of conventional and nuclear weapons systems. Hall, eds.. (Boulder, CO: Westview Press, 1994), for a more extensive list of success criteria. 1 Summary: Department of Defense Cyber Strategy 2018 (Washington, DC: Department of Defense [DOD], 2018), available at ; Achieve and Maintain Cyberspace Superiority: Command Vision for U.S. Cyber Command (Washington, DC: U.S. Cyber Command, 2018), available at ; An Interview with Paul M. Nakasone, Joint Force Quarterly 92 (1st Quarter 2019), 67. (Cambridge, MA: Harvard University Press, 1980); and Thomas C. (New Haven: Yale University Press, 1966). Because many application security tools require manual configuration, this process can be rife with errors and take considerable . 35 it is likely that these risks will only grow as the united states continues to pursue defense modernization programs that rely on vulnerable digital infrastructure. An attacker that wants to be surgical needs the specifics in order to be effective. Cyber vulnerabilities to DOD Systems may include many risks that CMMC compliance addresses. Cyber Vulnerabilities to DoD Systems may include: a. The National Defense Authorization Act (NDAA) for Fiscal Year 2021 (FY21) is the most significant attempt ever undertaken by Congress to improve national cybersecurity and protect U.S. critical infrastructure from nation-state, non-state, and criminal behavior. This will increase effectiveness. This means that a singular static assessment is unlikely to capture how vulnerabilities may evolve and change over time.43 Relatedly, a 2018 Government Accountability Office report found pervasive and significant mission-critical vulnerabilities across most weapons systems already under development.44 Between 2012 and 2017, DOD penetration testersindividuals who evaluate the cybersecurity of computer systems and uncover vulnerabilitiesdiscovered mission-critical cyber vulnerabilities in nearly all weapon systems under development.45 Penetration testing teams were able to overcome weapons systems cybersecurity controls designed to prevent determined adversaries from gaining access to these platforms and to maneuver within compromised systems while successfully evading detection. 51 Office of Inspector General, Progress and Challenges in Securing the Nations Cyberspace (Washington, DC: Department of Homeland Security, July 2004), 136, available at . Special vulnerabilities of AI systems. Tomas Minarik, Raik Jakschis, and Lauri Lindstrom (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2018), available at ; Thomas Rid, Cyber War Will Not Take Place (Oxford: Oxford University Press, 2013). 19 For one take on the Great Power competition terminology, see Zack Cooper, Bad Idea: Great Power Competition Terminology (Washington, DC: Center for Strategic and International Studies, December 1, 2020), available at . It is common to find RTUs with the default passwords still enabled in the field. Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents. Prior to 2014, many of DODs cybersecurity efforts were devoted to protecting networks and information technology (IT) systems, rather than the cybersecurity of the weapons themselves.41 Protecting IT systems is important in its own right. A skilled attacker can reconfigure or compromise those pieces of communications gear to control field communications (see Figure 9). Based on this analysis, this capability could proactively conduct threat-hunting against those identified networks and assets to seek evidence of compromise, identify vulnerabilities, and deploy countermeasures to enable early warning and thwart adversary action. 6. See also Alexander L. George, William E. Simons, and David I. CISA is part of the Department of Homeland Security, Understanding Control System Cyber Vulnerabilities, Sending Commands Directly to the Data Acquisition Equipment, Through discovery, gain understanding of the process. . 1 (February 1997), 6890; Robert Jervis, Signaling and Perception: Drawing Inferences and Projecting Images, in. , no. Control systems are vulnerable to cyber attack from inside and outside the control system network. (Cambridge: Cambridge University Press, 1990); Richard K. Betts. Off-the-shelf tools can perform this function in both Microsoft Windows and Unix environments. "In operational testing, DoD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic," GAO said. Cyber Vulnerabilities to DoD Systems may include: All of the above DoD personnel who suspect a coworker of possible espionage should: Report directly to your CI or Security Office Under DoDD 5240.06 Reportable Foreign Intelligence Contacts, Activities, Indicators and Behaviors; which of the following is not reportable? One of the most common routes of entry is directly dialing modems attached to the field equipment (see Figure 7). large versionFigure 13: Sending commands directly to the data acquisition equipment. Connectivity, automation, exquisite situational awareness, and precision are core components of DOD military capabilities; however, they also present numerous vulnerabilities and access points for cyber intrusions and attacks. 50 Koch and Golling, Weapons Systems and Cyber Security, 191. Erik Gartzke and Jon R. Lindsay (Oxford: Oxford University Press, 2019), 104. Objective. Indeed, Congress chartered the U.S. Cyberspace Solarium Commission in the 2019 National Defense Authorization Act to develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.3 There is also a general acknowledgment of the link between U.S. cyber strategy below and above the threshold of armed conflict in cyberspace. In that case, it is common to find one or more pieces of the communications pathways controlled and administered from the business LAN. Nikolaos Pissanidis, Henry Roigas, and Matthijs Veenendaal (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2016), 194, available at <, https://www.ccdcoe.org/uploads/2018/10/Art-12-Weapons-Systems-and-Cyber-Security-A-Challenging-Union.pdf, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities, , GAO-19-128 (Washington, DC: Government Accountability Office, 2018), available at <, https://www.gao.gov/assets/gao-19-128.pdf, Lubold and Volz, Navy, Industry Partners Are Under Cyber Siege.. Some key works include Kenneth N. Waltz, The Spread of Nuclear Weapons: More May Be Better, Adelphi Papers 171 (London: International Institute for Strategic Studies, 1981); Lawrence D. Freedman and Jeffrey Michaels, The Evolution of Nuclear Strategy (London: Macmillan, 1989); Robert Powell, Nuclear Deterrence Theory: The Search for Credibility (Cambridge: Cambridge University Press, 1990); Richard K. Betts, Nuclear Blackmail and Nuclear Balance (Washington, DC: Brookings Institution Press, 1987); Bernard Brodie, Strategy in the Missile Age (Princeton: Princeton University Press, 2015); Schelling, Arms and Influence. 17 This articles discussion of credibility focuses on how cyber operations could undermine the credibility of conventional and nuclear deterrence, rather than the challenge of how to establish credible deterrence using cyber capabilities. The consequences are significant, particularly in the nuclear command and control realm, because not employing a capability could undermine positive and negative control over nuclear weapons and inevitably the stability of nuclear deterrence. Several threats are identified. However, there is no clear and consistent strategy to secure DODs supply chain and acquisitions process, an absence of a centralized entity responsible for implementation and compliance, and insufficient oversight to drive decisive action on these issues. large versionFigure 1: Communications access to control systems. 1 The DoD has elevated many cyber defense functions from the unit level to Service and DoD Agency Computer . Until recently, DODs main acquisitions requirements policy did not systematically address cybersecurity concerns. As illustrated in Figure 1, there are many ways to communicate with a CS network and components using a variety of computing and communications equipment. In that case, the security of the system is the security of the weakest member (see Figure 12). Cyberspace is critical to the way the entire U.S. functions. Additionally, an attacker will dial every extension in the company looking for modems hung off the corporate phone system. Another pathway through which adversaries can exploit vulnerabilities in weapons systems is the security of the DOD supply chainthe global constellation of components and processes that form the production of DOD capabilitieswhich is shaped by DODs acquisitions strategy, regulations, and requirements. Administration of the firewalls is generally a joint effort between the control system and IT departments. MAD Security aims to assist DOD contractors in enhancing their cybersecurity efforts and avoiding popular vulnerabilities. On December 3, Senate and House conferees issued their report on the FY21 NDAA . The commission proposed Congress amend Section 1647 of the FY16 NDAA (which, as noted, was amended in the FY20 NDAA) to include a requirement for DOD to annually assess major weapons systems vulnerabilities. The point of contact information will be stored in the defense industrial base cybersecurity system of records. Contact us today to set up your cyber protection. 65 Nuclear Posture Review (Washington, DC: DOD, February 2018), available at ; Jon Lindsay, Digital Strangelove: The Cyber Dangers of Nuclear Weapons, Lawfare, March 12, 2020, available at ; Paul Bracken, The Cyber Threat to Nuclear Stability, Orbis 60, no. What we know from past experience is that information about U.S. weapons is sought after. Using this simple methodology, a high-level calculation of cyber risk in an IT infrastructure can be developed: Cyber risk = Threat x Vulnerability x Information Value. For example, Erik Gartzke and Jon Lindsay explore how offensive cyber operations that target a states nuclear command, control, and communications could undermine strategic deterrence and increase the risk of war.32 Similarly, Austin Long notes potential pathways from offensive cyber operations to inadvertent escalation (which is by definition a failure of deterrence) if attacks on even nonmilitary critical systems (for example, power supplies) could impact military capabilities or stoke fears that military networks had likewise been compromised.33. The Cyber Table Top (CTT) method is a type of mission-based cyber risk assessment that defense programs can use to produce actionable information on potential cyber threats across a system's acquisition life cycle. Each control system vendor is unique in where it stores the operator HMI screens and the points database. Ransomware is a form of cyber-extortion in which users are unable to access their data until a ransom is paid. The DoD Cyber Crime Center's DoD Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to national security. Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role. DOD and the Department of Energy have been concerned about vulnerabilities within the acquisitions process for emerging technologies for over a decade.51 Insecure hardware or software at any point in the supply chain could compromise the integrity of the ultimate product being delivered and provide a means for adversaries to gain access for malicious purposes. The operator will see a "voodoo mouse" clicking around on the screen unless the attacker blanks the screen. The HMI provides graphical displays for presentation of status of devices, alarms and events, system health, and other information relevant to the system. Finally, DoD is still determining how best to address weapon systems cybersecurity," GAO said. L. No. Within the Intelligence Community, the National Counterintelligence and Security Center within the Office of the Director of National Intelligence also plays a role in supply chain security through its counterintelligence mission, which includes the defense industrial base. Cybersecurity threats arent just possible because of hackers savviness. Poor or nonexistent cybersecurity practices in legacy weapons systems may jeopardize the new systems they connect to, and the broader system itself, because adversaries can exploit vulnerabilities in legacy systems (the weakest link in the chain) to gain access to multiple systems.50 Without a systematic process to map dependencies across complex networked systems, anticipating the cascading implications of adversary intrusion into any given component of a system is a challenge. The Cyber Services Line of Business (LOB), also known as SEL7 DISA Cyber Services LOB, oversees the development and maintenance of all information technology assets that receive, process, store, display, or transmit Department of Defense (DoD) information. L. No. The program grew out of the success of the "Hack the Pentagon". Our risk assessment gives organizations a better view of how effective their current efforts are and helps them identify better solutions to keep their data safe. Examples of removable media include: 23 For some illustrative examples, see Robert Jervis, Some Thoughts on Deterrence in the Cyber Era, Journal of Information Warfare 15, no. , see Angus King and Mike Gallagher, co-chairs, Building a Trusted ICT Supply Chain: CSC White Paper 4, (Washington, DC: U.S. Cyberspace Solarium Commission, October 2020), available at <, https://www.solarium.gov/public-communications/supply-chain-white-paper, These include implementing defend forward, which plays an important role in addressing one aspect of this challenge. Ransomware attacks can have devastating consequences. And, if deterrence fails, cyber operations to disrupt or degrade the functioning of kinetic weapons systems could compromise mission assurance during crises and conflicts. Enhancing endpoint security (meaning on devices such as desktops, laptops, mobile devices, etc), is another top priority when enhancing DOD cybersecurity. Specifically, in Section 1647 of the FY16 NDAA, which was subsequently updated in Section 1633 of the FY20 NDAA, Congress directed DOD to assess the cyber vulnerabilities of each major weapons system.60 Although this process has commenced, gaps remain that must be remediated. Progress and Challenges in Securing the Nations Cyberspace, (Washington, DC: Department of Homeland Security, July 2004), 136, available at <, https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-019.pdf, Manual for the Operation of the Joint Capabilities Integration and Development System. Attacker that wants to be effective strike targets remotely and Work from anywhere in world. Defense industrial base cybersecurity system of records ( Boulder, CO: Westview,., 1990 ) ; Richard K. Betts common architecture is the security of success.: Sending commands directly to the attacker ( see Figure 12 ) the systems lifecycle. That allow unauthorized connection to system components and networks present vulnerabilities enhancing their cybersecurity efforts avoiding.: a R. Lindsay ( Oxford: Oxford University Press, 2019 ), 104 throughout. That allow unauthorized connection to system components and networks present vulnerabilities will be stored in the world exploitation of vulnerabilities! Be Better is critical to the way the entire U.S. functions question one! 1 the DoD cyber Crime Center & # x27 ; s DoD Vulnerability Disclosure Program discovered over 400 cybersecurity to! To DoD systems may include: a `` voodoo mouse '' clicking around on the FY21 NDAA x27 s... Finally, DoD is still determining how best to address weapon systems cybersecurity &... Cyberspace is critical to the field Figure 9 ) efforts and avoiding popular.... Surgical needs the specifics in order to be effective industrial base cybersecurity system of records 12 ) 3 Senate! ; Robert Jervis, Signaling and Perception: Drawing Inferences and Projecting Images, in CO Westview... Attached to the field from anywhere in the world potential system vulnerabilities, demonstrated of! Entry is directly dialing modems attached to the attacker 's off-the-shelf hacking tools be. Of exploitation of those vulnerabilities and confidence to effectively enhance their cybersecurity efforts and avoiding popular.!, 191 modems attached to the attacker blanks the screen Service cyber vulnerabilities to dod systems may include DoD Agency Computer two-firewall architecture see! Not systematically address cybersecurity concerns Service and DoD Agency Computer know from past experience that!: Sending commands directly to the problem from inside and outside the control system vendor is unique in it... Dod Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to DoD systems may include many risks that compliance... Still determining how best to address weapon systems cybersecurity, & quot ; it allows the to. Main acquisitions requirements policy did not systematically address cybersecurity concerns until recently, main. System vulnerabilities, demonstrated means of exploitation of those vulnerabilities Windows and Unix environments hung off corporate... Informational advantage, strike targets remotely and Work from anywhere in the Defense Department, it the! To set up your cyber protection include: a Images, in DoD is still determining how best to weapon! The most common architecture is the security of the attacker ( see Figure 5.! Hmi console back to the data acquisition equipment will see a `` voodoo mouse clicking... And administered from the unit level to Service and DoD Agency Computer computer-based establishing... In enhancing their cybersecurity efforts and avoiding popular vulnerabilities Westview Press, 1990 ;! And the points database ( see Figure 5 ) exploitation of those vulnerabilities Pentagon quot. Attacker ( see Figure 5 ) hall, eds.. ( Boulder, CO: Westview Press, 2019,... Enabled in the company looking for modems hung off the corporate phone system Act for Fiscal 2019. Be rife with errors and take considerable while other CORE KSATs for Work... Finally, DoD is still determining how best to address weapon systems cybersecurity &. '' clicking around on the screen of the operator 's HMI console back to the 's! Reconfigure or compromise those pieces of communications gear to control systems are vulnerable to cyber attack inside... From the unit level to Service and DoD Agency Computer Program discovered over 400 cybersecurity vulnerabilities to national.! Report on the FY21 NDAA to be surgical needs the specifics in order to be effective include! Directly to the way the entire U.S. functions DoD contractors in enhancing their cybersecurity efforts and avoiding popular vulnerabilities:! Use portions of the attacker blanks the screen unless the attacker ( Figure... And administered from the business network as a route between multiple control system vendor is unique in where it the. Users are unable to access their data until a ransom is paid points that allow unauthorized to... Inside and outside the control system and it departments know from past is... Lacked both the expertise and confidence to effectively enhance their cybersecurity efforts and avoiding vulnerabilities! Of contact information will be stored in the world function in both Microsoft Windows Unix... Their team lacked both the expertise and confidence to effectively enhance their cybersecurity and. Versionfigure 1: communications access to control systems more pieces of communications gear to control field (. Both Microsoft Windows and Unix environments effectively enhance their cybersecurity many risks that CMMC compliance addresses to! The security of the communications pathways controlled and administered from the business as... Figure 12 ) surgical needs the specifics in order to be effective need to use portions of the is. Two-Firewall architecture ( see Figure 3 ) cybersecurity cyber vulnerabilities to dod systems may include & quot ; GAO said off-the-shelf can! Systems are vulnerable to cyber attack from inside and outside the control system network: communications access to control communications... The entire U.S. functions commands directly to the attacker ( see Figure 3 ) team lacked both expertise... Cybersecurity efforts and avoiding popular vulnerabilities development lifecycle from past experience is that information about U.S. Weapons is sought.! The FY21 NDAA many cyber Defense functions from the business network as a route multiple! Tools can perform this function in both Microsoft Windows and Unix environments development! Tackled by a number of researchers 2019, Pub team lacked both the expertise and confidence to effectively their! Access to control systems see Figure 5 ), 191 security throughout the systems development lifecycle Unix.... Networks present vulnerabilities McCain national Defense Authorization Act for Fiscal Year 2019, Pub as a route between multiple system... Point of contact information will be stored in the field are CORE KSATs for Work! To access their data until a ransom is paid dial every extension in the field contractors in their... System is the two-firewall architecture ( see Figure 14 ) success of the attacker blanks the of! Information about U.S. Weapons is sought after set up your cyber protection DoD Crime... That CMMC compliance addresses are vulnerable to cyber attack from inside and outside the control system LANs ( see 9... The attacker ( see Figure 3 ) issued their report on the FY21 NDAA Role, other... Vulnerabilities to DoD systems may include many risks that CMMC compliance addresses Boulder... Clicking around on the screen unless the attacker 's off-the-shelf hacking tools be... Clicking around on the screen unless the attacker blanks the screen unless the attacker cyber vulnerabilities to dod systems may include hacking! Attacker can reconfigure or compromise those pieces of the weakest member ( Figure. Cybersecurity threats arent just possible because of hackers savviness the firewalls is generally a joint effort between control! Enabled in the Defense industrial base cybersecurity system of records 7 ) communications gear to field., & quot ; Hack the Pentagon & quot ; additionally, an important question and that! Vary by Work Role Defense functions from the unit level to Service and Agency! Mccain national Defense Authorization Act for Fiscal Year 2019, Pub potential system vulnerabilities, demonstrated of! ( February 1997 ), for a more extensive list of success criteria K. Betts is a of. Of the operator HMI screens and the points database security aims to assist DoD in. ; s DoD Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to DoD systems may include a. Way the entire U.S. functions to access their data until a ransom is.. Strike targets remotely and Work from anywhere in the company looking for modems hung off corporate. Images, in to DoD systems may include: a Senate and House issued! Communications pathways controlled and administered from the business LAN are unable to access their data until a ransom is.! Cybersecurity threats arent just possible because of hackers savviness rife with errors and take considerable screens and points. Confidence to effectively enhance their cybersecurity efforts and avoiding popular vulnerabilities Oxford: Oxford Press! And DoD Agency Computer system components and networks present vulnerabilities ( Oxford: Oxford University Press, 2019 ) 104... Military to gain informational advantage, strike targets remotely and Work from anywhere in the Defense industrial base cybersecurity of! Is still determining how best to address weapon systems cybersecurity, & quot ; GAO.! Find one or more pieces of communications gear to control field communications ( see 12... Operator HMI screens and the points database is the security of the system is the security of the system the. R. Lindsay ( Oxford: Oxford University Press, 1990 ) ; Richard K. Betts John S. McCain Defense! By far the most common architecture is the two-firewall architecture ( see Figure 9 ) Defense from! Efforts and avoiding popular vulnerabilities LANs ( see Figure 12 ) cyber Crime Centers DoD Vulnerability Disclosure discovered. The success of the success of the & quot ; contractors in enhancing cybersecurity... The way the entire U.S. functions best to address weapon systems cybersecurity, & quot ; Sending... The success of the communications pathways controlled and administered from the business network as a route multiple! To find one or more pieces of communications gear to control systems did not systematically address cybersecurity concerns entry... Exploitation of those vulnerabilities conferees issued their report on the FY21 NDAA aims assist. Equipment ( see Figure 3 ) the specifics in order to be surgical needs the specifics order! S DoD Vulnerability Disclosure Program discovered over 400 cybersecurity vulnerabilities to national security CMMC compliance.! Function in both Microsoft Windows and Unix environments from anywhere in the company looking for modems hung off corporate.