Defense Department Officials Recognize Advancements in Addressing Cybersecurity Vulnerabilities in Weapons Systems, Yet Acknowledge Significant Strides Remain

Defense officials advance education among high-ranking personnel regarding the urgent importance of securing weapons systems' cyber infrastructure.

Defense Department Gains Ground in Educating Top Brass on the Importance of Cybersecurity for Armaments.

Modernizing Defense Cybersecurity: Addressing the Threat in the Digital Battlefield

The Pentagon's IT and cyber professionals have been gaining ground in raising understanding among top military officials of the critical threats to weapons systems and technology infrastructure. However, some still underestimate these risks, according to the Department of Defense (DoD) Chief Information Security Officer (CISO), David McKeown. He shared his concerns with an audience of Air Force contractors on December 13.

McKeown revealed that on multiple occasions, his superior, the CIO, has warned a service secretary that the CIO might not certify the service's budget unless it adequately addressed cybersecurity concerns. These requirements are detailed in the DoD Capability Planning Guidance, a five-year plan produced and updated annually by the CIO's office.

"In this plan, we outline what services and agencies are expected to do in terms of cybersecurity," McKeown explained during a panel discussion at the AFCEA Northern Virginia Air Force IT Day. "That means putting your money where your mouth is. You have to fund things that are going to solve the problem we're telling you about."

The CIO — currently Leslie A. Beavers, on an acting basis — has to sign off on service budgets to certify that they are dealing with the issues identified in the guidance. McKeown stated that the CIO's warnings about non-certification are "a pretty big deal, and it gets their attention, and they quickly rectify that."

However, McKeown admitted that this rectification often meant other, less critical cyber measures would not get funded. "We know that even inside the services, we're often robbing Peter to pay Paul. So when we tell them to do something like that, something else will probably fall off the plate," he explained.

At the program level, McKeown stated that some officials still do not consider cyber requirements as critical. "I think there's an increased awareness. A lot of the top leadership is getting it," he said. "In certain programs, it still gets ignored. I've heard acquisition professionals tell me that 'We know about these cyber vulnerabilities, and they're critical. They can take down the weapon system, but there are a lot of other operational requirements that we have to pay for this year in this particular weapon system. So therefore the cybersecurity stuff didn't meet the cut line.'"

Greg Garcia, the panel moderator and AFCEA committee member, recalled that in the years leading up to his 2021 retirement, many commanders would often disregard online threats. "Every time there would be a cyber threat [warning], I remember operational mission impact statements that would override every single cyber threat [measure], because the operational commander would say, 'I accept the risk' without any clue of what they're actually accepting," Garcia said.

Air Force Brig. Gen. Heather Blackwell, deputy commander of the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), emphasized that today, more commanders recognize the need to think of their networks as a battlefield, terrain that needs to be controlled to win. JFHQ-DODIN is responsible for maintaining and protecting the Pentagon's global IT networks, but it is the operational commanders who have to protect these networks on the ground.

"I can't do command and control for 3.2 million endpoints from my team of 450," Blackwell said. "Commanders have to be accountable. Do I have a single commander I can go to, and say 'You have not done your cyber measures tasked to you. You might have a compromise. You might be compromising this mission?' Making sure someone owns that terrain is one of the biggest pieces."

Nick Freije, the assistant chief engineer for mission architecture at the Naval Information Warfare Systems Command, stressed the need to bring reality into threat analyses. "A lot of times, we'll do a threat analysis, and it's like 'Yes, given a perfect, sunny day uncontested, sure, I can do everything. I can do my mission in this perfect world.' No, we have to start bringing in reality to this," Freije stated.

Exercises like tabletop games and cyber red-team testing are essential strategies for raising awareness, McKeown argued. "The tabletop exercises are a good start. The red-team testing is a much better start," McKeown said. "I wish that weapon system platforms and critical infrastructure platforms were continuously red-team testing their own things and then fixing those things."

The ideal approach, according to McKeown, is "purple-teaming," where red teams identify vulnerabilities and then blue teams fix them. "We need more of that as we go forward," McKeown said.

Ultimately, McKeown concluded that, during a shooting war, the military could find itself lacking crucial capabilities if it had not cyber-secured them proactively. "Our weapon systems, our critical infrastructure, are definitely at risk, and they may not be there at the critical time we need them if we don't address these cyber vulnerabilities," he said.

Facing escalating cyber threats on multiple fronts, the DoD requires collective effort and innovative strategies to defend its weapon systems and critical infrastructure effectively. Enhanced exercises, international cooperation, and technological advancements can help secure these vital digital assets, as the DoD strives toward a safer cyber battlefield.

  1. The Department of Defense (DoD) Chief Information Security Officer (CISO), David McKeown, shared his concerns about cybersecurity threats to weapons systems and technology infrastructure with an audience of Air Force contractors.
  2. McKeown revealed that his superior, the CIO, has issued a warning to a service secretary that they might not certify their budget unless they addressed cybersecurity concerns.
  3. The CIO's office produces and updates annually the DoD Capability Planning Guidance, which outlines what services and agencies are expected to do in terms of cybersecurity.
  4. In this plan, cybersecurity measures are considered critical, and services must fund them to solve the identified problems.
  5. McKeown stated that occasionally, the sanctions about non-certification lead to other less critical cyber measures not being funded.
  6. In certain programs, some officials still do not consider cybersecurity requirements as critical, and they may ignore them even if they know about the cyber vulnerabilities that can potentially take down the weapon system.
