The Pentagon’s cybersecurity is improving — but not quickly enough to keep pace with the growing capabilities of America’s adversaries, according to the annual report from the Department of Defense’s chief weapons and systems tester.
The DOD Office of the Director of Operational Test & Evaluation’s 2018 report keyed in on traditional weapons and operational systems’ dependence on software as a key trend that “will continue as more complex and capable software platforms and algorithms make their way into the battlespace.” And with that comes the need to defend and “test all systems having data exchanges for the resilience to complete missions in a cyber-contested environment.”
DOT&E performed a number of such tests in 2018 and found generally that “there were an increasing number of instances where the cyber Red Teams employed during DOT&E assessments experienced greater difficulty in penetrating network defenses or maintaining previously acquired accesses,” Director Robert Behler wrote in the annual report. “These improvements are both noteworthy and encouraging, but we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries, who continue to find new vulnerabilities and techniques to counter the fixes and countermeasures by DOD defenders.”
While the report cites a number of improvements DOD has made in the cyber domain in the past year, DOT&E also found many persisting vulnerabilities through its tests. Here are three critical systems in particular that testers found to be operating inadequately:
The F-35 Joint Strike Fighter’s brain is malfunctioning
The F-35 Joint Strike Fighter is meant to “bring cutting-edge technologies to the battlespace of the future,” but for now, the brains behind the aircraft appear to be holding it back from seeing combat anytime soon. It was designed, in a sense, to be a flying supercomputer. But the fighter’s logistics system — the Autonomic Logistics Information System (ALIS) — is plagued with problems, DOT&E found in various tests.
“ALIS is designed to bring efficiency to maintenance and flight operations, but it does not yet perform as intended,” the new report says.
The problems fall into three main areas: Users must create numerous workarounds to make ALIS functional, there are “pervasive problems with data integrity and completeness on a daily basis,” and users generally lack confidence in the system, causing them to maintain “separate databases to track life usage.”
The report explains that ALIS will give pilots and others mixed signals on the health of a fighter: “ALIS incorrectly reports the status of aircraft as NMC in the Squadron Health Management application based on HRCs (faults). Meanwhile, a separate application – Customer Maintenance Management System, which relies on the Mission Essential Function List (MEFL) – reports the same aircraft as mission capable.”
The system also faces a variety of cybersecurity vulnerabilities.
DOD EHR woes continue
The Defense Healthcare Management System Modernization’s struggle to get operational approval for the modernized MHS Genesis electronic health record is not new — earlier reports from DOT&E highlighted the issue. However, DHMSM continues to face challenges and still is “not operationally suitable because of poor system usability, insufficient training and documentation, and inadequate dissemination of system change information.”
In this new report, there are also details about MHS Genesis’ cybersecurity vulnerabilities. “MHS GENESIS is not survivable in a cyber-contested environment,” it says, explaining that the Joint Interoperability Test Command and Space and Naval Warfare Systems Command (SPAWAR) Red Team “successfully executed three cybersecurity attacks against the system as an insider, near-sider, and outsider.”
The program office leading the system’s development has since created the Cyber Integrated Work Group, identifying “34 specific tasks assigned to the appropriate parties, focused upon incident response and intrusion detection as well as prioritization and mitigation of identified vulnerabilities.”
Joint Regional Security Stack (JRSS) needs a pause
One of the biggest cyber takeaways from the DOT&E report is its conclusion that the department should stop operation of the Joint Regional Security Stack until “the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyber-attacks.”
JRSS is meant to provide “a suite of equipment intended to perform firewall functions, intrusion detection and prevention, enterprise management, and virtual routing and forwarding, as well as provide a host of network security capabilities” in a centralized manner for the DOD Information Network.
Simply put, the version of the JRSS the office tested “is unable to help network defenders protect the network against operationally realistic cyber-attacks.”
“JRSS performed poorly, and showed little improvement” from the previous test. “JRSS operators did not detect the Air Force 177th Information Aggressor Squadron as it portrayed a cyber adversary attacking the Enclave Control Node logically situated behind JRSS defenses,” the report says.
The report keys in on a handful of specific underlying issues: difficulty managing large amounts of data within a JRSS stack; lagging training; a lack of codified JRSS joint tactics, techniques, and procedures; and insufficient manning.