
March 18, 2020 | International, C4ISR, Security

The Pentagon is handling cyber vulnerabilities inconsistently

Mark Pomerleau

The Department of Defense has not consistently mitigated cyber vulnerabilities identified in a 2012 report, according to the department's inspector general.

The DoD IG issued a follow-on report to its 2012 report, issued March 13 and made public March 17, that determined cyber red teams didn't report the results of assessments to organizations and components didn't effectively correct or mitigate the identified vulnerabilities.

The new report found that components didn't consistently mitigate vulnerabilities identified in the prior audit and during this audit by red teams during combatant command exercises, operational testing assessments and agency-specific assessments, or include the unmitigated vulnerabilities in plans of action and milestones.

“Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment,” the report stated. “In addition, we determined that the DoD did not establish a unified approach to support and prioritize DoD Cyber Red Team missions. Instead, the DoD Components implemented Component-specific approaches to staff, train and develop tools for DoD Cyber Red Teams, and prioritize DoD Cyber Red Team missions.”

The report found that DoD didn't establish a unified approach because it didn't assign an organization with responsibility to oversee and synchronize red team activity based on priorities, it didn't assess the resources needed for each red team and identify requirements to train them to meet priorities and it didn't develop baseline tools to perform assessments.

“Without an enterprisewide solution to staff, train and develop tools for DoD Cyber Red Teams and prioritize their missions, DoD Cyber Red Teams have not met current mission requests and will not meet future requests because of the increased demands for DoD Cyber Red Team services,” the report said. “Until the DoD assigns an organization to assess DoD Cyber Red Team resources, it will be unable to determine the number of DoD Cyber Red Teams and staffing of each team to support mission needs, which will impact the DoD's ability to identify vulnerabilities and take corrective actions that limit malicious actors from compromising DoD operations.”

The DoD IG issued seven recommendations, calling on the secretary of defense to assign an organization responsibility for them. They include:

  • Review and assess red team reports for systemic vulnerabilities and coordinate the development and implementation of enterprise solutions to mitigate them;
  • Ensure components develop and implement a risk-based process to assess the impact of identified vulnerabilities and prioritize funding for corrective actions for high-risk vulnerabilities;
  • Ensure components develop and implement processes for providing reports with red team findings and recommendations to organizations with responsibility for corrective actions;
  • Develop processes and procedures to oversee red team activities, including synchronizing and prioritizing red team missions, to ensure activities align with priorities;
  • Perform a joint DoD-wide mission-impact analysis to determine the number of red teams, minimum staffing levels of each team and the composition of the staffing levels needed to meet current and future mission requests;
  • Assess and identify a baseline of core and specialized training standards, based on the three red team roles, that team staff must meet for the team to be certified and accredited; and
  • Identify and develop baseline tools needed by red teams to perform missions.

https://www.fifthdomain.com/dod/2020/03/17/the-pentagon-is-handling-cyber-vulnerabilities-inconsistently/
