Back to news

March 18, 2020 | International, C4ISR, Security

The Pentagon is handling cyber vulnerabilities inconsistently

Mark Pomerleau

The Department of Defense has not consistently mitigated cyber vulnerabilities identified in a 2012 report, according to the department's inspector general.

The DoD IG issued a follow-on report to its 2012 report, issued March 13 and made public March 17, that determined cyber red teams didn't report the results of assessments to organizations and components didn't effectively correct or mitigate the identified vulnerabilities.

The new report discovered that components didn't consistently mitigate or include unmitigated vulnerabilities identified in the prior audit and during this audit by red teams during combatant command exercises, operational testing assessments and agency-specific assessments in plans of action and milestones.

“Ensuring DoD Components mitigate vulnerabilities is essential to achieve a better return on investment,” the report stated. “In addition, we determined that the DoD did not establish a unified approach to support and prioritize DoD Cyber Red Team missions. Instead, the DoD Components implemented Component-specific approaches to staff, train and develop tools for DoD Cyber Red Teams, and prioritize DoD Cyber Red Team missions.”

The report found that DoD didn't establish a unified approach because it didn't assign an organization with responsibility to oversee and synchronize red team activity based on priorities, it didn't assess the resources needed for each red team and identify requirements to train them to meet priorities and it didn't develop baseline tools to perform assessments.

“Without an enterprisewide solution to staff, train and develop tools for DoD Cyber Red Teams and prioritize their missions, DoD Cyber Red Teams have not met current mission requests and will not meet future requests because of the increased demands for DoD Cyber Red Team services,” the report said. “Until the DoD assigns an organization to assess DoD Cyber Red Team resources, it will be unable to determine the number of DoD Cyber Red Teams and staffing of each team to support mission needs, which will impact the Do D's ability to identify vulnerabilities and take corrective actions that limit malicious actors from compromising DoD operations.”

The DoD IG issued seven recommendations the secretary of defense assign an organization responsibility for. They include:

  • Review and assess red team reports for systemic vulnerabilities and coordinate the development and implementation of enterprise solutions to mitigate them;
  • Ensure components develop and implement a risk-based process to assess the impact of identified vulnerabilities and prioritize funding for corrective actions for high-risk vulnerabilities;
  • Ensure components develop and implement processes for providing reports with red team findings and recommendations to organizations with responsibility for corrective actions;
  • Develop processes and procedures to oversee red team activities, including synchronizing and prioritizing red team missions, to ensure activities align with priorities;
  • Perform a joint DoD-wide mission-impact analysis to determine the number of red teams, minimum staffing levels of each team, the composition of the staffing levels needed to meet current and future mission requests;
  • Assess and identify a baseline of core and specialized training standards, based on the three red team roles that team staff must meet for the team to be certified and accredited; and
  • Identify and develop baseline tools needed by red teams to perform missions.

https://www.fifthdomain.com/dod/2020/03/17/the-pentagon-is-handling-cyber-vulnerabilities-inconsistently/

On the same subject

  • Italy prepares to launch submarine rescue vessel programme

    January 22, 2019 | International, Naval

    Italy prepares to launch submarine rescue vessel programme

    The Italian Ministry of Defence's Naval Armament Directorate is gearing up to launch its acquisition programme for a new multirole submarine rescue vessel by mid-2019. The Special and Diving Operations - Submarine Rescue Ship (SDO-SuRS), for which EUR424 million (USD481.7 million) has been earmarked from 2018, is intended to replace the ageing salvage ship, Anteo . Jane's understands that the vessel will have a modular design in order to carry out its three main tasks of submarine rescue in addition to supporting special forces and diving operations carried out by the Italian Navy's Comando Subacquei ed Incursori (COMSUBIN) special forces and divers command. Basic specifications include a full-load displacement of about 8,500 tonnes, an overall length of 120 m, and a 20 m beam. The ship will be powered by an integrated full-electric propulsion system (IFEP) - using two azimuthal propulsion pods and two bow-mounted thrusters - able to achieve a maximum speed of 15 kt. Full article: https://www.janes.com/article/85856/italy-prepares-to-launch-submarine-rescue-vessel-programme

  • Airbus demos Remote Carrier 'loyal wingman' connectivity with Eurofighters and Tornados

    July 31, 2020 | International, Aerospace

    Airbus demos Remote Carrier 'loyal wingman' connectivity with Eurofighters and Tornados

    by Gareth Jennings Airbus has demonstrated for the first time with real combat aircraft the Remote Carrier (RC) ‘loyal wingman' technology it is developing for the Future Combat Air System (FCAS)/Systeme de Combat Arien du Futur (SCAF) programme. The event during the Luftwaffe's Timber Express exercise over northern Germany and the North Sea, announced by the company on 30 July, saw national Eurofighter and Panavia Tornado aircraft demonstrate interconnectivity with an RC network using the Link 16 datalink. “During the exercise, the Remote Carriers, which currently use the Compact Airborne Networking Data Link (CANDL), were successfully connected to Link 16, the operational tactical datalink of the armed forces. The Remote Carriers were not only visible to all tactical combat aircraft of the [German] Air Force, but could also receive and execute orders without the need for technical modifications to the aircraft,” Airbus said. As noted by the company, this event was followed up with a demonstration of RC interoperability with the NATO concept of Co-operative ESM Operations (CESMO); a reconnaissance network spanning several branches of the armed forces aimed at locating threat systems in the electromagnetic spectrum in real time. https://www.janes.com/defence-news/news-detail/airbus-demos-remote-carrier-loyal-wingman-connectivity-with-eurofighters-and-tornados

  • DIU awards $45M contract for weapon systems cybersecurity

    May 13, 2020 | International, C4ISR, Security

    DIU awards $45M contract for weapon systems cybersecurity

    Andrew Eversden The Defense Innovation Unit awarded a $45 million to a Silicon Valley-based tech startup to perform cybersecurity testing on Defense Department weapon systems' applications, the company announced May 11. The company, ForAllSecure, has been prototyping its cybersecurity testing platform, known as Mayhem, with DoD components for more than three years. DIU made the award on the five-year contract April 23, a ForAllSecure spokesperson said. ForAllSecure is working with the Air Force 96th Cyberspace Test Group, the Air Force 90th Cyberspace Operations Squadron, the Naval Sea Systems Command (NAVSEA) and the U.S. Army Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance and Reconnaissance Center (C5ISR). The same DoD users have worked with ForAllSecure throughout the prototyping process for the company's platform, which finds bugs in applications and shows the user how they can be triggered. The platform will allow for a continuous testing for vulnerabilities in weapons systems. “One of the problems that [the department] run[s] into is this idea that there's a point in time when you're done" with cybersecurity," said David Brumley, chief executive officer of ForAllSecure. "It all comes down to how quickly can you test and retest.” In the last few years of prototyping, the company went through 10 iterations of Mayhem. One significant piece the company added to those iterations were cybersecurity tutorials for users. ForAllSecure's work on Mayhem started before a troubling report from the Government Accountability Office that highlighted several cybersecurity challenges and shortfalls that the Defense Department's weapons systems faced in light of potential advanced cyberattacks. “If you look at the GAO report, they simply weren't embedding cybersecurity testing in the process at all," Brumley said. “So this is adding this common sense measure and it's automating it.” In 2016, the company's Mayhem platform won the Defense Advanced Research Projects Agency's Cyber Grand Challenge, an automated defensive cybersecurity competition. That victory came with a $2 million prize. Since that victory, Brumley said that the company has run into a few unique challenges working with other DoD components, particularly around installing the platform. “When DARPA has their contest, it really only has to work for the developers,” Brumley said. “When you go to a product, you have to go to an unknown site, you have to install. You have to repeatedly do that.” https://www.fifthdomain.com/dod/2020/05/12/diu-awards-45m-contract-for-weapon-systems-cybersecurity/

All news