Prioritizing Weapon System Cybersecurity in a Post-Pandemic Defense Department
The coronavirus pandemic illustrates the extraordinary impact that invisible vulnerabilities—if unmitigated and exploited—can have on both the Department of Defense (DOD) and on national security more broadly. And while there are many lessons to be learned from today’s crisis, moving forward, the national security community should address its tendency to overlook invisible vulnerabilities—especially those which place critical systems and infrastructure at risk. This is especially true for DOD, which often prioritizes making very visible investments in new weapon systems over mitigating invisible vulnerabilities within existing systems.
The Cyberspace Solarium Commission recently advised DOD to shift this paradigm by institutionalizing a permanent process to evaluate weapon system cyber vulnerabilities. This recommendation builds upon past direction from Congress, which first tasked DOD to conduct cyber vulnerability assessments in 2016. And while DOD continues these assessments today, there is reason to worry that progress may stall in a post-pandemic Defense Department—especially if weapon systems are no longer a top national security priority or DOD’s budget is cut. Even under these circumstances, DOD can and should prioritize weapon system cybersecurity by further integrating cyber into its established acquisition processes and organizations.
Cyber-Securing DOD’s Weapon Systems
Just like traditional information technology (IT), such as personal computers and phones, DOD’s weapon systems are vulnerable to cyberattacks. Even though many weapon systems are air gapped (i.e., not directly connected to the internet), cyber-attackers can exploit external interfaces (e.g., radios, radars, and maintenance ports) to gain access to weapon systems’ internal computers, networks, and data. If a weapon system was not designed with cybersecurity in mind, attackers can exploit their initial access to disrupt or degrade a weapon system’s operation.
Since weapon systems support critical missions like nuclear command and control and position, navigation, and timing, DOD should continue prioritizing their cybersecurity, even as the department faces post-pandemic budget cuts. Traditionally, however, DOD’s cybersecurity efforts have focused on IT rather than on weapon systems. Even DOD’s newest cybersecurity initiative—the Cybersecurity Maturity Model Certification (CMMC)—focuses on IT, by levying new standards and certification processes on DOD’s contractors. Contractor IT systems do interface with weapon systems—through maintenance activities, for example—so securing them is important. However, securing contractor IT is not a substitute for also cyber-securing weapon systems themselves.
Ideally, DOD should address weapon system cybersecurity at the beginning of the acquisition process by defining cybersecurity requirements and designing systems to meet them. In 2017, DOD updated acquisition policies accordingly; today, acquisition program managers are responsible for defining, designing, and testing weapon systems to meet cybersecurity requirements.
Because cyber threats are often dynamic, defining requirements at the beginning of the acquisition process is not enough: DOD should also assess and mitigate weapon system cyber vulnerabilities throughout the acquisition process, especially during sustainment. Assessments are particularly important for systems that were fielded before 2017 and potentially without cybersecurity requirements. The Government Accountability Office (GAO), for example, reports that DOD discovered mission-critical cyber vulnerabilities in nearly all of the weapon systems that it operationally tested between 2012 and 2017. It is unsurprising, therefore, that a Cyberspace Solarium Commissioner recently warned that “the volume of new vulnerabilities in weapons systems may now exceed the ability of the Defense Department to identify and patch the systems before adversaries can exploit them.”
In response, the Commission recommended DOD institutionalize a permanent process for assessing weapon system cyber vulnerabilities. In a cost-constrained, post-pandemic department, however, this recommendation may be cause for concern, since assessments can be costly. In 2019, for example, the military services requested approximately $220 million to complete congressionally mandated cyber vulnerability evaluations ($88, $48, and $85 million for the Army, Navy, and Air Force, respectively). Going forward, however, DOD should anticipate that any future assessment budgets may be cut.
Steps to Prioritize Weapon System Cybersecurity
Fortunately, DOD can still prioritize weapon system cybersecurity even if its budget is cut. Toward this end, DOD should complete the steps outlined below to better integrate cyber into its established acquisition processes and organizations. By doing so, DOD will improve its ability to efficiently allocate limited resources and to leverage expertise from across the department.
First, as suggested by the Cyberspace Solarium Commission, DOD should institute a permanent process to periodically assess weapon system cyber vulnerabilities. Part of that process, however, should include mitigations as well. DOD must move away from the paradigm observed by GAO, where repeat assessments discover the same vulnerabilities and DOD cannot explain past decisions to leave vulnerabilities unmitigated.
Ideally, such decisions should be informed by a risk calculation that considers threat likelihood and potential mission impact. The acquisition process provides an established mechanism for integrating threat, mission, and cost data to make risk-informed decisions related to weapon systems. For this reason, second, DOD should avoid creating a separate process for assessing and mitigating weapon system cyber vulnerabilities. Instead, DOD should integrate cybersecurity risk assessments into its established acquisition processes.
Toward this end, DOD has already established cybersecurity key performance parameters for future weapon systems. For current weapon systems, DOD should perform cyber vulnerability assessments and mitigations within established sustainment and upgrade processes. Within these processes, DOD should treat unmitigated cyber vulnerabilities as threats to readiness and should prioritize mitigations accordingly.
To ensure that cyber is appropriately prioritized within these processes, third, DOD should elevate responsibility for cybersecurity oversight within the acquisition community. Today, program managers are responsible for developing, fielding, and maintaining weapon systems that meet cybersecurity requirements. As the Cyberspace Solarium Commission noted, however, weapon systems are highly networked and cyberattacks on one system can propagate and affect other systems.
For this reason, program managers should report known cyber vulnerabilities to acquisition leaders within their military service. Armed with an understanding of risk across their service’s portfolio of weapon systems, acquisition leaders can then prioritize mitigations according to risk severity or commonality across multiple programs. By keeping such decisions within the service acquisition community, DOD can ensure that its decisionmakers enjoy both the authority and the resources to directly task program managers to mitigate cyber risks. The Navy, which recently reformed its Naval Sea Systems Command (NAVSEA) to elevate and integrate cybersecurity initiatives across ship and submarine programs, appears to already be taking steps in this direction. NAVSEA, therefore, may offer a useful model for the rest of the department.
Fourth, to encourage acquisition leadership to prioritize cybersecurity, DOD should clearly specify relationships between service acquisition organizations and new service principal cyber advisors. Congress created service principal cyber advisors in 2020 but did not specify reporting, coordinating, or authority links between the cyber advisors and the acquisition community. Strong organizational ties will encourage the acquisition community to prioritize cybersecurity and to leverage service cyber expertise toward this aim.
Relatedly, fifth, DOD should consider opportunities to apply more service cyber expertise toward weapon system cybersecurity. Today, all cyber operations forces are assigned to U.S. Cyber Command. Cyber Command, in turn, allows the services to retain some cyber protection teams. These defense-focused teams execute service-specific missions, some of which reportedly include protecting weapon systems. Separate from Cyber Command, the military services also employ cybersecurity teams that focus on network maintenance and traditional IT-related tasks.
To prioritize weapon system cybersecurity using existing resources, DOD should leverage these teams’ expertise. If it has not already done so, DOD should assign some teams to persistently support organizations that operate and maintain weapon systems. When cybersecurity teams are organic to such organizations, they can build the specialized expertise that is unique to weapon system cyber defense and can institutionalize the vulnerability assessment and mitigation process. The Air Force, which recently converted traditional IT-focused squadrons into mission defense teams tasked with weapon system cyber defense, appears to be taking steps in this direction. The Air Force’s initiative, therefore, offers a model for leveraging the cyber expertise that already exists within the military services and applying it toward improving weapon system cybersecurity.
Mitigating Invisible Vulnerabilities instead of Making Visible Investments in Defense
After the coronavirus pandemic, DOD will be expected to do more with less. Budget constraints, however, should not prevent DOD from prioritizing weapon system cybersecurity. Rather than undertaking additional—and potentially costly—cyber vulnerability assessments, DOD should further integrate cyber into its established acquisition processes and organizations. By doing so, DOD will allocate resources more efficiently and will be better equipped to leverage expertise from across the department. Further, by continuing to prioritize weapon system cybersecurity—even while facing post-pandemic budget cuts—DOD can also demonstrate it has learned an important lesson from coronavirus: that mitigating invisible vulnerabilities is just as important as making traditional, visible investments in our nation’s defense.
Morgan Dwyer is a fellow in the International Security Program and deputy director for policy analysis in the Defense-Industrial Initiatives Group at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2020 by the Center for Strategic and International Studies. All rights reserved.