Congress: U.S. Military Highly Vulnerable to Cyber Attacks

Report: Defense Department 'should expect cyber attacks to be part of all conflicts in the future'

June 1, 2015

Congress wants the Pentagon to spend more than $200 million to identify holes in U.S. weapons and communications software that could allow foreign militaries to disrupt or defeat advanced arms in cyber attacks.

The House version of the $612 billion fiscal 2016 defense authorization bill warns that despite a 2013 Pentagon report warning of major vulnerabilities in the cyber security of weapons systems, the military is lagging behind in closing the software holes.

The Senate version of the defense bill authorizes $200 million for a three-year cyber vulnerability assessment of all major weapons systems focusing on whether they can be hacked. An additional $75 million was authorized for the U.S. Cyber Command to rapidly obtain critical cyber warfare capabilities.

The House has passed its version of the bill and the Senate bill will be debated within the next two weeks. A final version is expected to be completed by the end of summer.

China is considered the major cyber weapons threat to U.S. weapons systems. Over the past decade, Chinese military hackers have penetrated major defense contractors involved in cutting edge weapons systems, including the fifth generation F-35 Joint Strike Fighter.

Security analysts say that by gaining access to F-35 technology secrets, China might be able to conduct information-based attacks in the future that could disrupt the aircraft’s sophisticated electronics, rendering the jet either ineffective in combat or, more likely, vulnerable to increasingly sophisticated Chinese air defenses.

Chinese military writings have also identified U.S. command and control networks as vulnerable to disruption by cyber strikes and major targets for cyber warfare attacks.

U.S. weapons systems rely heavily on electronic networks for joint war fighting. The networking has taken place "without a sufficient appreciation of the cyber security threat environments currently facing such systems," the House report says.

The cyber threat to U.S. high-tech weapons systems was outlined in detail in a January 2013 report by the Defense Science Board.

The Science Board report, "Resilient Military Systems and the Advanced Cyber Threat," presents an alarming picture of military cyber security, describing current efforts as "fragmented" and warning that "DoD is not prepared to defend against this threat."

"DoD red teams, using cyber attack tools, which can be downloaded from the Internet, are very successful at defeating our systems," the report said. "U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components."

The main danger, according to the report, is a well-orchestrated, preemptive cyber attack using integrated cyber and kinetic weapons that "could render the U.S. incapable of using any of its own offensive capabilities for a retaliatory strike."

"DoD should expect cyber attacks to be part of all conflicts in the future, and DoD should not expect adversaries to play by U.S. versions of the rules (e.g. should expect that they will use surrogates for exploitation and offensive operations, share IP with local industries for economic gain, etc.)," the report said.

"It will take years for the department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities," the report concludes.

Among its recommendations are efforts to protect U.S. nuclear strike capabilities from cyber attacks; refocusing intelligence to better understand enemy cyber capabilities, plans, and intentions; and build a "cyber resilient force."

That resiliency will be modeled on the U.S. strategic nuclear deterrent system that uses segregation, inspection, trusted suppliers, and other measures.

Achieving resiliency will involve identifying conventional weapons systems capable of withstanding cyber attacks that can be relied upon in wartime. These cyber resistant forces must then be segmented and used for specific missions.

"Only these forces receive the highest degree of cyber resilience necessary for assured operation in the face of a full spectrum adversary," the report said.

"This protected-conventional capability, combined with offensive cyber [forces] … form the rungs of an escalation ladder with nuclear forces at the top," the report said. "To achieve a high degree of cyber resilience at an affordable cost, the department must segment and segregate the force structure that deliver the desired capability in response to a cyber threat."

The Senate bill called for the Pentagon and military services to develop an integrated policy designed to deter cyber enemies, and military options in response to cyber attacks. Regular military exercises to respond to critical infrastructure-related cyber attacks also will be required under the legislation.

The House noted that the military needs protection from cyber attacks involving weapons and "mission" systems as well as those involving traditional networks and information systems. It called for "cyber resiliency"—the ability to withstand cyber attacks and regenerate capabilities after cyber attacks.

The House Armed Services Committee "is concerned that progress on the identification and remediation of cyber vulnerabilities on vital legacy platforms may be lagging," the report said.

"Moreover, the committee is concerned that without the direction and funding to immediately address these vulnerabilities, program leaders will continue to focus limited resources on other platform needs."

The House called on the military chiefs to brief Congress on the vulnerabilities of legacy and weapons systems and efforts to close them.

Additionally, the Senate wants the Pentagon to set up an independent panel to assess the ability of national cyber mission forces to prevent or block large-scale cyber attacks "by foreign powers with capabilities comparable to those expected of China, Iran, North Korea, and Russia in years 2020 and 2025."

The legislative provisions make clear that the U.S. military and its joint war fighting capabilities remain vulnerable to cyber attacks