Department of Defense networks and weapon systems remain vulnerable to adversarial cyber attacks, and programs such as the Joint Regional Security Stacks and Cyber Protection Teams aren't meeting expectations, according to a new report from the office of the Director, Operational Test and Evaluation (DOT&E) published Jan. 25.
The new DOT&E report, which collects testing assessments from FY 2017, finds that while some aspects of network defenses have improved, there are still persistent flaws with software patching, deploying new cyber defenses and meeting expertise needs.
“DOT&E assessments over the past fiscal year confirmed that the conclusion from previous years is still valid – DOD missions and systems remain at risk from adversarial cyber operations,” wrote DOT&E officials in their report. “Assessments during Combatant Command training exercises confirmed that DOD cyber defenses are improving, but not enough to stop adversarial teams from penetrating defenses, operating undetected, and degrading missions.”
Operational tests over the last fiscal year showed continuous mission-critical vulnerabilities in DoD network defenses and acquisition programs, according to the report.
DOT&E assessments have shown that, without immediate improvement to network defenses, skilled adversaries will be able to gain significant access to systems holding information on warfighter missions and future plans.
“One of my top priorities will be to update cyber security and risk-based testing guidance to reflect best business practices,” said Robert Behler, director of OT&E, at the beginning of his office’s report. “I will advocate for additional resources for the development of automated software testing tools and the threat teams who use these tools. I will continue to advocate for rigorous cyber security testing and include evaluations of cyber security vulnerabilities in my assessments of systems.”
While Behler cites better results in defending against cyber threats in training environments over the last three years, current programs will need better results to ensure forces are able to defend networks outside of test situations.
The DoD-wide Joint Information Environment (JIE) program is behind on operational testing and officials have yet to make important capability fielding decisions.
DOT&E has recommended conducting thorough cyber security testing of all JIE capabilities before continuing its expansion.
The Joint Regional Security Stacks (JRSS) effort to better protect information networks also isn't meeting expectations. DOT&E has recommended discontinuing JRSS capability deployment until the program can demonstrate it is capable of fully detecting and responding to operationally realistic cyber-attacks.
“JRSS operator training lags behind JRSS deployment, and is not sufficient to prepare operators to effectively integrate and configure the complex, room-sized suite of JRSS hardware and associated software,” writes DOT&E.
Similar issues exist with the Cyber Protection Teams (CPTs) tasked with deploying JRSS technology, according to DOT&E.
CPTs continue to encounter operational challenges in integrating cyber defense mechanisms assessed in training exercises, and certain teams remain understaffed or have minimal operational experience.
“Some CPTs did not have the knowledge and experience on the intended networks to rapidly integrate with and supplement existing defenders,” the report said.
DOT&E has recommended that DoD improve its speed and efficiency in fielding software patches, implement U.S. Cyber Command’s directives in a more timely manner, reduce access to credentials and conduct active audits of all critical system configurations.
“As the number of lines of code increases so does the complexity of the system and cyber security vulnerabilities. As weapon systems increase their dependency on software, the potential cyber security attack surface also increases,” said Behler. “DOT&E has been a steady voice in the need to improve the cyber security posture of our systems, networks, and human interactions with networked systems.”