The Department of Defense’s annual report from the Director of Operational Test and Evaluation (DOT&E) identified 400 cybersecurity vulnerabilities across 33 systems.
“All of the problem discoveries could have and should have been identified prior to operational testing,” Director Michael Gilmore wrote in the fiscal year 2013 report.
Approximately 90 percent of the vulnerabilities could have been discovered during developmental testing before the systems were put into operational testing. Problems identified this late are classified as Case 1, which suggests that managers most likely focused too much on budget and schedule instead of test results. Gilmore noted that the report did not determine whether vulnerabilities had been found in developmental testing and ignored or if they had only appeared in operational testing.
“However, the fact that so many vulnerabilities are being found late in a program’s acquisition cycle is one of the main reasons why DOT&E and USD(AT&L) [Undersecretary of Defense for Acquisition, Technology and Logistics] are collaborating on a revised cybersecurity policy,” he wrote.
Nearly half of the 400 vulnerabilities were also classified as the highest category of risk for debilitating systems. The three most common cybersecurity issues at this level were: 1) out-of-date or unpatched software, 2) configurations that included known code vulnerabilities and 3) the use of default passwords in fielded systems.
The report did not elaborate on how these issues could be resolved. Apart from the obvious fixes of patching software as vulnerabilities are discovered, updating software as new versions are released and regularly changing passwords, code can be analyzed in the very early stages of development. Before the software is placed in the system, IT specialists can manually read program code or test it in a “sandbox”–an area isolated from the network where code can be tested and observed.
The report did not specify which 33 systems had undergone cybersecurity assessments, but several of the systems described as Case or Category 1 demonstrated significant cyber flaws.
The Navy’s Consolidated Afloat Networks and Enterprise Services (CANES), which connects ships, submarines and shore sites, showed 29 of the highest risk cyber vulnerabilities and 172 lower vulnerabilities. Only four of 32 baseline applications had been tested.
Due to coding problems, the Navy’s Acoustic Rapid Commercial Off-the-Shelf Insertion (A-RCI) submarine sonar system would not be able to identify ships in high reverberation areas. The environments used in the developmental phase were more “benign,” the report said. A fix has been implemented but not yet tested.
Testing of the already fielded Defense Enterprise Accounting and Management System (DEAMS) showed more than 200 software defects.
Without developmental testing, the Automated Biometric Identification System (ABIS) was unable to be updated. This problem should have been discovered in testing, the report said.
In addition to unreliability, the Joint Battle Command – Platform (JBC-P), which helps friendly forces community and target enemies, demonstrated spontaneous computer reboots and message problems. Messages were duplicated and changed formats during transmission.
The Public Key Infrastructure (PKI), which provides password tokens to allow DoD employees to access classified networks, showed inability to properly manage the tokens and identify tokens that were being reused.