Is the U.S. Failing at Cyberwarfare?
Recently, an investigation led by the Government Accountability Office (GAO) revealed that the Department of Defense (DoD) is severely lacking in the appropriately trained IT and cybersecurity staff needed to secure its weapons systems. This poses a threat that can hinder the department’s military capabilities. While many factors contribute to the current deficiencies in our armed forces’ cybersecurity, the greatest obstacle the department faces is the lack of qualified cyber specialists in the DoD’s cyberwarfare command. In order to acquire and retain skilled personnel for cyberwarfare, changes will have to be made to the culture of its cyberwarfare component.
The reason behind the GAO’s probe is the upcoming investment of hundreds of billions by the DoD for the development of weapons systems. The GAO was tasked with assessing the cybersecurity aspect of the DoD’s weapons system to ensure that current and future systems are properly protected from cyber threats. The probe found numerous mission-critical vulnerabilities in current weapons systems and ones under development.
The GAO reviewed reports completed by DoD testing teams between 2012 and 2017. In one instance, a two-person test team was able to penetrate cybersecurity protocols and gain unauthorized access to weapons systems within an hour. In another case, a tester was able to guess an administrator’s password. Even more startling, another team executed a denial-of-service attack which forced computer terminals to reboot. To make matters worse, this was achieved using basic penetration tools and techniques. The test reports also showed poor password management practices, such as using default passwords.
Historically, the DoD has not made cybersecurity its main priority, focusing more on the hardware aspect of its weapons systems. Now is the time for a shift in that philosophy, considering that the hackers of today are adept to the point that they can easily create and employ aggressive forms of malware like the GandCrab ransomware threat, which has propagated at an alarming rate. One could conclude that such hackers have the ability to attack and penetrate weapons systems or other sensitive assets controlled by the U.S. government. The biggest takeaway from the investigation is the revelation that cyber operators are not currently equipped with the skills needed to repel the testers’ attacks. Maybe it’s time to employ hackers to fortify cybersecurity protocols?
Why is it harder for the military to secure skilled cyberwarriors? A likely reason could be the culture within the military. To understand why military culture affects the DoD’s cyber capabilities, we must first look at the organization in charge of cyberwarfare. Within the DoD, the United States Cyber Command (USCYBERCOM) is responsible for our military cyber operations and cyberdefense. USCYBERCOM is a unified command under the Army, Navy, Air Force, and Marine Corps. The NSA also contributes to the cybersecurity effort when needed.
Aside from the NSA, the majority of USCYBERCOM personnel are active-duty service members. Here is where military culture comes into play. For the most part, the military environment tends to focus on structure and discipline instead of flexibility and innovation, which are essential to fields like cybersecurity.
One only needs to look at the result of a cyber wargame exercise conducted at Fort Meade, Maryland, to realize the gap in IT proficiency. In this exercise, the military’s best active-duty “cyberwarriors” were pitted against reservists who work in the civilian sector. To put it in the words of a Capitol Hill staffer present during the event, the active-duty personnel were “pretty much obliterated.”
In an article, Lieutenant Colonel Gregory Conti and Lieutenant Colonel Jen Easterly highlight how prospective cyber personnel perceive the military. Some of the feedback from the technical community included lack of career advancement, technically ignorant leadership, and a bias towards noncombat roles.
One of the points reflected in the report is leadership without technical knowledge. DoD officials questioned the validity of the reports on the grounds that the testers had more information and access than an outside attacker would. These claims were later refuted by the test organizations and the NSA on the grounds that cyberattackers are not operating under the same constraints, such as time limits for the test and limited funding.
Besides acquisition, another issue caused by military culture is the retention of skilled IT professionals. Regardless of pay, many service members stay in the military due to its housing and healthcare benefits, as well as the satisfaction of serving one's country. However, not being respected by your branch because you have a desk job could lower the motivation to stay. There is also very little room for career advancement in the military when it comes to technical jobs. This in turn creates the aforementioned issue of a lack of leadership with proficiency in information systems.
Given the number of vulnerabilities uncovered by the investigation, it is safe to say that U.S. cyber capabilities are not as effective as they should be. This will not change unless skilled personnel are acquired. To do this, USCYBERCOM has to make changes to its culture in order to attract and retain capable IT technicians.