A new Defense Science Board report, produced by a special task force, has raised serious questions about how robust existing and future defense systems are and will be against cyber attacks and cyber intrusions. As the Trump administration rightly commits billions of dollars to overhaul worn-out weapons platforms, is attention being given to cyber threats? Or will our patched-up systems be compromised and fail us when we most need them?
The task force’s report makes clear that most U.S. weapons already in the field have no formal cyber protection plan; cyber protection was not included in any design requirement. More recently, the Department of Defense began requiring Program Protection Plans, or PPP, for weapons, but these only apply to the design and development stage and not activities in the field, have been executed unevenly at best, and have lacked clear standards of implementation. The task force worries that vulnerabilities can be maliciously inserted into systems and there is no PPP-type analysis in the sustainment side of the acquisition process, meaning that once a weapon is fielded it can be years before corrections are made, if ever.
Take a familiar threat such as the Heartbleed bug, a vulnerability in the OpenSSL library that enables internet-encrypted information to be stolen. The bug was introduced in 2012 but not “discovered” until 2014, first by a Finnish cyber company and later by Google. There are reports that the National Security Agency knew about it sooner, but did not report it, probably because the NSA allegedly exploited the vulnerability. Because DoD systems increasingly use internet protocols for just about everything, all of them using such protocols are subject to exploitation by an adversary, whether the adversary is a nation state, terrorist organization or band of criminals such as drug dealers. It is unlikely, even at this late date, that the Heartbleed vulnerability has been cleaned out of military systems.
A critical problem facing the Defense Department is that too much of its critical hardware and software either is, or derives from, commercial off-the-shelf products. Because the DoD has limited influence over the commercial sector, there are certain systemic weaknesses beyond the normal security limitations of commercial products. Two among them are the lack of vetting of the engineers and technicians who produce the hardware and software; and the corollary that commercial companies often use community-sourced free code to save money and time. Heartbleed came from community-sourced code. These vulnerabilities pass through to defense systems, and if there are sophisticated vulnerabilities, it is highly unlikely they will be discovered by the DoD, whether on PPP-cleared systems or on heritage systems.
What we know from past experience is that information about U.S. weapons is sought after. And where weapons have been supplied abroad or co-produced outside of American territory, they have been ruthlessly exploited, especially by Russia. More recently, as the U.S. uses high-tech systems in Afghanistan and Iraq, including advanced surveillance and killer drones, adversaries have had the chance to see how they operate and exploit them. Most notable was the loss of the RQ-170 drone to Iran.
In fact, the RQ-170 is a paradigm for what is wrong with the Pentagon’s weapons security.
Developed by Lockheed Martin’s famous Skunk Works, the RQ-170 is a stealth remotely piloted platform that operates at high altitude (50,000-plus feet) and can carry out highly sophisticated surveillance. The platform provides real-time imagery and advanced signals intelligence. It is equipped with the most advanced active electronically scanned array radar, a synthetic aperture radar, meaning it can see clearly at night and through clouds and fog, and signals intelligence gathering systems that can listen to enemy activity. The RQ-170 is a highly classified, advanced platform.
Even so, an RQ-170 probably doing intelligence gathering on Iran’s nuclear and missile programs was captured by Iran in 2011. Iran was able to take over positive control of the drone and land it at an Iranian air base, intact except for some wing damage. Iran had good intelligence on how the system operated, could override signals from the RQ-170’s base controller and could fly the aircraft. The flight management system was wide open to compromise — likely because it was built out of commercially available hardware and communications.
The task force focuses on the vulnerability of integrated circuits, including microprocessors and application-specific integrated circuits, or ASIC. Modern DoD systems use a lot of ASICs, and while they are customized for certain tasks, they are mostly built up from existing libraries maintained by semiconductor foundries and design houses, saving time and reducing costs. But using this open system leaves DoD systems with a hole that can only grow larger. Because the DoD holds onto systems for many, many years, the ASICs currently in use in defense systems are highly vulnerable to exploitation. In addition, in many cases, critical electronic parts are sourced from secondary global suppliers.
While the Trump administration should be lauded for tackling our broken-down weapons platforms, no funds appear to be directed at identifying and fixing the biggest cyber vulnerabilities. Maybe the Taliban and the Islamic State group don’t have the time or ability to take advantage of these weaknesses, but Russia, China and even North Korea do. It is time to commit real resources to cyber vulnerabilities before we find out that some of our best stuff, like the Terminal High Altitude Area Defense, or THAAD (fielded first in 2008), doesn’t work when we push the button.
*Stephen Bryen was founder and first head of the Defense Technology Security Administration. He also worked in industry as the president of Finmeccanica North America and as president of SDB Partners LL, and is a Fellow at the American Center for Democracy.
*This commentary was published by DefenseNews on March 29, 2017.