Report: Combatant commands vulnerable to cyber attacks
Cyber red teams are still able to gain the upper hand in major training exercises, and combatant command missions "remain at risk when subjected to cyber-attacks emulating an advanced nation-state adversary," according to a Department of Defense report.
The Office of the Director, Operational Test and Evaluation FY 2016 Annual Report says that some DOD programs and networks have made significant improvements against cyber attacks and threats in recent years.
"DOT&E's cybersecurity assessment program has helped [combatant commands] address major cybersecurity vulnerabilities through its focus on finding vulnerabilities, helping the CCMD to fix the vulnerabilities, and independently verifying that the vulnerabilities have indeed been fixed," states the report.
However, the report's praise is short-lived. It goes on to say:
"DOD personnel too often treat network defense as an administrative function, not a war fighting capability. Until this paradigm changes, and the change is reflected in the Department's approach to cybersecurity personnel, resource allocation, training, accountability, and program and network management, the Department will continue to struggle to adequately defend its systems and networks from advanced cyberattacks."
The report states that red teams emulating even moderate-level adversaries are able to penetrate DOD networks and move around undetected for "extended periods of time."
While the annual Pentagon testing report expresses concerns about the cyber defense and resilience capabilities of military units in training exercises, it raises more concerns about the state of cyber training exercises and the growing unmet need for red team capabilities.
"DOD had an enviable share of master-level operators seven years ago, but a significant number of these cyber experts accepted positions in the private sector in the ensuing years, often because of the increased wages and more relaxed work environment," the report states.
The report states that in recent years, combatant commands have provided more opportunities for DOT&E to inject cyber attacks into training exercises and observe the results. "However, exercise and network authorities seldom allow fully representative cyberattacks, and complete assessments of protection, detection, and response capabilities."
In addition to the need for more red teams, DOT&E says the DOD needs more cyber training ranges with greater capabilities to emulate real-world cyberthreats.
"Existing ranges will not be able to fully support the anticipated near-term requirements, including: needed training for the Cyber Mission Forces (CMF), more realistic CCMD and Service exercises and assessments, and rapidly increasing acquisition program cyber testing requirements."
The report states that recent investments in the Persistent Training Environment and Cyber Test Ranges "should help remedy these shortfalls, but improvements are likely to remain sub-optimized due to lack of a single Executive Agent for cyber ranges."
The report goes on to warn that many of the DOD's Cyber Protection Teams have not received proper training and equipment, and many CPT members are schedule to depart, which means DOD needs to prioritize "attracting, training, and retaining skilled individuals for the CPT."
DOT&E also cautions that many combatant commands have become increasingly interested in Offensive Cyber Operations, but they lack confidence in those capabilities because "OCO developers have not tested the capabilities in a realistic environment."
The report recommends that commands and services "reduce restrictions that prevent testing and training against realistic cyber threats, and perform 'fight-through' events to demonstrate that their critical missions are resilient in contested cyber environments."
It also recommends upgrading red teams and testing environments to allow red teams to "portray relevant and representative adversaries, including advanced nation-state threats."
The report further recommends that DOD focus not just on hardening its systems, but to "assume breach" and increase resilience to contain adversaries that do penetrate systems.
Other recommendations include improving overall cyber testing planning and metrics, cyber testing fielded systems and more testing of legacy systems such as Programmable Logic Controllers and Cross-Domain Solutions that the report says could introduce cyber vulnerabilities.
FCW reached out to DOD and U.S. Cyber Command to discuss the report and its findings. Two weeks later, a USCYBERCOM spokesperson emailed a response.
"We have seen the DOT&E report on Cyber Security and continue to coordinate with them regarding their recommendations," stated the official.