U.S. military networks not prepared for cyber threats, report warns

Consequences of a full-scale cyber conflict could be major, Defense Science Board warns in unusually grim report

The U.S. is dangerously unprepared to face a full-scale cyber conflict launched by a peer adversary, a report by the military's Defense Science Board (DSB) warns.

The report, released in January, and first reported on by the Washington Post on Tuesday, is based on an 18-month study of the resilience of U.S. military systems to cyberattacks.

It reflects the perspective of 24 members of a DSB Task Force, who interviewed more than four dozen Department of Defense (DoD) officials, members of the U.S. intelligence community, policy makers and security practitioners from private industry, academia and national laboratories.

The conclusions in the report are grim, even by the often Cassandra-like standards of the cyber security industry.

"The benefits to an attacker using cyber exploits are potentially spectacular," the report warned. "Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space."

The attacks could cause U.S. guns, missiles, and bombs to fail, misfire or be directed against the country's troops. Supply chains could be disrupted, resulting in critical shortages of food, water and ammunition. "Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces," the report noted.

The impact of a full-scale cyber assault on the civilian population would be even greater, with the power grid, communications infrastructure, financial networks and fuel distribution infrastructure all getting crippled. "In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless," the report said.

Many of the problems have to do with the relative lack of readiness of U.S. military networks and critical infrastructure networks to withstand a sustained cyberattack. DoD networks and those belonging to many of its contractors have already been deeply compromised and have sustained "staggering losses" of system design information and other vital information reflecting decades of combat knowledge, the DSB report cautioned.

Many of the networks that the DoD relies on are built on "inherently insecure" architectures and technologies. Many critical systems used by the Pentagon incorporate foreign-built components that could be used by adversaries to spy on and gather information. As an example, the DSB report pointed to a 1970s Soviet operation codenamed Gunman, where Soviet intelligence operatives managed to insert keystroke-logging malware on 16 IBM Selectric typewriters at the U.S. embassy in Moscow.

DoD attempts to address the vulnerabilities on its networks have been numerous, but fragmented, the report noted. As a result, the military is simply not prepared to meet the cyber threats that are ranged against it. In recent penetration tests and mock attacks, U.S. Army "red teams" have been able to very easily penetrate and disrupt Army networks.

"Typically, the disruption is so great, that the exercise must be essentially reset without the cyber intrusion to allow enough operational capability to proceed," the report said. The demonstrations showed that many DoD systems are likely going to be unable to withstand even a "modestly aggressive cyberattack."

The report offers several recommendations on what the government and the military need to do to address the problems. Among them is the need for a strong deterrent capability in cyberspace, the development of a strong incident response capability based on a thorough understanding of an adversary's cyber capabilities, and the need for robust cyber offensive capabilities.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
