Report: Combatant commands vulnerable to cyber attacks


Cyber red teams are still able to gain the upper hand in major training exercises, and combatant command missions "remain at risk when subjected to cyber-attacks emulating an advanced nation-state adversary," according to a Department of Defense report.

The Office of the Director, Operational Test and Evaluation FY 2016 Annual Report says that some DOD programs and networks have made significant improvements against cyber attacks and threats in recent years.

"DOT&E's cybersecurity assessment program has helped [combatant commands] address major cybersecurity vulnerabilities through its focus on finding vulnerabilities, helping the CCMD to fix the vulnerabilities, and independently verifying that the vulnerabilities have indeed been fixed," states the report.

However, the report's praise is short-lived. It goes on to say:

"DOD personnel too often treat network defense as an administrative function, not a war fighting capability. Until this paradigm changes, and the change is reflected in the Department's approach to cybersecurity personnel, resource allocation, training, accountability, and program and network management, the Department will continue to struggle to adequately defend its systems and networks from advanced cyberattacks."

The report states that red teams emulating even moderate-level adversaries are able to penetrate DOD networks and move around undetected for "extended periods of time."

While the annual Pentagon testing report expresses concerns about the cyber defense and resilience capabilities of military units in training exercises, it raises more concerns about the state of cyber training exercises and the growing unmet need for red team capabilities.

"DOD had an enviable share of master-level operators seven years ago, but a significant number of these cyber experts accepted positions in the private sector in the ensuing years, often because of the increased wages and more relaxed work environment," the report states.

The report states that in recent years, combatant commands have provided more opportunities for DOT&E to inject cyber attacks into training exercises and observe the results. "However, exercise and network authorities seldom allow fully representative cyberattacks, and complete assessments of protection, detection, and response capabilities."

In addition to the need for more red teams, DOT&E says the DOD needs more cyber training ranges with greater capabilities to emulate real-world cyberthreats.

"Existing ranges will not be able to fully support the anticipated near-term requirements, including: needed training for the Cyber Mission Forces (CMF), more realistic CCMD and Service exercises and assessments, and rapidly increasing acquisition program cyber testing requirements."

The report states that recent investments in the Persistent Training Environment and Cyber Test Ranges "should help remedy these shortfalls, but improvements are likely to remain sub-optimized due to lack of a single Executive Agent for cyber ranges."

The report goes on to warn that many of the DOD's Cyber Protection Teams have not received proper training and equipment, and many CPT members are scheduled to depart, which means DOD needs to prioritize "attracting, training, and retaining skilled individuals for the CPT."

DOT&E also cautions that many combatant commands have become increasingly interested in Offensive Cyber Operations, but they lack confidence in those capabilities because "OCO developers have not tested the capabilities in a realistic environment."

The report recommends that commands and services "reduce restrictions that prevent testing and training against realistic cyber threats, and perform 'fight-through' events to demonstrate that their critical missions are resilient in contested cyber environments."

It also recommends upgrading red teams and testing environments to allow red teams to "portray relevant and representative adversaries, including advanced nation-state threats."

The report further recommends that DOD not just focus on hardening its systems, but also "assume breach" and increase resilience to contain adversaries that do penetrate systems.

Other recommendations include improving overall cyber testing planning and metrics, cyber testing of fielded systems, and more testing of legacy systems such as Programmable Logic Controllers and Cross-Domain Solutions that the report says could introduce cyber vulnerabilities.

FCW reached out to DOD and U.S. Cyber Command to discuss the report and its findings. Two weeks later, a USCYBERCOM spokesperson emailed a response.

"We have seen the DOT&E report on Cyber Security and continue to coordinate with them regarding their recommendations," stated the official.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

