The Biden administration's pick to lead the Defense Department's operational testing, Nickolas Guertin, told lawmakers that the department's inability to conduct independent cyber assessments of commercial cloud systems is "a severe limitation."
"The only way to test whether a system can withstand an actual cyberattack is to actually conduct such an attack on the system in a test environment," Guertin wrote, adding that the cyber red teams certified by the National Security Agency that DOD uses for operational testing are "stretched thin" with limited resources.
"Regarding commercial cloud services, upon which DOD relies more and more to store highly sensitive, classified data, the biggest limitation is that DOD's current contracts with cloud vendors generally don't allow DOD to independently assess the security of cloud infrastructure owned by the commercial vendor. Unless this burden is lessened, it is difficult to assess the security of those clouds."
Guertin, who was most recently an applied researcher for software-reliant and cyber-physical systems at Carnegie Mellon University's Software Engineering Institute, testified during an Oct. 19 confirmation hearing before the Senate Armed Services Committee and repeatedly stressed the need for cybersecurity testing considerations throughout the acquisition and tech development process.
He also noted that determining the suitability of cloud systems generally hasn't been an issue for DOD, but that the inability to conduct independent assessments of commercial infrastructure was "a severe limitation, which should be addressed in order to ensure that sensitive and classified data stored in such clouds are secure."
Guertin's comments come amid increased scrutiny of the cybersecurity of the Defense Department's weapons systems, including multiple watchdog reports. In a report released earlier this year, the DOD inspector general praised five programs for successfully updating to meet cybersecurity requirements.
The Government Accountability Office had previously warned DOD about cyber vulnerabilities in its weapons systems and, in a March report, found that cybersecurity requirements weren't always written into contract language.
In written responses, Guertin said DOD should have the opportunity to evaluate security and performance of all its warfighting capabilities, including software, systems, and information services -- but policy changes are needed to require such testing in contracts with commercial vendors.
"It is my understanding that currently, DOD cannot adequately test and evaluate the cybersecurity of any DOD capability hosted in the commercial cloud, to include software factories. I believe that going forward, every contract for cloud services should permit such testing," Guertin wrote, adding that DOD should be immediately notified of commercial network breaches relevant to products it uses.
Sen. Angus King (I-Maine), who chairs the SASC subcommittee on strategic forces, said during the hearing that active and aggressive cyber testing was "essential" because "nothing's going to work if it's subject to a cyberattack."
"There's no question in my mind that if there is some level of conflict it will begin with cyber," King said. "And we can have all the ships in the world in the Pacific, but if they are silenced, if they lose their communications capability, their navigation capability, then they're not going to be very effective in protecting the interests of this country."