Despite progress, DOD systems still vulnerable to hacking

Despite some key improvements from the previous fiscal year, Defense Department missions and systems remain vulnerable to hacking, according to an annual report from the Pentagon's weapons tester.

Cyber testing teams deployed on DOD networks were "frequently in a position to deliver cyber effects that could degrade the performance of operational missions," the fiscal 2015 report from the Office of the Director of Operational Test and Evaluation (DOT&E) states.

The report also notes that in the past year, the Pentagon has made important strides in cyber defense, including enhanced protection of some network elements and greater awareness from leaders of the potential impact of a hack on critical missions. But DOD network operators still face a daunting task in securing their networks.

The report also reveals that for months DOD personnel have been unable to access maintenance information on the F-35 stored in a Lockheed Martin database because it does not comply with information assurance policies implemented by U.S. Cyber Command in August 2015.

"Because of this non-compliance, government personnel have not been able to access the database via government networks, preventing the [evaluation team] from holding the planned reviews of maintenance records," the report states.

In the past couple of years, DOD officials have put greater emphasis on shoring up the cybersecurity of weapons systems. Frank Kendall, the Pentagon's top acquisition official, has made the issue a key piece of his latest round of acquisition guidance to the DOD workforce. Nonetheless, he has conceded that developing cybersecurity metrics for acquisition programs is a difficult task.

Officials have sought to chip away at the challenge. Curt Dukes, director of the National Security Agency's Information Assurance Directorate, said IAD will only be able to review a handful of weapons systems for vulnerabilities this fiscal year out of the "incredibly long list" IAD has been assigned.

Despite keen interest from military leaders in building the cyber mission force, there is still not enough expertise to go around, according to DOT&E's report. Some members of DOD's cyber protection teams lack the proper training, background or motivation to be effective, the report states.

Talented "red team" members who simulate cyberattacks are leaving for the private sector at a time when those teams are in particularly high demand, according to the report. "This trend must be reversed if the DOD is to retain the ability to effectively train and assess DOD systems and service members against realistic cyberthreats," the report states.

Cyber specialists who have not left for the private sector are not keeping pace with sophisticated adversaries, according to a Pentagon memo obtained by the Daily Beast.

Rep. Mac Thornberry (R-Texas), chairman of the House Armed Services Committee, has said his committee would make bolstering U.S. cybersecurity personnel a priority this year.

Speaking to reporters Feb. 1, Thornberry offered a two-pronged approach for his committee to tackle the cyber vulnerabilities in DOD weapons systems. One method is to go system by system, with the relevant subcommittees handling systems under their purview.

"But then you also have to look across because we are a networked enterprise increasingly, and that gives you great opportunities but also some vulnerabilities," Thornberry said, calling weapons cybersecurity a "huge issue."