Now that we have all had time to digest the OPM hack (which is, to borrow a phrase from the Hitchhiker’s Guide to the Galaxy, really big… you just won’t believe how vastly hugely mindbogglingly big it is), I would like to draw your attention back to something else. The Defense Science Board Report of January 2013 on the resilience of DoD systems to cyber attack.
After reviewing all available evidence and rigorously weighing threat information, a Task Force of the Defense Science Board (DSB) concluded that:
The United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent.
How does that make you feel? You know yourself what adversaries are doing with well resourced attacks against the US healthcare industry where over 80 million of us have had our private information stolen. And you have read about the devastating OPM attacks that have compromised the personal information of all government employees plus the security clearance information associated with investigations and the people interviewed on investigations. Now consider what a well resourced adversary could do to the US military when they decide to take offensive combat action against us. Well resourced adversaries could also offer these capabilities to lower tier adversaries to use against us for strategic advantage.
Read on for more about what the DSB reported as the threat to military systems.
Here are more details:
The Defense Science Board (DSB) provides advice, assessments and reports as chartered by DoD leadership. It has studied cyber security and related topics for years and has been instrumental in providing new ideas and perspectives for action by DoD leadership.
The DSB was recently chartered to look at an interesting and somewhat intellectually stimulating topic, that of how US military systems could withstand cyber attack and remain able to execute their mission. The chartered group, a task force on Resilient Military Systems, produced a report with a set of recommendations designed to improve DoD’s ability to accomplish its missions. The overarching strategy recommended by the DSB is one that enhanced the department’s defenses in the face of attacks, decreases the effectiveness of adversaries, increases the cost to adversaries, and deters the most significant adversaries by ensuring the US maintains the ability to deliver desired mission capabilities in the face of catastrophic cyber attack.
The task force also identified a framework to implement metrics collection systems and then develop appropriate performance metrics that can be used to shape DoD’s investment decisions. The report approved by DSB chairman Paul Kaminsky is at http://www.acq.osd.mil/dsb/
Here is more from the forwarding letter to the report:
The final report of the DSB Task Force on Resilient Military Systems is attached. This report is based on the perspective of 24 Task Force members who received more than 50 briefings from practitioners and senior officials throughout the Department of Defense (DoD), Intelligence Community (IC), commercial sector, academia, national laboratories, and policymakers. This Task Force was asked to review and make recommendations to improve the resilience of DoD systems to cyber attacks, and to develop a set of metrics that the Department could use to track progress and shape investment priorities.
After conducting an 18-month study, this Task Force concluded that the cyber threat is serious and that the United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities (a “full spectrum” adversary). While this is also true for others (e.g. Allies, rivals, and public/private networks), this Task Force strongly believes the DoD needs to take the lead and build an effective response to measurably increase confidence in the IT systems we depend on (public and private) and at the same time decrease a would-be attacker’s confidence in the effectiveness of their capabilities to compromise DoD systems. This conclusion was developed upon several factors, including the success adversaries have had penetrating our networks; the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems. The Task Force believes that the recommendations of this report create the basis for a strategy to address this broad and pervasive threat.
Nearly every conceivable component within DoD is networked. These networked systems and components are inextricably linked to the Department’s ability to project military force and the associated mission assurance. Yet, DoD’s networks are built on inherently insecure architectures that are composed of, and increasingly using, foreign parts. While DoD takes great care to secure the use and operation of the “hardware” of its weapon systems, the same level of resource and attention is not spent on the complex network of information technology (IT) systems that are used to support and operate those weapons or critical IT capabilities embedded within them.
DoD’s dependence on this vulnerable technology is a magnet to U.S. opponents. In fact, DoD and its contractor base have already sustained staggering losses of system design information incorporating decades of combat knowledge and experience that provide adversaries insight to technical designs and system use. Despite numerous DoD actions, efforts are fragmented, and the Department is not currently prepared to mitigate the threat.
That forwarding letter was signed by the task force co-chairs, Mr. Lewis Von Thaer and Mr. James R. Gosler, two of the most professional, well thought out leaders I have ever worked with.
Please dive deep into the full document now. You will find some information you already know, but I promise some surprises as well. Find more at http://www.acq.osd.mil/dsb/reports2010s.htm