This month, the Wall Street Journal reported that an internal Navy review concluded the Navy and its industry partners are “under cyber siege” by Chinese hackers and others who have stolen national security secrets in recent years, exploiting critical weaknesses that threaten the United States’ standing as the world’s top military power. The assessment depicts a branch of the armed forces under relentless cyberattack by foreign adversaries.
It’s a scary time to be responsible for the cybersecurity of United States Department of Defense (DoD) weapon systems. Not only are our adversaries very determined and capable, but our systems are highly vulnerable, as most were developed without cyber resilience as a priority.
Fortunately, opportunity might be emerging as the DoD is finally signaling its commitment to increasing the cyber resilience of its weapon systems. Marine Corps Brigadier General Dennis Crall, the Pentagon’s principal deputy cyber advisor and senior military advisor for cyber policy, said in recent testimony to the Senate Armed Services Committee on January 29th: “There’s a sense of optimism. I think the department has turned a corner, but this is the year that we really have to show the results of that effort.”
We in the DoD contractor (and subcontractor) community can build upon the DoD’s recognition of cyber vulnerabilities through three measurable actions that must be taken immediately. These are not technical actions, but rather cultural adjustments. This type of bottom-up, widespread approach to incremental cultural change is likely to be more successful than top-down initiatives (e.g., mandates from senior leaders), especially when these changes are given visibility via measurable action tracking.
1) Commit Jointly to Significant Discussions About How to Address Vulnerabilities
Compliance with the Risk Management Framework (RMF) is not enough. As a retired USAF Colonel recently said, “RMF compliance is like passing a car inspection. It has nothing to do with actual performance or mission assurance.” So, we need to engage with our customers to elevate new cybersecurity technologies and approaches. There is no stigma to raising cyber vulnerability issues with customers, since it is what keeps many of our customers awake at night. Everyone has already acknowledged that we need to do more, so let’s commit to doing more. The measurable event here is formal cyber vulnerability discussions with your customer: how many occurred in the past three months and how many are planned in the next three.
2) Reallocate Funding Now
Part of the commitment to doing more includes reallocating committed funds to harden software binaries. This process is termed cyberhardening, and it combats memory corruption errors and buffer overflow exploits – the weaknesses that attackers typically use to gain control of the embedded systems and devices that underpin weapon systems. We don’t have time to go through a new procurement cycle. We can get through the contractual hurdles of adjusting tasking.
Availability of people to do cybersecurity work may be a concern as well. Let’s trust that the smart people already working the programs can adapt to fill the gap. There will be some learning curves to overcome, and different tools are needed. Also, different people may need to take on technical leadership roles. Let’s stop waiting for the next procurement. The measurable event here is the amount of GFY19 funds re-directed toward cyber resilience.
3) Increase Cyber Resilience Capabilities Included in Upcoming System Upgrades
Operational weapon systems have detailed upgrade plans to insert new capabilities. However, if these upgrade plans become rigid, they can delay much needed corrections for years. Cyber resilience initiatives need to jump the queue and have a clear path out of the lab into the operational capabilities. Whatever the timing of the next system upgrade, cyber resilience measures need to be added to the upgrade portfolio. The benefit of increased cyber resilience and mission assurance is worth the costs and risks associated with adjusting the system upgrade plan. In addition, as part of a scheduled upgrade, changes for increased cyber resilience should leverage the already planned development and operational testing associated with the upgrade.
Cyberhardening Software Binaries Prevents a Class of Cyberattacks
Traditional IT cyber processes may not prevent interruption of weapon system functionality, since they follow a process of detection, action reporting and later patching, if and when patches become available and can be applied. Weapon systems have very different missions from traditional IT systems, and must have protection that enables them to fight through a cyberattack and remain available during critical times of engagement.
RunSafe Security’s Alkemist offers cyberhardening for existing software. Our binary transformation approach prevents an entire class of very effective memory corruption attacks.
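To make concrete the class of weakness the reallocation section and the cyberhardening section above refer to, here is an added illustration, written for this editing pass and not code from RunSafe Security or from Alkemist. It shows, in C, the kind of unbounded copy that produces a memory corruption / buffer overflow defect in embedded message handling, beside a bounded form that rejects oversized input instead of overrunning the buffer. The telemetry record layout, the field size and the function names are all constructed for the example; binary-level hardening of the sort the page describes operates on compiled code rather than on source like this, so the snippet illustrates the weakness class, not the product’s mechanism.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size label field of an imaginary telemetry record. */
#define LABEL_MAX 16

struct record {
    char label[LABEL_MAX];
    uint32_t value;
};

/* Vulnerable form, kept only for contrast: the label is copied with no
 * length check, so any label of LABEL_MAX bytes or more writes past the
 * end of r->label. This is the memory corruption class the text refers to. */
int parse_record_unsafe(struct record *r, const char *label, uint32_t value) {
    strcpy(r->label, label);   /* no bound on the source length */
    r->value = value;
    return 0;
}

/* Bounded length check that never reads more than `limit` bytes of `s`.
 * Written out by hand here so the example does not depend on strnlen. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Hardened form: measures the input against the field size and rejects
 * anything that would not fit with its terminator, rather than silently
 * truncating, so a malformed message cannot corrupt adjacent memory and
 * the caller sees an explicit error it can log. */
int parse_record_safe(struct record *r, const char *label, uint32_t value) {
    size_t n = bounded_len(label, LABEL_MAX);
    if (n >= LABEL_MAX) {
        return -1;             /* oversized label: reject the record */
    }
    memcpy(r->label, label, n);
    r->label[n] = '\0';
    r->value = value;
    return 0;
}

int main(void) {
    struct record r;
    /* Constructed inputs: one label that fits, one that is exactly too long. */
    const char *ok_label = "ALT";
    const char *long_label = "0123456789ABCDEF";   /* 16 bytes, no room for NUL */

    if (parse_record_safe(&r, ok_label, 1200) == 0) {
        printf("accepted label=%s value=%u\n", r.label, (unsigned)r.value);
    }
    if (parse_record_safe(&r, long_label, 1) != 0) {
        printf("rejected oversized label (%zu bytes)\n", strlen(long_label));
    }
    /* parse_record_unsafe is deliberately not called with long_label: doing so
     * would be the overflow itself. */
    return 0;
}
```

The safe variant returns 0 on success and -1 when the label would not fit; the unsafe variant is never exercised with an oversized input here, since that is exactly the undefined behaviour the hardened path exists to prevent.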
There’s a clear opportunity to increase cyber resilience in DoD weapon systems because everyone is acknowledging the need to do so. Making these incremental, measurable, bottom-up cultural changes will give DoD contractors a better framework for developing a cyber resilience strategy.
Contact us today to set up a consultation.