Cyber Security For US Weapons Systems Criticised

US Air Force weapon systems are heavily reliant on complex software and high interconnectivity to perform their missions. Cyber capabilities enable many of the advanced features, such as electronic attack, sensor fusion, and communications, that give the Air Force its edge over potential adversaries, but they also create potential opportunities for adversaries to counter US advantages through cyber attacks.

Despite the US Defense Department’s (DoD) efforts to build networked weapon systems heavily dependent on software and information technologies, the military service branches have not all issued clear guidance describing how acquisition officials should incorporate cybersecurity requirements into contracts for these systems.  

Of the four services, the Air Force is the only branch to have issued service-wide guidance for defining and incorporating cybersecurity requirements into contracts, according to a recent Government Accountability Office (GAO) audit report. The report builds on another audit from 2018, when GAO found DOD was in the early stages of understanding how to apply cyber security to weapon systems.

While DOD has made improvements in this area since 2018, for example, by ensuring programs have access to adequate cyber expertise, increasing the use of cyber security assessments, and releasing more guidance, the agency is still learning how to contract for cyber security in weapon systems, according to the audit. “Current military service guidance, except for the Air Force, does not address how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification, which DOD and program officials told GAO would be helpful.” 

The GAO did not include the Cybersecurity Maturity Model Certification program, which requires defense contractors to undergo audits by independent third parties overseen by an accreditation body to validate the security of their systems, in this review. The audit was released at the time of the disastrous SolarWinds attack, which affected multiple federal agencies.

The Chair of the House Armed Services Committee, Adam Smith, emphasised the importance of securing information systems and command and control. “We cannot have the single points of failure, we have to be able to protect those systems,” Smith said.  

The GAO reviewed five programs for the audit: a radar, an anti-jammer, a ship, a ground vehicle, and a missile. The focus of the audit was on weapon systems that include platform IT, which the report defined as hardware and software for real-time mission performance of special-purpose systems. The acquisition programs reviewed lacked cyber security requirements, or at least clear cyber security requirements, in contracts, according to the audit.

Three of the five programs had no cyber security requirements in the contracts whatsoever when they were awarded. 

Even after contracts were modified post-award, some only included generic instruction to comply with DOD policy. “Contractors we spoke to said it is common for requests for proposals to include generic statements regarding cyber security, such as ‘be cyber resilient’ or ‘comply with risk management framework,’” according to the audit. “The contractors said such statements do not provide enough information to determine what the government wants or how to design a system.”

None of the five contracts defined how cyber security requirements would be verified at the time of the award. Officials also said contracts usually focus on the controls programs must have rather than on establishing performance-based requirements geared toward achieving desired outcomes.

The US Air Force’s System Program Protection and Systems Security Engineering Guidebook, created by the Cyber Resiliency Office for Weapons Systems (CROWS), was the positive highlight of the GAO audit.

The guidebook consolidates DOD and Air Force guidance into a single, detailed document complete with suggestions for implementation, according to the audit. GAO recommended the other service branches develop cyber security requirements guidance for acquisition programs like the guidebook. DOD concurred with the recommendations for the Army and the Navy and asked the Marine Corps to be considered under the recommendation for the Navy.

The US Air Force relies heavily on advanced computer and software systems, so it is paramount to keep those systems safe. It's the job of Cyber Systems Operations specialists to design, install and support our systems to ensure they operate properly and remain secure from outside intrusion. 

Sources: US Air Force, RAND, US GAO, US Air Force University, NextGov. Image: Unsplash.
