WASHINGTON — Amid a growing focus on the Pentagon’s cyber vulnerabilities, it plans to reprogram $100 million toward uncovering such flaws in major weapon systems, according to budget documents posted this week.
Defense Department Comptroller Mike McCord notified Congress Aug. 29 of plans to move the money from a technology analysis account to a research, test and evaluation account—described as classified in the DoD’s 2016 budget justification. The notice was first reported by Inside Defense.
The Defense Department is bound by
to evaluate the cyber vulnerabilities of major weapons systems and report to Congress by the end of 2019, with $200 million authorized for the project. The mandate was the marquee provision in military cybersecurity legislation the president signed last year as part of the 2016 defense policy bill.
Weapons systems developed over the past 20 years are "highly effective on the battlefield and yet also highly vulnerable to network attack," as they are increasingly dependent on "network targeting information, digital satellite communication to GPS networks, and digital command operating pictures/blue force trackers," Jacquelyn Schneider, a scholar at George Washington University warns in a
published this week by the Center for New American Security.
The highly networked nature of two key military systems, the the F-35 Lightning II and Distributed Common Ground System-Army, the service's intelligence dissemination system, illustrate how digitally dependent the US military has become.
Indeed, the Pentagon's Director of Operations, Test and Evaluation (DOT&E), Michael Gilmore announced last year he found that nearly all of DoD's major weapons systems were vulnerable to cyber attacks. Forty systems in 2014 needed to fix cyber vulnerabilities, including the Army's Warfighter Information Network-Tactical, the Navy's Joint High Speed Vessel and the Freedom class of Littoral Combat Ship.
A 2013 Defense Science Board
warned that while DoD takes care to secure the use and operation of its weapons systems, it neglects the information technology systems used to operate and support them, or the cyber capabilities embedded within them. As a result, a foe could cut communication links and inactivate, redirect or destroy US weapon systems.
“In today’s world of hyper-connectivity and automation, any device with electronic processing, storage, or software is a potential attack point and every system is a potential victim–including our own weapons systems,” the report reads.
The report stressed the difficulty of predicting the cyber security of any system, noting, “A few critical bits manipulated in a weapon fire control system can render that weapon ineffectual.”
The Defense Department has been focusing on fixing cyber vulnerabilities beyond its weapons systems. In June, white-hat hackers found 138 vulnerabilities in a DoD sponsored bug bounty event. That came a year after intruders — suspected to be Russian — hacked into an unclassified email system used by the Joint Chiefs of Staff, forcing the military to take it off line temporarily.