Editor's Note: This story has been updated to include comment from an industry official.
WASHINGTON — Cyber vulnerabilities continue to plague the Army’s battlefield communications, according to the Pentagon’s top weapons tester, while the service works to harden its network against cyber attacks.
The Army’s Warfighter Information Network-Tactical (WIN-T), the Mid-Tier Networking Vehicular Radio (MNVR), the Joint Battle Command-Platform (JBC-P) and the Rifleman Radio were all cited as having problematic cybersecurity vulnerabilities in a report released Monday by the Pentagon’s Director, Operational Test & Evaluation (DOT&E), J. Michael Gilmore.
The WIN-T Increment 2, which is the second iteration of the Army’s communications network, allows units to exchange voice, video, data and imagery through the battlefield on-the-move. The previous increment allowed similar capability but “at-the-halt.”
Gilmore found, in evaluating the May 2015 WIN-T Increment 2’s full operational test and evaluation, that “although improved, WIN-T Increment 2 continues to demonstrate cybersecurity vulnerabilities.”
He adds, “this is a complex challenge for the Army since WIN-T is dependent upon cyber defense capabilities of all mission command systems connected to the network.”
The MNVR “has cyber security vulnerabilities that could degrade the unit’s ability to accomplish its mission,” Gilmore writes, and adds the Soldier Radio Waveform on the Rifleman Radio is not survivable against cyber attacks. Cyber vulnerabilities were also identified in a classified annex of a report on the JBC-P.
The Army’s Program Executive Office for Command, Control and Communications-Tactical (PEO C3T) said in a written response to Defense News that it is working to incrementally improve WIN-T’s cybersecurity.
“Of the three main cyber security vulnerabilities identified from the May 2014 [Multi-Service Operational Test and Evaluation for the JBC-P], two of the issues have been addressed and the third has a partial fix in place, with a full fix scheduled to be complete by 2018,” the program office writes.
The JBC-P is a networked battle command information system that shows units in “near real-time” where friendly and enemy forces are on the battlefield through maps, graphics and messages.
PEO C3T continues to conduct cybersecurity testing “multiple times a year,” according to the statement.
The office also provided DOT&E an update on cybersecurity developments in September 2015 and will continue to invite the Pentagon’s tester to future test events.
The MNVR, which provides software-programmable digital radio communications from the company through brigade level, experienced electronic warfare and cybersecurity issues in the Network Integration Evaluation in the second half of 2015 at Fort Bliss, Texas. But, “these will be addressed during MNVR’s [initial operational test and evaluation],” the program office said.
The IOT&E is scheduled for the summer of 2017.
During the test event, a stable anti-jamming waveform will be introduced. The waveform is being assessed on the latest version of MNVR during government regression tests, according to the program office.
Cyber vulnerabilities were not the only issues Gilmore found when examining the various components of the Army’s tactical communications network.
While the service was able to integrate WIN-T onto mine-resistant ambush-protected all-terrain vehicles (M-ATVs), it struggled to integrate WIN-T onto Stryker vehicle platforms.
“The Stryker [point of presence] and [soldier network extension] were not operationally suitable due to poor integration of WIN-T Increment 2 equipment that interfered with the soldiers’ performance of mission,” Gilmore writes.
Integration issues include displays mounted in front of the gunner’s position, antennas that prevented 360-degree gun coverage, engine-off operations that drained batteries “to the point of replacement,” and the need to run the engine to support WIN-T, which prevented Strykers from conducting “silent watch” operations.
WIN-T Increment 2 capabilities are integrated on M-ATVs, MRAPs, Humvees and Strykers.
“The WIN-T program office is closely working with the Stryker program office in regards to WIN-T component integration feedback that has been generated from both the NIE and operational unit use,” the program office writes.
Solutions include “a flexible mounted commander’s display, redesigning interior integration of WIN-T and network component gear to allow for space ‘buy back’ and reduction of exterior component mounting footprint,” according to the program office. Integration timelines are being established between the two offices.
The next step is to determine “the best possible” integration timeline to put WIN-T into heavy brigade combat teams. WIN-T is projected to be integrated onto the Armored Multi-Purpose Vehicle (AMPV) to support HBCT networking. The prototype kit is being developed and first fielding is planned for fiscal year 2021.
According to Gilmore, WIN-T’s Highband Networking Waveform (HNW) and the Tactical Relay - Tower (TR-T) “were not effective due to limited transmission range and throughput for on-the-move links, poor quality at-the-halt links, inability to maintain a non-fragmented network in the absence of satellite, lack of use of the [range throughput extension kit] and poor network operations tools.”
The WIN-T program conducted two large-scale developmental tests in June and November in order to address these deficiencies, PEO C3T said.
The same vehicles, equipment, terrain and network topology were used in the tests, according to the program office.
The tests showed “that from a technical perspective the HNW and TR-T performed as designed when properly configured and employed in an operational environment and provided a critical and significant line-of-sight network capability,” the office said.
Other tests and improved radio performance have shown the HNR network can support a brigade combat team data load in a satellite communications-denied environment, the office adds.
The Rifleman Radio is struggling mainly with overheating batteries and short battery life, Gilmore found.
The Army is conducting qualification tests with two vendors chosen in April to provide Rifleman Radios: Harris and Thales Defense and Security. Once the vendors pass through qualification testing, the radios will proceed into an initial operational test expected to be complete at the end of fiscal 2016. Full-rate production is expected as soon as the third quarter of fiscal 2017.
Gilmore reported, based on the January 2015 Multiservice Operational Test & Evaluation (MOT&E) for the JBC-P 6.0, that it is not “operationally effective” due to low message completion rates, phantom MAYDAY messages and inaccurate representation of blue force icons among other issues.
PEO C3T said, since the MOT&E, the Army has resolved all but two Army materiel release conditions: fixing the unintentional MAYDAY messages and developing and delivering an interactive multimedia instruction product.
The program office is fielding the JBC-P under a conditional materiel release until full materiel release is received.
The office is also confident the unintentional MAYDAY messages issue has been resolved and expects to verify this at the next NIE and during a follow-on test scheduled in fiscal 2017.
In assessing the MNVR, Gilmore found that when operating in a reduced satellite network environment, the message completion rate was less than 76 percent, which is below the 90 percent at-the-halt and 85 percent on-the-move requirement.
The network also experienced problems during the limited user test that prevented four of 12 battalion MNVRs from sending or receiving data for “extended time periods (up to 36 hours),” Gilmore writes, adding that they were all within line-of-sight of other MNVRs and “should have had communications.”
The program office noted that the MNVR was rated as effective and suitable by the Army Test and Evaluation Command at the Limited User Test NIE 15.2.
“Many of the [MNVR] issues identified in the DOT&E have been addressed,” the office said. “For example, as observed in the NIE, MNVR Command and Control message completion rate was documented at 88 percent effective for meeting the mobile requirements.”
The DOT&E report “reinforces that a balance needs to be met between ensuring the operational viability of programs of record within DoD and ensuring the cyber hardening of these systems,” retired Rear Adm. Bill Leigher, Raytheon’s director of government cyber solutions, told Defense News. “Within DoD, there’s no software patch. Instead, a focused effort to create hardening solutions for not just combat systems, but navigation, hull, mechanical and electrical systems. The DoD is positioning this as a conversation not only for current systems, but also for any systems it procures moving forward.”