The Defense Department ― both on its own and at the direction of Congress ― has been taking aim at the cybersecurity vulnerability of all its weapon systems, to include legacy systems.
While “cyber” has been a concern among a small cadre of the workforce, namely the networking community, leadership is beginning to take this vulnerability very seriously.
“We have always treated out networks and our weapon systems” differently, Marianne Bailey, deputy national manager for national security systems at NSA, said during a panel at a defense conference in Charleston, S.C., Dec. 7 hosted by the Charleston Defense Contractors Association. “We really didn’t look at them the same, we didn’t monitor them the same.”
Bailey, who previously served in the DoD CIO’s office, lauded the DoD cybersecurity scorecard, which grades DoD components’ cybersecurity practices on a monthly basis, as critical in bringing the awareness to senior leadership levels, calling it a huge change at the Pentagon.
People used to joke, she said, when NSA red teams were sent in to do penetration testing of weapon systems because while they would always get in, the excuse was NSA always gets into its targets. Bailey explained that despite that fact, the red teams “didn’t even get to use the cool tools,” as they got in using basic methods because the department had not done great on that basic cybersecurity.
The scorecard really brought that awareness to senior level folks at that Pentagon, she said, providing an anecdote of a conversation at a quarterly meeting at the Pentagon between the deputy secretary of defense, the vice chairman and the undersecretaries of the services in which the undersecretary of the Navy said only 60 percent of the users on Navy networks were using multi-factor authentication.
Bailey said she was sure that was the first time such a conversation has ever occurred at such a high level, showing that this is really important, it’s a threat to networks and systems and leadership is taking notice.
While these types of security measures have been taken in the networking world, Bailey said they’re still not quite there with weapons systems but are along the path.