Weapons programs from the U.S. Department of Defense (DoD) are falling short when it comes to incorporating cybersecurity requirements, according to a new watchdog report.
While the DoD has developed a range of policies aimed at hardening the security for its weapon systems, the guidance leaves out a key detail — the contracts for procuring various weapons.
These contracts are awarded to various manufacturers, from massive military contractors to small businesses, for hundreds of billions of dollars each year by the U.S. government. And according to a new report by the U.S. Government Accountability Office (GAO), 60 percent of the contracts included zero requirements when it comes to cybersecurity protection measures.
The GAO, which is an independent, non-partisan agency that works for Congress and acts as a “congressional watchdog” and third-party auditor, noted that the inclusion of cybersecurity stipulations in the contracts is “key.” When it comes to any type of requirement in weapons contracts, whether it’s cybersecurity- or services-related, “if it is not in the contract, do not expect to get it,” according to the report.
“Specifically, cybersecurity requirements should be defined in acquisition program contracts, and criteria should be established for accepting or rejecting the work and for how the government will verify that requirements have been met,” according to the GAO’s report, released Thursday [PDF]. “However, GAO found examples of program contracts omitting cybersecurity requirements, acceptance criteria or verification processes.”
Weapons Contracts
When it comes to security, the weapons contracts should define requirements “to satisfy the needs of the agency, identify criteria for accepting or rejecting the work, and where applicable, establish how the government will verify that requirements have been met,” according to the GAO.
However, the majority of the DoD’s weapons contracts do not include any cybersecurity requirements at all — and if they do, the terms remain vague in terms of how security measures would be implemented, or shy away from defining cybersecurity activities “in objective terms with a clear basis for accepting or rejecting the system.”
Another issue is that the contracts do not identify measures for verifying that security requirements are met.
“For example, one of the programs had a cybersecurity strategy that identified the [risk-management framework] RMF categorization and described how the program would select security controls,” according to the GAO’s report. “However, when the contract was awarded, it did not include cybersecurity requirements in the statement of work, the system specification or the contract deliverables.”
Brandon Hoffman, CISO at Netenrich, said it is “stunning” that at this point, cybersecurity requirements are largely not part of the government’s weapons-systems contracts.
“It is equally hard to consider why cybersecurity would not be critical to the acquisition of a weapons system,” Hoffman told Threatpost. “Thinking about the potential damage that could be done with unauthorized access to networks related to weapons systems, for actual human life or the loss of IP/military advantage, these contracts should absolutely have strict cyber-requirements.”
DoD Weapons Security Risks
Most modern DoD weapon systems depend on software and various IT systems to operate. As an example, the U.S. Army plans to replace its decades-old vehicles – such as the Bradley infantry-fighting vehicle and the Abrams main battle tank – with new systems incorporating autonomous systems, said the GAO.
Should the DoD’s network of sophisticated, expensive weapons systems be hit by cybercriminals, they could become incapacitated, leading to potentially dangerous outcomes. Dirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost that the top risk here is to lose communication of – and ultimately control over – those systems.
“A loss of confidentiality means the enemy can gain vital intelligence about operations, tactics and strategies during battle,” he said. “Losing the integrity can hamper a weapons system in its functions, for example its target acquisition subsystem. Or, worse, it could be used against the own forces. If availability is lost, central command’s momentum is likely affected.”
Key Recommendations For DoD
Moving forward, the GAO made three recommendations: Each suggesting that the Army, Navy and Marine Corps provide better guidance on how programs should incorporate tailored cybersecurity requirements into contracts.
“DoD concurred with two recommendations, and stated that the third — to the Marine Corps — should be merged with the one to the Navy,” according to the GAO. “DoD’s response aligns with the intent of the recommendation.”
Government cybersecurity measures have been under scrutiny, particularly over the past few months after the sprawling SolarWinds cyberespionage campaign hit various U.S. government agencies and others hard.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
· March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
· April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)