US military considered unprepared for a cyber-conflict

A report titled “Resilient Military Systems and the Advanced Cyber Threat”, written by the Defense Science Board (DSB), a Federal Advisory Committee established to provide independent advice to the Secretary of Defense, presents alarming scenarios in which the US military is considered unprepared for a full-scale cyber-conflict.

The 138-page report alerts the Pentagon to the need to improve its cyber capabilities to deal with such an event; a top-tier adversary represents a serious menace in case of cyber war. The numerous initiatives conducted by the US Government to improve cyber capabilities are not sufficient to face sophisticated cyber attacks by hostile countries. The report remarks that the Defense Department “is not prepared to defend against these threats” and that its efforts lack proper coordination; the document also alerts central authorities to a “fragmented” dispersion of commitments.

“Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat. DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems. The study by the Defense Science Board urges the intelligence community to maintain the threat of a nuclear strike as a deterrent to a major cyberattack.”

“DoD needs to take the lead and build an effective response to measurably increase confidence in the IT systems we depend on (public and private) and at the same time decrease a would-be attacker’s confidence in the effectiveness of their capabilities to compromise DoD systems” “the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems”

The statements are shocking: you do not need sophisticated computing platforms to hit the country in its vital centers; the technologies are readily available from the Internet. On various occasions cyber warfare experts have warned of the possibility that a conventional warfare operation could be complemented by a cyber offensive, a valuable option that could allow attackers to hit the defense capabilities of the adversary.

To describe the cyber capabilities of attackers, the following threat hierarchy has been defined; it takes into account the level of skills and the breadth of available resources:

  • Tiers I and II attackers primarily exploit known vulnerabilities.
  • Tiers III and IV attackers are better funded and have a level of expertise and sophistication sufficient to discover new vulnerabilities in systems and to exploit them.
  • Tiers V and VI attackers can invest large amounts of money (billions) and time (years) to actually create vulnerabilities in systems, including systems that are otherwise strongly protected.

The report raised an alert about the ability of the US military to respond to a joint attack that combines conventional weapons and cyber tools to cause large-scale damage to the country. The document tries to draw a scenario of a global cyber conflict in which skilled adversaries could crash national networks, hit critical infrastructures and corrupt data.

“U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.”

The report sustains the thesis that “with present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks”; the document states that the process of improving cyber capabilities could take years for the Department. The principal need is to build an effective response to cyber threats that includes elements of deterrence, mission assurance and offensive cyber capabilities.

Offensive cyber capabilities are fundamental to preserving the cyber security of the US; the report suggests establishing a well-defined response strategy for cyber attacks, also contemplating the preemptive use of offensive cyber operations.

Another aspect highlighted by the report is the need for hardware/software qualification of all components produced in countries with high-end cyber capabilities, such as Russia and China. The fear is that these governments could distribute systems and applications that include a backdoor or some other mechanism to interfere with the hosting environment.

The report agrees that it is impossible to protect all military systems; it proposes isolating critical environments and reserving the most advanced defensive measures for them.

As reported above, the nuclear option remains the ultimate response in the deterrence strategy, but it is absolutely necessary that the Government is able to ensure the security of highly critical systems even within a full-spectrum, cyber-stressed environment.

“Nuclear weapons would remain the ultimate response and anchor the deterrence ladder. This strategy builds a real ladder of capabilities and alleviates the need to protect all of our systems to the highest level requirements, which is unaffordable for the nation. Similar to the prior argument regarding the cyber resiliency of the nuclear deterrent, DoD must ensure that some portion of its conventional capability is able to provide assured operations for theater and regional operations within a full-spectrum, cyber-stressed environment.”

The report also raises questions about whether the command-and-control systems for U.S. nuclear weapons are evaluated sufficiently for vulnerabilities to cyber attack and sabotage. A senior defense official said the Pentagon “has great confidence that our nuclear command, control and communications systems are secure, reliable and resilient.”

The big question is: how much will this cost?

Although it is not simple to define exactly the amount of money needed or the timeline, the task force that wrote the report attempted to predict the ranges of cost and approximate time frames in which these recommendations could be accomplished, as shown in the following table:

It’s clear that there is no time to lose.

Pierluigi Paganini

(Security Affairs – US)
