The Pentagon's Cybersecurity Priorities Have Not Changed in a Decade
That's good. And bad.
Photo: US Air Force
A recently-released document highlights how little the Pentagon's concerns and responses to threats in cyberspace have changed in the past decade. As American legislators debate the future of the military's top cybersecurity headquarters, experts say that's both good and bad.
In 2006, the Pentagon organized a first-of-its-kind exercise involving a "directed professional attack" across military computer networks. The "Bulwark Defender" cyber war game was supposed to help military planners determine how well troops from different units communicated with each other while enemy agents hacked their computers.
The exercise would "confirm [the] importance of defending networks," according to an official review. War Is Boring obtained the report—previously labeled "for official use only"—via the Freedom of Information Act.
Given the content of the briefing, the Pentagon comes across as "pretty forward-looking," Samuel Visner, a cybersecurity expert and senior vice president at ICF International, told War Is Boring via email. They "did a pretty fair job of characterizing threats to their networks."
The exercise pitted a mock enemy "red team" against US Air Force, Army, and Navy and Marine Corps personnel in more than two-dozen command centers across the country. Over the course of two weeks, the attackers tried to break in, damage and otherwise harass computer systems.
The red team hit the defenders with everything in its hacking arsenal—hijacking their printers, stealing passwords and slowing or entirely shutting down networks.
In one phase of the exercise, the attackers were able to break into the computer networks at offices in the Air Force's headquarters overseeing operations in the Pacific and Europe. They also gained control of, or turned off, networks in eight other locations.
In another mock cyber-strike, the red team gained access to critical information at nine American bases in the United States and Turkey via a phishing attack. Phishing involves sending fake messages—purporting to be from an official source—that ask for passwords or other identifying information. Three of the red-team phishing assaults gave the attackers unfettered access to secure systems.
The Pentagon spent nearly $290,000 on the exercise, drawing the money from a special account called the Combatant Commanders' Initiative Fund. The money is there for "unforeseen contingencies," according to a 2008 review of the program.
Despite the worrying results, US Strategic Command praised the wargame for showing what was, and wasn't, working when it came to security procedures. In many cases, physical protections and quick responses stopped attacks before they could do any real damage.
Defenders had "awareness of enterprise-wide attacks in minutes," the review pointed out. Still, "many … focused on restoring service at the expense of defense."
The exercise "did not give as much attention to resilience—operating through an attack/exploit—while defending and recovering as one might give today," Visner noted. On top of that, the scenarios didn't include private computers operated by defense contractors providing critical services or managing vital programs.
Visner pointed out that the concept of a military realm that extended into the "defense industrial base" was new in 2006.
Fast forward to 2016 and it doesn't look like much has changed in the halls of the Pentagon or among its opponents. "The after-action report indicates that many of the concerns of 2016 were concerns in 2006," Dr. Jeffrey Richelson, who currently manages the National Security Archive's Cyber Vault project, told War Is Boring in an email.
The Pentagon has been consistent in its approach to cybersecurity. But how well that approach has worked is a major topic of debate in Washington.
For three years running, members of Congress have accused China and other countries of hacking the military's and defense contractors' networks. In one particularly troubling hack, Beijing may have stolen data from the F-35 Joint Strike Fighter program. Legislators have lambasted the Pentagon for not doing more to stop such intrusions.
"So it's okay for them to steal our secrets that are most important because we live in a glass house?" Sen. John McCain, an Arizona Republican, angrily asked Deputy Secretary of Defense Bob Work at a hearing on Sept. 29, 2015. McCain had slammed Work over the Pentagon's refusals to specifically name China as the culprit in some of the worst cyber-assaults.
Nine months earlier, terrorists linked to Islamic State briefly gained control of US Central Command's Twitter account. Elsewhere in the federal government, the Office of Personnel management admitted hackers had stolen millions of personal files from its servers in multiple attacks.
"I don't think it is a question of things not having changed in a multitude of areas with regard to specifics," Richelson said. "But that the general components of cyber-operations are the same because they are only logical components."
In short, the Pentagon's focus isn't necessarily the problem. As the 2006 wargame showed, defending networks and bolstering defenses has been a long-standing and obvious goal. Instead, how military officials go about implementing the policy—or not—is the real issue.
Regardless of how small the improvements might be, the military "loves to pat itself on the back," Robert Lee, a former Air Force cyber warfare officer and fellow at New America, a Washington, DC think tank, told War Is Boring in an email.
In 2009, the Pentagon stood up a central Cyber Command to try and fix the lingering issues. But after nearly seven years, the headquarters still hasn't been able to solve the problems officials spotted back in 2006.
With regards to cybersecurity, the US military "writ large has faced a culture change," Lee explained. Still, "Cybercom is not ready," he added.
Since the end of World War II, the Pentagon has sought technological solutions to specific problems on the battlefield. If your enemy has tanks, you buy more tanks and anti-tanks weapons. If your opponent sets up deadly surface-to-air missiles and powerful radars, you buy stealth fighters.
This thought process doesn't translate well to problems in cyberspace, Lee said. While the central problem of defending networks might stay the same, the tools are constantly—and dramatically—changing.
The Pentagon has an "over-focus on malware," Lee said, referring to software that can hijack computer functions. "It's just a tool."
Hackers are constantly improving their technology and looking for new ways to infiltrate computers. And American troops are doing the same—sometimes. A May 2016 Government Accountability Office report pointed out that the Air Force is still using 40-year old computers and eight-inch floppy disks to manage certain parts of its nuclear mission.
More importantly, the flying branch is "still trying to figure out why this is important," Lee added. It doesn't help that the White House, Congress and the Pentagon can't seem to decide whether cyberwarfare should be primarily offensive or defensive—or both.
With confusing and sometimes contradictory goals, the individual services have tried to implement their own, often disjointed, policies as best they can. And yet, the training for cyber-troops is too frequently "abysmal," Lee said.
The Pentagon's 2006 plan to build a common cyber "range" where troops could practice network warfare "has made somewhat less progress than one would have imagined, based on the briefing's clarion call," Visner said. The unified training regimen could help standardize military cyberwar tactics.
But the military fears these lessons and tactics could, ironically, represent a juicy target for enemy hackers. So it's wrapping cybersecurity efforts in layer after layer of classification, all of which complicate standardized training and operations across the military branches. It's gotten to the point where it's harder in many ways for military offices to buy a new router than for troops in the field to call in an airstrike, Lee lamented.
That's why Lee supports "taking off the training wheels" and turning Cyber Command into a free-standing headquarters with more freedom to make its own decisions. At present, Cybercom is a component of Strategic Command, but its top official is the head of the National Security Agency—arguably a needlessly complicated arrangement.
The nebulous command structure also means that Cyber Command never really has to own up to its own failings. It can to run to either of these other entities for help in a crisis.
Both NSA chief Adm. Michael Rogers and Secretary of Defense Ashton Carter back the proposal to expand Cyber Command and make it more independent. Congress is considering funding the expansion as part of the Pentagon's budget for the 2017 fiscal year.
To really start fixing the Pentagon's cyber-problems, Congress needs to outline clear policies for cybersecurity, Lee said. Only then will troops be able to develop workable plans.
Regardless, the Pentagon's core cyberwar objectives are unlikely to change in the near future, Richelson added. While the exact tools and tactics might evolve, a decade from now troops could still be dealing with the same kinds of network threats.