A panel of cyber experts told lawmakers that improved protections are needed to secure weapons and supply chain processes from cyberattacks.
“Cyber is a domain of warfare in itself, but its technologies also undergird most all of our defense efforts … technologies offer great opportunity but are also a vulnerability that must be defended,” Rep. Mac Thornberry (R-TX), Chairman of the House Armed Services Committee, said at a March 1st hearing on Cyber Warfare in the 21st Century: Threats, Challenges and Opportunities.
“We need to look at supply chain vulnerability as a broader end-to-end process,” Martin Libicki, adjunct management scientist at RAND Corp., told the committee.
Peter Singer, strategist and senior fellow at the New America Foundation, said that DOD needed a better understanding of its cyber defenses and vulnerabilities.
While Singer emphasized that it will not be possible to prevent all cyberattacks, he did suggest that new policy or acquisition law may be necessary to address these supply chain concerns so they can better defend weapons systems.
“We are better at creating technologies than we have policy to deal with them,” Thornberry said.
Singer said that weapons were particularly vulnerable to cyberattack, adding that protections need to be built-in from the earliest phases of the acquisition process and original design efforts. New policies may incentivize weapons developers to more fully incorporate cyber protections.
“What are the changes needed in acquisition law or policy to create better requirements for resiliency from cyberattacks? We also need to think about how we can build training into our education systems,” Singer said.
Libicki said some available remedies, such as wider use of end-to-end encryption, could help better secure networks.
“There are tools that can give you much more trust over the system as a whole,” he explained.
While Libicki said that available defenses could be harnessed to greater effect, he did say that a national DOD firewall would not provide sufficient defenses against malware or encrypted attacks.
“The state of firewall technology is not there,” he said.
The Defense Advanced Research Projects Agency’s (DARPA) forward-looking cybersecurity efforts were mentioned by several expert panelists as areas that DOD would be well served to investigate. In particular, Singer mentioned DARPA’s “high assurance computer service” designed to help engender “hack-proof” drones by using mathematical code.
Improved cyberattack battle damage assessments are also necessary to help DOD understand the extent to which it can still operate after being attacked.
“If you lose ten percent of communication, maybe it means your entire organization can’t work because it cannot trust comms. If an adversary inserts false information, does that mean you no longer trust the system itself?” Singer said.
Panelists also addressed the challenges that accompany increased cyber interoperability between networks.
“We need to monitor the amount of information sharing. If the Chinese find a vulnerability in a network, they could use that connection to hack all of them,” Singer explained.
Supercomputers able to assess their own vulnerability would be necessary to thwart high-tech malicious attacks, panelists added.
Some of what the panel addressed aligns closely with what many U.S. services are now pursuing; for example, the Air Force is pursuing a specially-crafted “seven lines of effort” cybersecurity campaign which, among other things, seeks to “bake-in” cyber defenses earlier in the acquisition process.