Persistent Vulnerabilities: Strengthening Cybersecurity Requirements for the Department of Defense

Erica D. Borghard is a senior director and lead, Task Force One, at the U.S. Cyberspace Solarium Commission. She is also an assistant professor at the Army Cyber Institute at West Point.

Madison Creery is a cyber strategy and policy analyst for Task Force One at the U.S. Cyberspace Solarium Commission. The views expressed in this article are personal.

Cyber vulnerabilities in major weapons platforms pose a significant threat to U.S. national security. Cyber espionage targeting the U.S. military and defense industrial base continues to cause staggering losses of information and intellectual property, and there is the risk that the exploitation of vulnerabilities in U.S. military systems could render them ineffective or distort their uses. These challenges threaten to undermine the United States’ ability to deter its adversaries and could harm its conventional military capabilities in times of crisis and conflict. Cybersecurity for weapon systems is a critical area in which the Department of Defense (DOD) must improve [PDF].

This month, the Government Accountability Office (GAO) released a report [PDF] detailing its annual assessment on the status of DOD acquisitions programs. The report indicates that, despite congressional statute [PDF] requiring the DOD to conduct cybersecurity vulnerability evaluations of major weapons programs, significant delays and challenges persist. This is not the first time that the GAO has raised warnings about cybersecurity concerns in this area. In 2018, GAO issued a report [PDF] noting that there were critical gaps in incorporating cybersecurity into complex weapon systems throughout the acquisitions lifecycle.

In 2015, the DOD incorporated cyberattack survivability as a key performance parameter [PDF] as part of its main requirements policy [PDF]. In addition, as requested by Congress in Section 1647 of the FY2016 National Defense Authorization Act (NDAA) [PDF], the DOD was required to complete a cybersecurity vulnerability evaluation for individual weapons platforms by December 31, 2019. The FY2020 NDAA [PDF] further tightened these requirements, and cybersecurity investments are a crucial priority in the DOD’s most recent budget request.

However, problems remain. In particular, GAO found that the Major Defense Acquisition Programs [PDF] (MDAPs)—which represent some of the DOD’s top-priority acquisition programs and consume 36 percent [PDF] of the FY2021 modernization funding—had significant delays in completing cybersecurity vulnerability evaluations by the congressionally mandated deadline. Out of the nineteen major programs that the GAO assessed as requiring a cybersecurity vulnerability evaluation, only four indicated that they had completed one. Meanwhile, eleven were found to have not yet completed any or were delayed; three did not identify a date for anticipated completion; and one did not know if an evaluation had even been conducted.

Establishing cybersecurity requirements early in the acquisitions process is essential. If they are tacked on later in the process, or even after a weapon system has been fielded, addressing vulnerabilities is far more difficult and expensive [PDF]. However, the 2020 GAO report indicates that, out of the forty-two surveyed MDAPs, twenty-five reported that none of their key performance parameters address cybersecurity. Key performance parameters represent the most essential military requirements; incorporating cybersecurity into them at earlier stages is essential for effectively addressing cyber-related vulnerabilities.

Beyond the issues described in the 2020 GAO report, cybersecurity vulnerabilities are compounded by the interaction of legacy and newer weapon systems. Numerous, highly complex weapons from different generations interact with one another on a routine basis. For instance, the U.S. Air Force’s B-52 bomber, which entered service in 1955, is still in use today and currently operates alongside modern systems such as the F-35 joint strike fighter. When legacy platforms—which make up a majority [PDF] of the DOD’s inventory—operate alongside newly fielded ones, cybersecurity measures should take an integrated, systematic approach that evaluates how a cyberattack on one system could affect the rest.

To address this challenge, the Cyberspace Solarium Commission recommended in its March 2020 report that the DOD annually report the status of ongoing cyber vulnerability evaluations of all major weapon systems to Congress. Currently, there is no permanent process to periodically assess the cybersecurity of major weapon systems. Institutionalizing a recurring process to assess this is important because, as evidenced by repeated GAO reports, problems continue.

The commission also recommends that the DOD ensure that it assesses legacy platforms and cyber vulnerabilities across networked systems in broader mission areas. It is not sufficient to take a siloed approach to evaluating vulnerabilities in individual systems when these platforms interact with one another as part of a larger, interdependent network. Moreover, these assessments should prioritize mission assurance and ensuring the resilience of weapon systems to cyberattacks during military operations.

Right now, there is an opportunity for Congress to remedy existing gaps through the upcoming NDAA legislation. It should do so by building on the FY2020 NDAA amendments to Section 1647 of the FY2016 NDAA and institutionalize more meaningful and comprehensive cybersecurity requirements. As the 2020 GAO report indicates, the current congressionally mandated requirements and reporting processes have been insufficient to ensure the cyber resilience of U.S. weapon systems. Taken together, the commission’s recommendations would complement existing DOD efforts and enhance the security and resilience of the department. Developing a comprehensive, enduring evaluation process for weapon systems may be a time-consuming course of action. However, it is essential to ensuring the security and resilience of the capabilities that underpin U.S. deterrence and warfighting.