DoD Weapons Systems Cybersecurity – Opportunities for a Different Cyber Skill Set

For decades the Department of Defense (DoD) and its component military departments have sought to leverage the most advanced technologies for U.S. weapons systems and related platforms. As the DOD's weapons have become more computerized and inter-networked they have also brought greater challenges to protect these weapons systems from increasingly sophisticated cyber-attacks. And

Unfortunately, the DoD is just beginning to grapple with scale of the cyber- vulnerabilities of these weapons systems, according to a recent report by the Government Accountability Office (GAO) that include such stark language in the report’s subtitle.

Stemming from provisions in the FY 2016 National Defense Authorization Act (NDAA) the GAO was asked to review the state of DoD weapon systems cybersecurity to assess the factors that contribute to the current state of weapon systems cybersecurity, the vulnerabilities in weapons that are currently under development, and what steps the DoD is taking to develop more cyber- resilient weapon systems. The report’s content seems especially geared toward policy makers to provide a layman’s context to the issues of cybersecurity of these systems. Among other illustrations, the report includes an info graphic of a fictitious aerial weapon system that highlights the pervasiveness of embedded software and other IT systems within such platforms – including flight software systems, communications, collision avoidance, life support, maintenance, targeting, logistics and others.

Playing Catch-up

In their review GAO provides several examples of vulnerabilities and security holes that they found in some existing weapons systems that allowed them to penetrate and control them in a short period of time and using fairly simple tools and techniques.  GAO noted that weapon system cybersecurity has lagged in prominence and priority to more traditional information systems and the DOD’s understanding of how to bake in security as they develop weapon systems continues to emerge.

Up until a few years ago, cybersecurity was not a key focus of weapon systems development requirements, acquisitions provisions and other decision-making policies. Although this has been changing, the DoD is playing catch-up and is still determining how best to address weapon systems cybersecurity given weapon systems’ different and particularly challenging cybersecurity needs.

Unique Needs Present Opportunities

While the GAO audit addresses the broad scope and multifaceted efforts that the DoD will need to take simultaneously to improve in this area, there is one element of the mix that presents a somewhat different opportunity than one traditionally considers when thinking about cybersecurity. This pertains to the cybersecurity workforce and the skills needed to secure these weapons systems.

The sheer complexity of many weapons systems (a system of systems by most accounts) makes the need for very tailored security measures necessary and at the same time makes effectiveness very challenging. Down-stream implications of cyber-hardening are often unanticipated or unknown. GAO noted that the limited understanding that many program offices have about the cyber- impacts of their systems designs makes it difficult to secure their systems.

GAO notes that the DoD continues to struggle to hire and retain cybersecurity personnel, particularly those with weapon systems cybersecurity expertise. This is an important nuance to the federal cyber- workforce challenge that might escape our notice if we limit our focus to more traditional concepts of network and information security.

The right cyber- skill set in this wider context includes an adept knowledge of the weapon system and how to bring cybersecurity to bear. These are not likely to be filled by fresh military recruits, new college hires or even cyber warriors from the component CYBERCOMS.  

What is likely to be needed is a cyber-practitioner that is an amalgam of weapons system-specific design engineer and a cybersecurity engineer, and possibly with a measure of cyberwarrior mindset mixed in to help poke at potential vulnerabilities. I may be wrong in my assumptions, but within this mix it would seem that system-specific design knowledge would take the longest to develop and be the most difficult to replicate, meaning that this skill must precede the others.

It would seem then that the defense industrial base partners that have the design and manufacturing knowledge and experience with these weapon systems (or one of its major component systems) are best positioned to develop or acquire the cybersecurity capabilities to secure these systems – either retroactively for legacy platforms or proactively as they design new systems.

Much attention has been paid to the need for securing federal networks, communications and data – and industry has responded by building capacity in these areas. Many companies in the traditional IT security space also have a long history of participation in the military industrial sector in other business units, but some may not have yet connected the two capabilities. If not, do not miss this opportunity to leverage a core competency in the weapons system area to develop a competitive advantage the adjacent market for cybersecurity.