Cyber attacks can come from anywhere: a global power like China, weak and non-state actors, states like Iran or Syria, or even individual cyber criminals. And the government agencies responsible for defending the nation’s cyberspace cannot even prevent breaches of and attacks on their own systems.
The Department of Defense (DOD) and the General Services Administration (GSA) both issued reports in the past week that underscored “the importance of beefing up cyber security and cited escalating cyber threats.” Also this past week, Director of National Intelligence James R. Clapper listed cyber as the number one threat in the annual global threat assessment, and the Government Accountability Office reported that emergency services like 911 are no longer safe from cyber attacks.
This alarming trend continues, as shown by the annual report recently released by the office of the Director, Operational Test & Evaluation (DOT&E). In it, chief weapons tester Michael Gilmore warned that the military’s major weapons systems are “insufficient to protect against a determined or well-resourced cyber adversary and warfighter missions should be considered at moderate to high risk.”
Gilmore also criticized the lack of rigor and unrealistic nature of the DOD’s operational testing. The assessments that were completed focused mostly on lower-tier defenses. In the few tests that were done, red teams “were consistently able to penetrate and exploit networks.” He also discovered that “fundamental problems” with the weapons systems “could have been uncovered and resolved in early phases of development and testing,” but were not, because of poor testing.
Gilmore points to national security spending cuts as one of the reasons for the lack of developmental testing. The report warned that these defense cuts overseen by the Obama Administration—which are affecting much of the military—are “constraining the ability of DOT&E assessment teams to observe and assess network defenses.” This is particularly dangerous because, as Gilmore added, “the asymmetric nature of cyber operations permits even a single default or discovered password to lead to rapid exploitation of the network.”
To counter these cyber threats, Congress should build on cost-effective, cooperative policies like the Defense Industrial Base Voluntary Cyber Security and Information Assurance Program. Congress should also work to improve security within “all tiers of the supply chain,” which the GSA warns is “under constant attack,” through a voluntary supply chain accreditation program for technology producers. Furthermore, it is vital that Congress provide a robust defense budget to restore the military’s capabilities and readiness, not only for cyber resilience, but for traditional defense as well.
While the U.S. is beginning to act on cybersecurity, it is clear that it still has a long way to go.
Jared Ferris is currently a member of the Young Leaders Program at The Heritage Foundation.