Mike Weigand, CEO, Shift5
Just under two years ago, the U.S. Government Accountability Office, in the report GAO-19-128, called upon the Department of Defense (DOD) to take urgent action to protect military weapons systems and critical infrastructure from cyberattack.
This may come as surprise to those who know we’ve been thwarting cyberattacks for over 50 years—at least since 1971, when the first few users of the network ARPANET (think of it as the first version of the Internet) were interrupted by a screen display that read, “I’m the creeper, catch me if you can.” It ended up being a “worm,” or computer virus that replicated and spread to other systems. Fortunately, the effect was limited to displaying messages on affected computers.
Over ten years later, in 1983, the first U.S. patent for a cybersecurity technology was granted to MIT for a “cryptographic communications system and method,” introducing the RSA (Rivest-Shamir-Adleman) algorithm, which was recognized as one of the first public key crypto-systems. Clearly, just as the technology stack—devices, software, hardware, and networks—has become more sophisticated, so has the ability for adversaries to shut them down, cause significant damage, or even loss of lives. If we have known about this potential threat and have witnessed its damaging impacts across industries, why is it just now becoming a priority for DOD military weapons systems?
What Has the Past Taught Us About the Future?
One thing we know, despite fiction of Hollywood, is that we can’t go back in time to rebuild military weapons systems with cybersecurity capabilities. But in this case, hindsight isn’t 20/20. While we haven’t had a major public cyberattack on military systems in the United States, are we waiting for something to happen after which we will fix the problem?
Given what we know about IT cybersecurity vulnerabilities and the multiple attacks and breaches plagued by governments around the world and across other highly regulated industries, such as financial services and telecommunications, DOD at least has the sense that it isn’t a question of “if” military weapons systems will be attacked, it is a question of “when” and that the likelihood increases daily.
It is certainly good news that the federal government has shined a light on these mission-critical cyber vulnerabilities, but will issuing and revising policies and guidance to better incorporate cybersecurity considerations and enhancing testing, be enough? Those of us in the private sector believe not necessarily. So many of us have built our company missions on helping public and private sector companies secure networks, systems, hardware, and software because we are aware of the problem and want to do everything we can to mitigate the impact of adversaries. Why isn't there a clear solution?
The report exposes the issues and factors that contribute to the current state of DOD weapons systems’ cybersecurity, and the vulnerabilities in weapons that are under development, but it falls short of offering solutions outside of a plan to begin initiatives to better understand and address cyber vulnerabilities. This is because the scale and complexity of the security vulnerabilities are immense across the enterprise:
- Many weapons systems (over 80%) utilize redundant serial data buses to communicate critical information between embedded computers, called Line Replaceable Units (LRUs), but the bus protocols aren’t designed to provide data message authentication and therefore redesigning and integrating with more secure LRUs is cost prohibitive.
- DoD is experiencing cybersecurity workforce challenges and has difficulties sharing information and lessons about vulnerabilities across programs and services.
- Rigorously testing all military weapons systems down to the subcomponent and firmware level is too costly and time consuming and therefore it is impossible to identify all of the vulnerabilities that an adversary could exploit.
More Sophistication Means More Cybersecurity Attacks
Today’s military weapons systems have certainly evolved and are far more sophisticated than their early models, with significant connectivity and automation benefiting improvements in lethality, mobility, and communications, directly improving successful execution of missions.
But with automation and increased connectivity come significant security challenges, further complicated by diversity across embedded operating systems, hardware, software, and other subcomponents from different manufacturers all communicating together. While we are building up our systems to make them more capable, we are also making them more susceptible to cyberattacks.
Picture a real military mission platform, one that requires a highly complex, integrated system of sensors, communication systems, embedded compute, and physical control systems, all communicating over unsecured and unmonitored embedded communication networks. What would a single disruption to a critical subsystem, say mobility or fires, do? Mission over.
Shift5 Protects Platforms from Cyberattack
Our mission at Shift5 is to defend operational platforms across the entire cyberattack lifecycle. And although the GAO report specifically addresses military weapons systems, adversaries can apply their same tactics to any Operational Technology (OT) platform across the commercial and industrial landscape, impacting national or economic security there as well. We have developed the most cost-effective, single-security appliance that directly addresses the cyberattack vulnerabilities emphasized in the GAO report to protect major weapons and commercial systems against all phases of cyberattack, while enabling operators, commanders, maintainers, and incident responders with operational insights to better understand systems’ security and operational health.
We’d love to show you how! Contact us at firstname.lastname@example.org to schedule your demonstration today.