By: Bill Wright
Airman 1st Class Tevin Miller and Airman 1st Class Amanda Button, 707th Communications Squadron client system technicians, update software for computers that will be used on Air Force networks January 9, 2018, at Fort George G. Meade, Maryland. The 707th CS, aligned under the 70th Intelligence, Surveillance and Reconnaissance Wing, supports more than 5,700 global personnel and 57 National Security Agency missions with their 230 ‘Thunder Warriors.’ (Staff Sgt. Alexandre Montes/Air Force)
The modern U.S. military is the most effective fighting and peace-keeping force ever to form on Earth. Multiple factors make that true, but perhaps one of the most important is the cutting-edge technology the United States employs as a force multiplier. The ability to detect threats, move information and understand the battlefield that technology grants is critical to the modern war fighter.
However, the same technological prowess that is one of our biggest assets is also growing into one of our biggest liabilities.
In October 2018, a Government Accountability Office (GAO) report revealed that many current and in-development weapon systems do not adequately defend against cyberattacks. The report noted that the increasingly computerized and networked nature of Department of Defense weapon systems, along with their greater dependency on software and IT, has opened new attack vectors for adversaries to disrupt DoD operations.
Take, for example, a weapon system designed to use radar and tracking technologies, combined with computer systems, to identify and destroy enemy targets. This requires a highly complex, integrated system of radar arrays, target identification, threat tracking and networking that all must function seamlessly in real-time to execute a long and complex kill chain.
Unfortunately, any disruption to this kill chain (or to any similarly complex system) … kills the chain.
Shooting in the dark
The GAO report also cited visibility and detection capabilities (or lack thereof) as one of the greatest difficulties. After all, you can neither protect assets nor defeat threats you cannot see. This is a major challenge indeed, but also an opportunity.
That’s because adversary activity almost always leaves traces in log files: odd network traffic, unusual data being accessed, or unexpected log-in patterns. That’s why reviewing system log data for unusual occurrences is one of the most common ways to detect adversarial cyber activity.
But sifting through log data is one of those “easier said than done” jobs, especially when the right tools are lacking and the data arrives in no common format. That’s the case with today’s weapon systems. Indeed, the GAO report found that across multiple tests conducted by cyber red teams, the suspicious activity was recorded in system logs. However, those logs were never reviewed by operators. Worse, in some cases operators intentionally ignored warning systems that had alerted, because the warning status was “always red”: a textbook case of alert fatigue.
The challenge the DoD faces is not a lack of data — that would be harder to address — but a lack of the ability to read and understand the data it collects.
It’s all in the data
It goes without saying that weapon system cybersecurity is a challenge, and one that must be addressed if the United States is to maintain its mission readiness and confidence in its weapon systems. Hopefully, future weapon system designs will treat cybersecurity as a key performance parameter alongside the traditional ones. But for systems already deployed, improving visibility, the accuracy of alerts and the ability to automate responses to them would significantly benefit the DoD.
Sadly, data is messy. It often presents itself in unstructured and disparate streams. This makes it hard to understand and spot important information without the right tools. However, the DoD need not start from scratch.
Though weapon systems are unique in design and carry complex data structures, they are not fundamentally different from the complex networks and technologies that run other time-sensitive, high-impact, high-security operations, such as those of financial institutions. Both weapon systems and financial systems rely heavily on synchronization between multiple networks and technology nodes to execute a chain of events successfully. In other words, both run on data, and the experience of financial institutions offers insight into the tools needed.
What does that mean? It means DoD does not need to rebuild its existing systems, nor spend billions of dollars on rip-and-replace operations to harden them against cyberattack.
The challenges the GAO identified are not new problems. DoD should look to the current slate of security information and event management (SIEM) tools, which layer on top of existing information systems to collect and normalize log data and then apply correlation rules and, increasingly, machine-learning analytics to surface threat indicators in near real time. The most advanced SIEM tools will even allow the DoD to automate incident responses. One caveat applies: a SIEM sees only what a system exports, so deployed weapon systems will still need collectors or parsers for their proprietary data formats, and operators who are trained and required to act on the alerts the tool raises; otherwise the GAO’s finding of unread logs simply moves to a new console.
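The two problems the article raises, logs that record the attack but are never read in a usable form, and alerts that are "always red", come down to three steps a SIEM performs: normalize disparate sources into one schema, run a correlation rule over the merged stream, and suppress repeats so a persistent condition produces one alert rather than a wall of them. The following is an added example written for this page, not code from the article, from Splunk or from any DoD system. The hostnames, addresses and log lines are constructed, and the two input formats (a syslog-style SSH line and a JSON login event) stand in for whatever a real system emits.

```python
"""Normalize two log formats, correlate across them, and suppress repeat alerts.

Added example for this page; not from the article, Splunk, or any DoD system.
All hosts, addresses and log lines below are constructed sample data.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed source 1: syslog-style SSH authentication lines from one node.
SYSLOG_LINES = [
    "2018-10-09T02:14:01Z fcs-node1 sshd[812]: Failed password for maint from 10.20.1.77 port 51012",
    "2018-10-09T02:14:05Z fcs-node1 sshd[812]: Failed password for maint from 10.20.1.77 port 51013",
    "2018-10-09T02:14:09Z fcs-node1 sshd[812]: Failed password for maint from 10.20.1.77 port 51014",
    "2018-10-09T02:15:30Z fcs-node1 sshd[815]: Accepted password for maint from 10.20.1.77 port 51020",
    "2018-10-09T08:00:12Z fcs-node1 sshd[901]: Accepted password for ops from 10.20.3.5 port 40001",
    "2018-10-09T08:00:13Z fcs-node1 kernel: eth0 link up",  # unrelated line, dropped
]

# Constructed source 2: JSON login events from a different node, different field names.
JSON_LINES = [
    '{"ts": "2018-10-09T02:14:20Z", "host": "radar-ctl", "event": "login", "outcome": "failure", "user": "maint", "src": "10.20.1.77"}',
    '{"ts": "2018-10-09T02:14:40Z", "host": "radar-ctl", "event": "login", "outcome": "failure", "user": "maint", "src": "10.20.1.77"}',
    '{"ts": "2018-10-09T02:16:00Z", "host": "radar-ctl", "event": "login", "outcome": "success", "user": "maint", "src": "10.20.1.77"}',
    '{"ts": "2018-10-09T09:30:00Z", "host": "radar-ctl", "event": "login", "outcome": "success", "user": "ops", "src": "10.20.3.5"}',
    '{"ts": "2018-10-09T08:00:00Z", "host": "radar-ctl", "event": "heartbeat"}',  # not a login, dropped
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(text):
    """Timestamps in both sources are UTC 'Z' strings; parse to a naive datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_syslog(line):
    """Map one syslog auth line onto the common schema, or None if it is not a login."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m.group("ts")), "host": m.group("host"), "user": m.group("user"),
            "src": m.group("src"), "outcome": "failure" if m.group("outcome") == "Failed" else "success"}


def normalize_json(line):
    """Map one JSON event onto the same schema, or None if it is not a login."""
    d = json.loads(line)
    if d.get("event") != "login":
        return None
    return {"ts": parse_ts(d["ts"]), "host": d["host"], "user": d["user"],
            "src": d["src"], "outcome": d["outcome"]}


def detect_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: a source address with >= threshold login failures inside `window`
    that then logs in successfully. Runs over the merged stream, so failures
    seen by one node and the success seen by another still correlate."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "failure":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src": ev["src"], "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"], "failures": len(recent)})
    return alerts


def suppress(alerts, cooldown=timedelta(hours=1)):
    """Collapse repeats of the same (rule, src) within `cooldown` into the first
    alert plus a repeat count, so a persistent condition is not 'always red'."""
    emitted, last = [], {}  # last: key -> index into emitted
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["src"])
        if key in last and a["ts"] - emitted[last[key]]["ts"] <= cooldown:
            emitted[last[key]]["repeats"] += 1
            continue
        emitted.append(dict(a, repeats=0))
        last[key] = len(emitted) - 1
    return emitted


def run_pipeline(syslog_lines=SYSLOG_LINES, json_lines=JSON_LINES):
    """Normalize both sources, correlate, and suppress; returns the alerts to show an operator."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [e for e in map(normalize_json, json_lines) if e]
    return suppress(detect_bruteforce_then_success(events))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Run stand-alone, the pipeline produces exactly one alert for 10.20.1.77 (five failures across both nodes, then a success on fcs-node1) with the second success on radar-ctl folded in as a repeat. The point worth noticing is that the radar-ctl source on its own never crosses the threshold of three failures; only the merged, normalized stream exposes the pattern, which is the visibility argument the article makes about a common data language.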
In fact, financial-sector organizations like the Financial Industry Regulatory Authority (FINRA) are already using data to gain visibility into their networks, detect odd behaviors and set up smarter alerting and remediation practices to safeguard the investors, traders and companies that rely on them. So, too, is Nasdaq.
A future without fighting is still dangerous
“The supreme art of war is to subdue the enemy without fighting.”
Sun Tzu likely wasn’t referring to adversarial cyber operations some 2,500 years ago, but in the 21st century his words take on new meaning. In an age of extraordinary reliance on technology, cyberwarfare holds the potential to disable or subdue an enemy without a shot being fired.
Strengthening the cybersecurity of our weapon systems should be an ongoing priority for DoD. It won’t happen overnight, but Department of Defense leaders should rest assured that solutions exist to make it possible. The data is there; the tools exist.
Bill Wright is director of federal government affairs at data analysis company Splunk.