The 138-page report by the panel of civilian and government experts bluntly states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are “fragmented” and the Defense Department “is not prepared to defend against this threat.”
The report lays out a scenario in which cyberattacks in conjunction with conventional warfare damaged the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses.
In one of the more critical comments, the report notes that Pentagon “red” teams established to test the military’s cyberdefense abilities have “relative ease . . . in disrupting, or completely beating, our forces in exercises using exploits [software] available on the Internet.”
The 33-member task force recommends a strategy combining deterrence, refocused intelligence priorities, and a stronger offense and defense.
“Defense can take you part of the way, but it needs to be balanced with cyber-offense and conventional capabilities,” said Lewis Von Thaer, task force co-chairman and president of General Dynamics Advanced Information Systems.
The Pentagon cannot be confident that its military computer systems are not compromised because some use components made in countries with high-end cyber-capabilities, the report says. It says only a few countries, including China and Russia, have the skills to create vulnerabilities in protected systems by interfering with components.
To illustrate the danger, the report describes a recently declassified Cold War-era case in which the Soviets modified IBM Selectric typewriters used at the U.S. Embassy in Moscow so that every keystroke was transmitted to a nearby listening post.
The report advocates establishing a clear response strategy for cyberattacks, outlining the need to use offensive cyber-capabilities preemptively or in response to an attack when the president decides it is appropriate.
The report calls for better understanding of the parameters of a full-scale military conflict in cyberspace, which it said could include hundreds of simultaneous, synchronized offensive cyber-operations.
The Pentagon’s Cyber Command is in the process of expanding by as many as several thousand personnel, some of whom will focus on offense. But Von Thaer said “there’s still a lot of work to be done” to master the staging of military cyber-operations.
In describing a potential conflict with a skilled adversary, the report says that attackers could crash servers, corrupt data, tamper with the supply chain and insert malicious software into critical systems. The cyberattacks could be combined with conventional attacks at sea and in space.
“U.S. guns, missiles and bombs may not fire, or may be directed against our own troops,” the report warns, and military commanders “may rapidly lose trust” in their ability to control their forces or to conduct counterstrikes.
The task force concluded that protecting every military system from cyberthreats is not feasible. Instead, the report recommends isolating critical systems and weapons, and equipping small numbers with advanced defensive measures to ensure they survive an attack.
Some experts tempered such scenarios. “These things are really harder to do than they look,” said Martin Libicki, a cyber expert at the RAND Corp. “If you don’t have real time control over a system, it’s very difficult to get something to malfunction at a time and a place of your own choosing.”
The report also raises questions about whether the command-and-control systems for U.S. nuclear weapons are evaluated sufficiently for vulnerabilities to cyberattack and sabotage.
A senior defense official said the Pentagon “has great confidence that our nuclear command, control and communications systems are secure, reliable and resilient.”