Cyber security remains an issue for Army acquisition, and the solution may mean investing in resources to take some defense contractors completely “off the net,” according to the principal military deputy to the Army acquisition chief.
The Army is well poised to stop cyber attacks by independent criminals, but when an attack is sponsored by a nation such as China, the odds of repelling it get dicey.
“From a novice, we got you covered. From an intermediate, we probably have you covered,” Lt. Gen. Paul Ostrowski said at an Association of the U.S. Army event Tuesday. “But if you’re a state actor, your ability to tap into stuff is probably pretty extensive.”
The concern about cyber security has rippled throughout the military, but is especially important for each service as they acquire new technology to outmatch peer-adversaries.
The Army has been undergoing an expensive modernization initiative, which includes building out long-range fires, getting soldiers new combat gear, developing directed-energy weapons, testing future vertical lift platforms and more.
But major breaches, like the 2018 hack of Pentagon travel records, risk sensitive personnel information. And continued cyber attacks against defense contractors can compromise innovation and intellectual property rights.
“My stuff’s out there. The Chinese have already broken into my stuff. The personnel system has been broken into,” Ostrowski said. “This is something that has risen to the top of the concern list. Not only within the Army, but within [the Office of the Secretary of Defense].”
A team has been stood up by the acting deputy defense secretary and charged with looking into stemming cyber breaches.
At the moment, the best solution appears to be investing in taking some defense contractors offline, Ostrowski said.
That means putting in more money to buy the IT systems necessary to take companies working on classified material off the net so that their data can’t be accessed externally by hackers.
“If you’re on the net right now, you’re vulnerable,” Ostrowski said. “Now that’s not going to stop an inside threat, because they can download stuff. You know that’s going to potentially happen.”
An internal threat could involve an individual inserting a thumb drive, sometimes by accident, into a computer and infecting that system with malware. Or it could involve someone with technical expertise, like a system administrator or programmer, who is knowingly acting on behalf of a foreign government.
While defense contracts already require companies to provide basic cyber security measures, “it doesn’t really mean a whole lot and nobody is enforcing it with respect to industry,” Ostrowski added. “And they’re just as vulnerable as we are on our side.”
“The only way we’re going to prevent that from an outside attack — can’t do anything about the inside — is get you off the net,” he said. “And we may be in a position where we need to invest in companies to make that happen. So that’s just one way I’m looking at.”
Cyber vulnerabilities exist within older military systems as well, such as the upgunned Stryker-Dragoon fleet in Europe.
An annual report from the Director of Operational Test and Evaluation for the Pentagon stated that “adversaries demonstrated the ability to degrade select capabilities of the [Stryker-Dragoon] when operating in a contested cyber environment.”
That Stryker variant was beefed up with 30mm cannons on some and others with remote-firing Javelin missiles, making it better ready to take on light armored and armored threats.
The Pentagon report stated that the Stryker-Dragoon and the Stryker CROWS-J, or Common Remotely Operated Weapons Station – Javelin, both have “cybersecurity vulnerabilities that can be exploited.”
The report added that in most cases, the exploited vulnerabilities predate the upgrades.
In March, Army Gen. Paul Nakasone, head of U.S. Cyber Command, laid out to Congress the escalating cyber war that the U.S. government is facing, noting that a major deterrent to cyber attacks involves “defending forward” with persistent engagement by providing information and intelligence regarding threats.
“The other foundational concept of persistent engagement is to act,” Nakasone said. “Act is everything from understanding what our adversaries are doing within their networks [to] providing early warning.”
“But, it’s also the idea of sending teams forward,” he said regarding countering Russian attempts to meddle in last fall’s midterm elections. “So, we sent defensive teams forward in November to three different European countries. That’s acting outside of our borders that imposes costs against our adversaries.”