The Pentagon’s new cybersecurity strategy, which it released late last month, says the Defense Department will counter cyber campaigns that threaten the U.S. military’s advantage by “defending forward” to block and stop such cyberthreats and by strengthening the cybersecurity of systems and networks that support DOD missions.
To do so, the strategy emphasizes that the DOD needs to adopt more commercial, off-the-shelf technology and procure IT solutions that allow the department to keep pace with commercial tech. Notably, the strategy document, an update to the Pentagon’s 2015 cybersecurity strategy, also says the department will use automation and data analysis to makes its defenses more effective.
The strategy sets five objectives the DOD will aim to achieve:
- Ensuring the Joint Force can achieve its missions in a contested cyberspace domain
- Enhancing Joint Force military advantages through the integration of cyber capabilities into planning and operations
- Deterring, preempting, or defeating malicious cyber activity targeting U.S. critical infrastructure that is likely to cause a significant cyber incident
- Securing DOD information and systems, including on non-DOD-owned networks, against cyber espionage and malicious cyber activity
- Expanding DOD cyber cooperation with allies, partners and private sector entities
Just weeks after the report was released, the Government Accountability Office released a report that found that, from 2012 to 2017, DOD testers “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”
GAO did not make any specific recommendations and said it will continue to evaluate the issue, but the report underscores the need for the Pentagon to ramp up its cybersecurity. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report says. “In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.”
How the DOD Aims to Enhance Cybersecurity
In the strategy document, the Pentagon says it will accelerate the development of cyber capabilities for both war fighting and countering malicious cyber actors.
“Our focus will be on fielding capabilities that are scalable, adaptable, and diverse to provide maximum flexibility to Joint Force commanders,” the strategy says. “The Joint Force will be capable of employing cyberspace operations throughout the spectrum of conflict, from day-to-day operations to wartime, in order to advance U.S. interests.”
To bolster the DOD’s cybersecurity defenses, the DOD says it will “make greater use of COTS capabilities that can be optimized for DOD use,” in addition to creating cyber capabilities tailored for specific operational problems.
The Pentagon says it will seek solutions that are affordable, flexible and robust and cut procurement times for software and hardware “in order to keep pace with the rapid advance of technology.” Additionally, the DOD says it will “identify opportunities to procure scalable services, such as cloud storage and scalable computing power, to ensure that our systems keep pace with commercial information technology and can scale when necessary to match changing requirements.”
The DOD is in the midst of selecting vendors for its massive, $10 billion Joint Enterprise Defense Infrastructure cloud contract. JEDI is designed to give the DOD greater access to commercial Infrastructure as a Service and Platform as a Service capabilities.
DOD also says it will “leverage COTS capabilities where feasible to reduce our reliance on expensive, custom-built software that is difficult to maintain or upgrade.”
Artificial intelligence and data analytics will also be key components of the DOD’s cybersecurity strategy. Notably, DOD also says it will “leverage automation and data analysis to improve effectiveness” of its cybersecurity and will use cyber enterprise solutions “to operate at machine speed and large-scale data analytics to identify malicious cyber activity across different networks and systems.”
DOD also plans to use these capabilities to improve its defensive posture and to “ensure that our cyber capabilities will continue to be effective against competitors armed with cutting edge technology.”