New Report Indicates DOD Networks Still Vulnerable to Cyber Attacks
U.S. Department of Defense (DOD) networks and weapon systems remain vulnerable to adversarial cyber-attacks, and programs such as the Joint Regional Security Stacks and Cyber Protection Teams aren’t meeting expectations, according to a report from the office of the Director, Operational Test and Evaluation (DOT&E) published Jan. 25. The DOT&E report, which collects testing assessments from FY 2017, finds that, while some aspects of network defenses have improved, there are still persistent flaws with software patching, deploying new cyber defenses and meeting expertise needs.
“DOT&E assessments over the past fiscal year confirmed that the conclusion from previous years is still valid — DOD missions and systems remain at risk from adversarial cyber operations,” wrote DOT&E officials in their report. “Assessments during Combatant Command training exercises confirmed that DOD cyber defenses are improving, but not enough to stop adversarial teams from penetrating defenses, operating undetected, and degrading missions.”
Operational tests over the last fiscal year showed continuous mission-critical vulnerabilities in DOD network defenses and acquisition programs, according to the report. DOT&E assessments have shown that, without immediate improvement to network defenses, skilled adversaries will be able to gain significant access to systems holding information on warfighter missions and future plans.
The DOD-wide Joint Information Environment (JIE) program is behind on operational testing, and officials have yet to make important capability fielding decisions. DOT&E has recommended conducting thorough cyber security testing of all JIE capabilities before continuing its expansion.
The Joint Regional Security Stacks (JRSS) effort to better protect information networks also isn’t meeting expectations. DOT&E has recommended discontinuing JRSS capability deployment until the program can demonstrate it is capable of fully detecting and responding to operationally realistic cyber-attacks. Similar issues exist with the Cyber Protection Teams (CPTs) tasked with deploying JRSS technology, according to DOT&E.