WASHINGTON — The Department of Defense must bolster its resilience in mission platforms in order to stay ahead of threats, a new think tank report says.

With the military’s shift toward great power competition, or conflict against nation states, its systems and platforms will be under greater stress than technological inferior adversaries battled during the counterterrorism fight of the last decade-plus.

Systems and networks are expected to be contested, disrupted and even destroyed, meaning officials need to build redundancy and resilience in from the start to work through such challenges. In fact, top defense officials have been warning for several years that they are engaged in conflict that is taking place below the threshold of armed conflict in which adversaries are probing networks and systems daily for espionage or disruptive purposes.

“Resilience is a key challenge for combat mission systems in the defense community as a result of accumulating technical debt, outdated procurement frameworks, and a recurring failure to prioritize learning over compliance. The result is brittle technology systems and organizations strained to the point of compromising basic mission functions in the face of changing technology and evolving threats,” said a new report out today by the Atlantic Council titled “How Do You Fix a Flying Computer? Seeking Resilience in Software-Intensive Mission Systems.”

“Mission resilience must be a priority area of work for the defense community. Resilience offers a critical pathway to sustain the long-term utility of software-intensive mission systems, while avoiding organizational brittleness in technology use and resulting national security risks. The United States and its allies face an unprecedented defense landscape in the 2020s and beyond.”

This resilience, is built upon three pillars, the authors write: robustness, which is the ability of a system to negate the impact of disruption; responsiveness, which is the ability of a system to provide feedback and incorporate changes on a disruption, and; adaptability, which is the ability to a system to change itself to continue operating despite a disruption.

Systems, the report notes, are more than just the sum of its parts — hardware and software — but rather are much broader to include people, organizational processes and technologies.

To date, DoD has struggled to manage complexity and develop robust and reliable mission systems, even in a relatively benign environment, the report bluntly asserts, citing problems with the F-35′s Autonomic Logistics Information System (ALIS) as one key example.

“A conflict or more contested environment would only exacerbate these issues. The F-35 is not alone in a generation of combat systems so dependent on IT and software that failures in code are as critical as a malfunctioning munition or faulty engine — other examples include Navy ships and military satellites,” the authors write. “To ensure mission systems like the F-35 remain available, capable, and lethal in conflicts to come demands the United States and its allies prioritize the resilience of these systems. Not merely security against compromise, mission resilience is the ability of a mission system to prevent, respond to, and adapt to both anticipated and unanticipated disruptions, to optimize efficacy under uncertainty, and to maximize value over the long term. Adaptability is measured by the capacity to change — not only to modify lines of software code, but to overturn and replace the entire organization and the processes by which it performs the mission, if necessary. Any aspect that an organization cannot or will not change may turn out to be the weakest link, or at least a highly reliable target for an adversary.”

The report offers four principles that defense organizations can undertake to me more resilient in future conflicts against sophisticated adversaries:

  • Embrace failure: DoD must be more willing to take risks and embrace failure to stay ahead of the curve. Organizations can adopt concepts such as chaos engineering, experimenting on a system to build confidence in its ability to withstand turbulent conditions in production, and planning for loss of confidentiality in compromised systems.
  • Improve speed: DoD must be faster at adapting and developing, which includes improving its antiquated acquisition policies and adopt agile methodologies of continuous integration and delivery. Of note, DoD has created a software acquisition pathway and is implementing agile methodologies of continuous integration and delivery, though on small scales.
  • Always be learning: Defense organizations operate in a highly contested cyber environment, the report notes, and as the department grows more complex, how it learns and adapts to rapidly evolving threats grows in importance. Thus, it must embrace experimentation and continuous learning at all levels of systems as a tool to drive improvement.
  • Manage trade-offs and complexity: DoD should improve mission system programs’ understanding of the trade-offs between near-term functionality and long-term complexity to include their impact on systems’ resilience.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In Cyber