In the fifteen months since Putin’s unprovoked and illegal invasion of Ukraine, the Ukrainian armed forces have been engaged in what some have called the first hybrid war, combatting their invaders on the ground, in the air, at sea, and in cyberspace at the same time. As the largest military conflict of the cyber age, there is much to be learned from the war in Ukraine. But today, one thing is already clear: weapon systems are vulnerable to cyberattack.
In recent years, there has been a growing drumbeat of warnings about the vulnerability of American weapon systems. In its January 2023 report Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight, the Government Accountability Office raised warnings about mission-critical vulnerabilities and security risks to Operational Technology assets – such as the Department of Defense’s weapon systems. As far back as 2018, GAO had raised the issue in its report, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities; very little has changed in the ensuing five years.
There is, however, reason to be hopeful.
In recent months, many senior leaders at the DoD and in Congress have all approached weapon system’s vulnerabilities with a renewed sense of urgency.
In March, DoD Chief Information Officer John Sherman testified before the House Armed Services Subcommittee on Cyber, Information Technologies and Innovation that, “While we didn’t necessarily have to worry about terrorists and insurgents hacking into our jets, ships or tanks over the last 20 years, we know that nation states will [now] certainly try to do so.” At an April 2023 Senate Armed Services Subcommittee on Cybersecurity hearing, General Paul Nakasone noted that “when a foreign power like China can get into our networks, our data, and our weapon systems, that puts our Nation at risk.”
The demand signals are clear that now is the time to act. We need to turn those demand signals into clear actions. Considering a three-pronged approach, the Department has a tremendous opportunity to secure our systems, increase operational readiness, and leverage data to deter aggression from pacing threats.
Protection: First, we must protect weapon systems in contested environments where they could be compromised. Applying proven network security solutions is a critical line of defense, so that attacks on connected onboard IT cannot infiltrate connected onboard OT networks which are the critical but often ignored embedded communications systems that literally make most weapon systems shoot and move. Warfighters must also be trained on preventive practices – as Secretary Austin often says, the DoD’s most critical asset is their personnel, both in and out of uniform.
Maintenance: Second, weapon systems are also at risk if they can’t keep up with the maintenance demands. Another recent GAO report, “Actions Needed to Further Implement Predictive Maintenance on Weapon Systems”, called out the DoD for being woefully behind on implementing advanced maintenance techniques required to sustain readiness. With fewer than 10% of DoD aircraft fleets meeting their annual maintenance objectives over the last two decades, and the average age of everything from Naval vessels to Army tanks growing longer in the tooth, maintenance is increasingly serious and difficult business.
But operators and maintainers lack methods to get comprehensive OT data off their platforms. Solving this significant part of the problem provides vast amount of data, enabling insights into component, system, and fleet conditions so operational readiness can be improved. That brings us to the third prong, which is to affect proper stewardship of that data – capturing, translating, enriching, storing and processing it to maximum benefit.
Data: To echo Lt. General Christopher Donahue’s message from Scarlet Dragon, “we have to get our data straight.” Following the January instance of the exercise, Donahue further added that, “whoever can control and access the right data will win or have a decisive advantage in conflicts today and tomorrow.” This is exactly the sort of forward leaning approach to modernization that should be adopted across the entire Department. Congress is paying attention, too. As the Pentagon looks to integrate advanced capabilities like AI/ML in to weapon systems,
West Virginia Senator Joe Manchin recently called data “the DoD’s most crucial resource in AI development,” at a recent Senate Armed Services Subcommittee on Cybersecurity hearing where the issue was extensively discussed. Just as kinetic capabilities are crucial to success on the ground, so too is data crucial to operational success in cyberspace. Modernization initiatives like Combined Joint All Domain Command and Control – an important initiative that will have massive implications for the joint force of tomorrow – simply will not work if our endpoints and the data they generate are not protected and utilized to their best advantage. By democratizing data and ensuring the responsible curation of that data, DoD can also gain additional benefits from innovations in AI-powered capabilities for cyber, maintenance, and operations.
The National Defense Science & Technology Strategy 2023 plainly states: “The challenges we face modernizing our defense science and technology enterprise have been decades in the making. Moreover, we now face in the People’s Republic of China a strategic competitor with access to cutting-edge research and development and the will to mount a sustained challenge to a stable and open international system. This represents a clear challenge to the DoD’s technological edge.”
To put an even finer point on it: These practices must be implemented now. They cannot wait. The threat could not be more stark, and the opportunity to make demonstrable change could not be more clear -- the Department must act now to better protect their national security assets on which our warfighters and intelligence professionals depend. Let’s get our data straight and secure our systems, to be best postured to deter aggression.
Mike Weigand is Co-Founder and Chief Growth Officer at Shift5, a supplier of data management tools and services to military and industry.