Russia’s war with Ukraine is an act of ruthless ambition exemplifying the commitment of President Vladimir Putin to achieve “victory” at all costs. The motions of a hybrid war are in swing, as we witness the fusion of conventional and unconventional tools of conflict on the battlefield. Russian state-backed actors have employed cyber operations to disrupt, degrade, and deny Ukrainian infrastructure, including its power grid, transportation networks, and satellite communications. Encoded in Russian cyber doctrine is the reliance on asymmetric tactics to create parity with, or gain advantage over, adversaries. As the conflict fans wider and deeper, U.S. defenders and policymakers must consider additional nonconventional capabilities Russia may implement to gain battlefield advantage. One such possibility is the use of cyberattacks against modern Western weapon systems.
Many weapons systems are built upon technologies that carry inherent digital vulnerabilities, making them susceptible to cyberattack. As the possibility of a miscalculation that results in a NATO/Russia confrontation increases, so does the risk of exposure of such digital weaknesses.
Power to create improvements in weapon system cybersecurity exists within the U.S. Congress; however, with each passing fiscal year, policymakers lose opportunity to buy down the fiscal burden of remediation. Known digital vulnerabilities in Joint Force weapon systems introduce unintended and unrealized risk from technologically advanced adversaries, and Congress has the opportunity to address them in the National Defense Authorization Act (NDAA) for Fiscal Year 2023.
Battlefield within weapons systems
The seminal 2018 Government Accountability Office (GAO) report, “Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities,” represents an inflection point. The report revealed mission-critical cyber vulnerabilities in nearly all developmental and prototyped Department of Defense weapon systems. Declassified examples aren’t rare:
- A 2021 briefing from the DOD Inspector General revealed cybersecurity vulnerabilities in a B-2 Spirit Bomber, guided missile, missile warning system, and tactical radio system.
- The 2018 annual report from the Director of Operational Testing and Evaluation found legacy variants of the Infantry Carrier Vehicle are susceptible to cyberattack in contested environments.
- A 2021 GAO report demonstrated the ease with which an adversary could compromise and assume control of weapon system platforms, undetected.
Several challenges make weapon systems difficult to secure. Supply chain disruptions are one, as are the compatibility and maintenance supportability of systems with decades-long lifecycles. The modernization of legacy weapon system technology with bolt-on information technology (IT) and operational technologies (OT) is another. OT components control the most sensitive functions of aircraft, ground combat vehicles, and artillery, like engine and transmission controllers and braking systems. Converged OT and IT are under-secured, creating opportunities for adversaries to penetrate critical environments, move laterally across defense networks, and wreak havoc on operations.
National Cyber Director Chris Inglis recently said enhanced scrutiny must be applied to OT as “critical functions depend upon that to an even greater degree than they do upon general-purpose IT.”
Awareness into action
Beginning with the FY 2016 NDAA, Congress has directed multiple reports aimed at scoping the extent of digital vulnerabilities of DOD weapon systems; however, it has failed to assign accountability measures or appropriate commensurate funding to remediate them.
There are several instances of congressional efforts to drive awareness. The House Armed Services Future of Defense Task Force issued a 2020 report concluding the volume of vulnerabilities within weapon systems, compared to the threat from adversaries, presents a national security risk. The 2020 Cyberspace Solarium Commission legislative proposal recommended DOD assess and address cyber vulnerabilities of weapon systems annually.
This year, the Undersecretary of Defense for Research and Engineering and Chief Technology Officer for the DOD released a memo unveiling a National Defense Science and Technology Strategy to strengthen U.S. military technology.
Notably, a 2022 letter from a bipartisan group of House Armed Services Committee (HASC) members commended the Department for efforts to ensure new weapon systems are developed with OT vulnerabilities in mind, reiterating the need for further work to address weaknesses in systems.
Other steps to take
U.S. Representative Jim Langevin, outgoing Chairman for HASC’s Cyber, Innovative Technologies, and Information Systems (CITI) subcommittee, recently stated that it’s time to move “from admiring the problem of cybersecurity to providing actionable solutions.”
There are promising homegrown initiatives emerging across the DOD, commercial providers developing innovative technologies, and ongoing military training to enable weapon system operators. For instance, this year’s Emerald Warrior exercise simulated cyberattacks within aircraft operations for the first time.
Such initiatives are important, but more is needed from the 2023 NDAA.
Expand existing programs: Given the evolving threat landscape and OT commonality among platforms, DOD should expand programs to cover a wider range of systems and establish plans to address cybersecurity vulnerabilities on older systems. At the core of these plans should be robust monitoring and discovery programs.
Include remediation upfront: Congress should approve language for inclusion in the NDAA around remediation for cyber incidents, and finalization of commercial technology maturation and expansion into DOD programs and weapon systems.
Create a baseline: Congress should include language directing the DOD to address serial data network vulnerabilities, certify a baseline to track technological improvements, and build upon efforts to reduce cybersecurity risk.
Accountability measures: Codify mechanisms to assess progress against legislative and policy requirements. Such efforts would hold DOD responsible for ensuring the security and readiness of Joint Force Weapon Systems.
Russia’s willingness to engage in Ukraine, coupled with the potential for miscalculation on the battlefield that draws in NATO, increases the urgency with which Congress and the DOD should secure weapon systems from cyberattack.
Few would dispute that maintaining control of weapons systems is a national security imperative to address immediately. Congress and the DOD should work diligently and quickly to require, fund, and deploy cybersecurity solutions that protect U.S. weapon systems as soon as possible.
Whether a B-52 or Stryker, fully remediating legacy and modern weapons systems across the Joint Force requires investment today to ensure U.S. and NATO maintain a strategic advantage if called upon to perform operations tomorrow.
Alexander Gates is the chief research officer at OT cybersecurity firm Shift5. He previously had a 40-year career serving at some of the highest levels of U.S. national security in the areas of cyber threat, signals intelligence, research, and information assurance. He served in the U.S. Air Force; led cyber initiatives at the NSA, including standing up its Threat Operations Center; and as a former Senior Advisor for Cyberspace at the U.S. Department of Energy, he led intelligence-driven initiatives to secure the nation’s electric grid. Gates has also represented the NSA and DOE at the White House and Pentagon, and before congressional committees.