Red teaming isn't easy

The IT that supports the armed force's new Joint Strike Fighter is a complex system that serves as an example of the widening cybersecurity blind spots that can confront agencies, according to one Defense Department expert.

While the Autonomic Logistics Information System (ALIS) provides a single information environment for the Joint Strike Fighter's operations, maintenance, prognostics, supply chain, customer support services, training and technical data, it was also designed without considering some critical cybersecurity aspects, said Dr. Michael Gilmore, director of operational test and evaluation in the Office of the Secretary of Defense.

Experts on an Oct. 20 cyber resiliency panel sponsored by the Consortium for IT Software Quality in Arlington, Va., pointed to the rapidly growing Internet of Things as a difficult obstacle to cover, especially for complex defense systems.

Standard cybersecurity testing that's taken for granted to protect commercial IoT systems, Gilmore said, are not easy to get implemented in the defense environment. Unlike the standard continuous "red team" testing many commercial companies do on their software and system cybersecurity systems, the JSF and ALIS hadn't been developed with that kind of immediate, hands-on cybersecurity process. For instance, he said, ALIS requires workstations to be distributed across the globe to support the aircraft's deployment.

"That means all kind of people worldwide will have access" to the system and the aircraft's systems, he said.

There are other issues as well, Gilmore said.

 "If ALIS goes down, there was no thought about how to restore it" during the development of the system, he said. Also, getting defense program management offices to accept "red teaming" of systems, he said, "has been a struggle."

"It took months to get [JSF's contractor] Lockheed to arrange red team tests for the aircraft," he said. To be truly secure, both ALIS and the aircraft itself need to get red team tests to they're vulnerable. The aircraft can't get in the air without ALIS, he said.

Although there are efforts to develop cybersecurity testing in the defense procurement process, those efforts have been stalled, said Gilmore.

Intensive, immediate testing for system vulnerability, according to Gilmore and other federal officials on the panel, isn't as common across the federal acquisition process as it should be.

Getting basic, specific cybersecurity language into federal contracts, said Gilmore, is a problem. Without it, he said, security is hard to pin down. Program management offices at vendors will say "'It's not fair to test that way because it's not in the contract specifications,'" he said.

"Until you get meaningful metrics in specifications, the rest is just nonsense," he said.

"There's not a lot of specificity" in the cybersecurity language in solicitations to industry, said Ray Letteer, chief of the Marine Corps' Cybersecurity Division. Letteer, speaking on the same panel, said the Marine Corp. uses its Cyber Range to "test the [expletive] out of systems" it plans to deploy to produce quantifiable data on them that can be addressed.

Martin Stanley, the branch chief of the Department of Homeland Security's Cybersecurity Assurance Branch, said his agency has found that below the need for cyber specifications, lies a more fundamental requirement to get basic IT practices and governance in place. "We share a lot of the same findings in civilian agencies and we're focusing on securing high value assets" under the president's Cybersecurity National Action Plan. As that assessment moves along, he said, the agency is finding that "basics matter."

DHS' review of other federal agencies under CNAP has found that some system's boundaries aren't well known by some operators, and that others have segmentation issues.