The Government Accountability Office report holds implications for cybersecurity considerations in procurement processes.
The Defense Department agreed with Government Accountability Office recommendations on the importance of highlighting reliability—a foundational principle of cybersecurity—in procuring weapons systems, amid consternation from some stakeholders about security requirements for such systems being assumed, rather than explicitly expressed.
“In an environment emphasizing speed, without senior leadership focus on a broader range of key reliability practices, DOD runs the risk of delivering less reliable systems than promised to the warfighter and spending more than anticipated on rework and maintenance of major weapon systems,” reads the report GAO released Tuesday.
As noted in a white paper by Ebonése Olfus, vice president of cyber strategy and emerging technologies at military technology company Envistacom, the reliability principle is closely tied to achieving a core cybersecurity feature: resilience.
“Resilience is related to survivability, which builds on the disciplines of security, fault tolerance, safety, reliability, and performance,” reads the paper.
GAO previously flagged the issue in a 2018 report that found “an entire generation of systems that were designed and built without adequately considering cybersecurity.”
“Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning,” GAO wrote. The 2018 report also noted that Defense required operational testing for major weapon systems to “reflect cyber threats with the same rigor as other threats” in a 2014 memo.
In the latest report, GAO found a majority of programs examined “did not effectively emphasize reliability with suppliers” and “deferred reliability engineering activities.”
The inspector general for Defense may be looking into the issue. In a Jan. 8 memo, the IG flagged an audit that would get underway this month “to determine the extent to which DoD Components took action to accept, mitigate, or remediate cybersecurity vulnerabilities identified during the cybersecurity test and evaluation of DoD acquisition programs.”
The IG’s memo said the office plans to audit military department cyber commands, the director of Operational Test and Evaluation within the Office of the Secretary of Defense, operational test agencies, combatant commands, and Defense acquisition programs.
“We may identify additional locations during the audit,” the memo said, adding, “We will consider suggestions from management on additional or revised objectives.”
Some stakeholders commenting Wednesday on weapons systems’ cybersecurity at a meeting of the Software Supply Chain Assurance forum, held under the Chatham House Rule, said the biggest part of the challenge is a lack of security requirements for suppliers of weapons systems.
“I’ve asked people on the joint staff: Why don’t you require secure software on certain weapons systems? The answer was, ‘it’s a weapons system, of course, it will be secure,’” one participant at the meeting, attended by public and private sector entities related to the Defense Department, said. “Well, no wonder we’re not getting it there.”