The U.S. Defense Department is taking aggressive action to bolster the security of U.S. weapons systems against cyberattacks, including issuing new acquisition rules that will be finalized in the coming months, officials said.
In addition to the acquisition policy, the department is producing a guidebook to help program managers assess the cost and risk tradeoffs in structuring new weapons programs and making them more secure, said Assistant Secretary of Defense Katrina McFarland.
In January, the department's chief weapons tester told Congress that nearly every U.S. arms program showed "significant vulnerabilities" to cyberattacks, including misconfigured, unpatched and outdated software. Both documents should be completed in the fourth quarter of this fiscal year, which ends Sept. 30, McFarland said in an interview this week. She said officials were reviewing the documents to avoid inadvertently pointing would-be attackers to possible vulnerabilities.
Chief U.S. arms buyer Frank Kendall said this month that cyberattacks on U.S. weapons and manufacturers are a "pervasive" problem that requires greater attention. Increased focus on cybersecurity could create opportunities for Lockheed Martin Corp, General Dynamics Corp and other suppliers that do cybersecurity work for the Pentagon.
He said the Pentagon was also evaluating the risk of so-called insiders sabotaging weapons systems and had taken some "preemptive actions" to guard against that. McFarland said all major U.S. weapons programs had been reviewed for cyber vulnerabilities. New programs like the Air Force long-range bomber - to be awarded this summer - would benefit from getting the best protections from the start.
The new measures follow a change in federal defense acquisition rules announced last November that require Pentagon contractors to incorporate established security standards on the unclassified networks that they use to communicate with suppliers, and to report any cyberattacks that result in the loss of technical data from those networks.
Those standards had already been in place for classified networks. Halvorsen said some weapons systems and sectors were particularly targeted by hackers, but gave no details. He and McFarland declined to say if U.S. government networks or those of private companies had suffered any attacks similar to the attack that damaged some 30,000 computers at Saudi Arabia's national oil company in 2012.
Admiral Mike Rogers, director of the National Security Agency and head of U.S. Cyber Command, told lawmakers this week the United States was at a tipping point and needed to step up its offensive cyber capabilities. McFarland said the guidebook would ensure that program managers and acquisition officials did a better job sharing data about potential threats to avoid falling prey to the same malicious software twice.