U.S. firepower could be crippled by software flaws. The Pentagon has been slow to respond.

October 16, 2018

by Brian E. Finch  Mr. Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he is a leader of the firm’s cybersecurity team. His clients include cybersecurity vendors that may support the U.S. Defense Department under Comply to Connect.


Modern American military history is replete with examples of poorly designed weapons. Submarine torpedoes failed to explode after hitting Japanese ships. M16 rifles only could be counted on to jam in the middle of a firefight in Vietnam. Pentagon planners have since spent countless hours and billions of dollars to create acquisition programs that wring the bugs out of U.S. arms before they reach the hands of soldiers and sailors.

Despite the hard work, the U.S. still fields weapons systems with dramatic weaknesses. A new Government Accountability Office auditthis month indicates that huge swaths of American firepower could be rendered inert by software flaws. There are solutions to the cyber weaknesses plaguing our arsenal, but bureaucratic inertia at the Defense Department is hampering their implementation. Faster action is needed to clear the logjam and harden America’s weapons before it’s too late.

The GAO could not have been clearer about the threat: “A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.” American ships, airplanes, combat vehicles, satellites and other systems have design flaws that leave them vulnerable to debilitating cyberattacks. Meanwhile, the Pentagon is growing more reliant on automation and artificial intelligence.

The threat is far from hypothetical. Over the past decade, adversaries such as China and Russia have electronically stolen the technical plans for essentially every major project undertaken by the U.S. military, including the advanced Patriot missile system, the littoral combat ship and the F-35 Joint Strike Fighter. With those blueprints, rivals can try to take over U.S. weapons.

They can also try to fool critical military subsystems. Iranian interference with global positioning systems is suspected to be behind the capture of an American drone in 2011 as well as the 2016 “navigational error” that led to the detainment of a U.S. Navy patrol boat.

In 2015 Congress directed the Pentagon to develop plans to mitigate the cyber vulnerabilities of its weapons systems. In response, the Pentagon has been conducting vulnerability evaluations, but the GAO found the evaluations limited in scope and in need of monitoring and coordination.

The Pentagon has to pick up the pace dramatically and deploy measures to improve the cybersecurity posture of its weapons systems significantly. One such example is the Comply to Connect program, which Congress directed the military to implement in 2016. C2C tracks which devices are connected to Pentagon networks and assesses if those devices pose a security risk, allowing military officials to decide whether to upgrade each device’s security or remove it from the network.

C2C is no “moonshot” program. It was piloted by the Marines and Air Force at least five years ago, with terrific results that led to sporadic implementation in pockets of the Pentagon. In each case, C2C tools enabled cybersecurity officials to identify thousands of previously undetected network-connected devices quickly and remove them or bring them into compliance with security requirements. Meanwhile, the Department of Homeland Security has successfully installed its version of C2C, the Continuous Diagnostics and Mitigation program, on nonmilitary systems across the U.S. government.

Yet the Pentagon remains slow in deploying the C2C across all systems, so much so that Congress was forced to reissue its directive to implement the program in the latest defense authorization bill.

Expediting C2C’s deployment is just one way the Pentagon could close the gaping holes in its cyber defenses. Centralizing cybersecurity programs for weapons systems in a single office would also be helpful, along with ensuring programs like C2C cover more devices as the Internet of Things grows.

Securing weapons systems for the sprawling behemoth that is the Pentagon is a massive undertaking, but it must become a top priority. Anything less will put Americans in uniform at risk.

Mr. Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he is a leader of the firm’s cybersecurity team. His clients include cybersecurity vendors that may support the U.S. Defense Department under Comply to Connect.




Leave a Reply

Search All Posts