Pentagon cyber security capabilities trail growing capabilities of potential adversaries

Vulnerabilities in the latest F-35 aircraft remain unaddressed, while veterans' medical records systems are wide open to hackers

The Pentagon's cyber security capabilities are increasingly being outpaced by the growing capabilities of the US military's potential adversaries, a blunt assessment by the Pentagon's combat testing office has warned.

The assessment report - prepared by Robert Behler, the US Defence Department's director of operational test and evaluation - also found that the US military has not yet fully developed an understanding of the measures that it will need to adopt to counter the use of artificial intelligence and automation by attackers.

The test office's annual assessment of cyber threats is expected to be discussed on Tuesday during a Senate Armed Services hearing with Pentagon CIO Dana Deasy.

Behler's evaluation found that the Department of Defense's (DoD) 'Red Teams', which test the defence capabilities of the military's networks, currently lack resources. Moreover, the Pentagon's cyber testing capabilities lack expertise and suffer from a shortage of software tools to evaluate software-intensive weapons systems.

"We have not reviewed the latest report, but the DoD faces significant challenges in securing its weapon systems from cyber threats," Cristina Chaplain, the Government Accountability Office (GAO) director, told Bloomberg in an email.

"DOD testers routinely found mission-critical vulnerabilities in systems under development, and in some cases, repeatedly over the years," she added.

According to Bloomberg, Red Teams recently conducted three successful cyber-attacks on Genesis - the new health care records management system created for the US Defence Department's Department of Veterans Affairs. The successful attacks indicated that the Genesis system will fail to survive in a cyber-contested environment.

Cyber security testing of Lockheed Martin's F-35 aircraft also found several vulnerabilities that had been identified previously, but still hadn't been addressed.

Earlier this month, a report from the Defence Department Inspector General (IG) highlighted more than 250 cybersecurity vulnerabilities in the Defence Department's networks. These vulnerabilities were found by multiple watchdogs between July 2017 and June 2018. Most concerning, some of these vulnerabilities were more than a decade old.

However, despite all those weaknesses, Behler's office did notice some improvement in defenders' abilities to resist attacks staged by in-house Red Teams.

Defenders have demonstrated increasing competence in identifying Red Team activity, although there is still huge scope to improve the accuracy and speed of processing reported incidents.