The United States Department of Defense (DOD) is tasked with the mandate of keeping the nation secure against domestic and international threats. In order to fulfill this mandate, the department needs to build a robust infrastructure that combines the latest technologies through which it detects and eliminates threats. For the most part, the DOD has successfully adopted strategies, structures and processes that enhance its capacity to protect the American people. However, a review of its cybersecurity strategy and the condition of its infrastructure indicates that there are numerous vulnerabilities that expose the department to the threat of attacks that could have devastating consequences. From its outdated computers to its failure to adopt the latest security protocols, there are multiple avenues that hackers can exploit to attack the DOD’s cyber system. If the department is to be successful in fulfilling its obligations to the American people, it needs to urgently implement a raft of measures designed to address the vulnerabilities and eliminate risks. Unless it adopts these measures, the department’s systems could become a gateway for hackers who wish to cripple America’s defenses.
Vulnerabilities and Risk Profile
Vulnerabilities
In order to understand the need for urgent action at the DOD, one simply needs to examine the numerous vulnerabilities that exist in the department’s systems and networks. Recently, the US Government Accountability Office (GAO) released a scathing report in which it identified the vulnerabilities in the weapon systems that the DOD employs in its missions. According to the DOD, these systems are so vulnerable that an adversary who possesses appropriate competencies can assume control of the systems (GAO, 2018). In the report, GAO noted further that the DOD relied heavily on computers to manipulate its weapon systems. The computerization of the department’s systems introduces new vulnerabilities that can be exploited by adversaries keen on causing harm. It is clear that the DOD needs to address the vulnerabilities because the US faces threats on various fronts and its adversaries could exploit these vulnerabilities to carry out attacks or weaken the nation’s defenses. Therefore, it is important for all concerned stakeholders to play their role and ensure that the nation is secure against any and all forms of cyberattacks.
The vulnerabilities at the US DOD extend beyond its weapon systems that have been discussed above. Writing for The Hill, Mario Trujillo (2016) identified the DOD as among the government departments whose systems are deeply flawed, thereby exposing them to the risk of cyberattack. In his article, Trujillo notes that together with other departments and agencies, the DOD continues to use computers that were built in the 1970s (Trujillo, 2016). Outdated technologies are among the vulnerabilities that provide attackers with the opportunity to infiltrate an organization’s networks and computer systems. Partnering with Jansen van Vuuren and Zaaiman, Grobler (2011) penned an article that focuses on the security risks that firms in South Africa face. Among the issues that they discuss is that owing to their continued reliance on outdated computers, these firms are at an elevated risk of suffering cyberattacks. The insights that Grobler and his colleagues share highlight the need for action at the DOD. In many cases, outdated computers run old software which lacks the features needed to secure against the latest cybersecurity threats. Furthermore, these computers were constructed using techniques and protocols that did not account for the complex cybersecurity threats that organizations face today. For the DOD to successfully honor its obligation, it must address the problem that its use of outdated computers presents.
Constant monitoring is among the practices that enhance cybersecurity (Yunfei et al., 2015). By monitoring their systems, organizations are able to detect vulnerabilities and attempts to infiltrate these systems. Recent revelations suggest that the DOD does not recognize the critical role that monitoring plays. According to GAO, it is only recently that the DOD began to develop a full understanding of the scale of its vulnerability (Nicholas & Chirgwin, 2018). It should worry the American people that the department tasked with the responsibility of detecting and thwarting threats does not routinely examine its own systems to ensure that they do not possess any flaws that can be exploited by adversaries. By failing to establish constant monitoring as part of its culture, the DOD essentially created a platform for adversaries to launch attacks. There is no doubt that the DOD desperately needs to reform its practices and culture. Its mission is simply too serious for the department to fail to eliminate loopholes.
The changes that an organization makes to its infrastructure as it seeks to prevent cyberattacks are indeed vital. However, unless accompanied with appropriate cultural reforms and the adoption of new and better policies, the impact of these changes will be limited. It has been observed with concern that the policies that the DOD implements in its cybersecurity affairs are inadequate to address the complex challenges that the world faces today (“Cybersecurity of Air Force”, 2015). According to the Rand Corporation, the DOD’s policies are rather simple and were designed for predictable situations. These policies make it nearly impossible for the department to brace for and actively tackle the sophisticated threats that America’s adversaries are developing. In its brief, the Rand Corporation noted further that the DOD’s structure lacks integration and this situation creates vulnerability (“Cybersecurity of Air Force”, 2015). For the department to effectively tackle cyber threats, all its units should work as a single unit. Integration holds the key to the adoption of standard guidelines and processes which will go a long way in insulating the organization’s networks and systems against attacks.
In an effort to enhance its defenses, the DOD has developed a program through which it invites members of the public to penetrate its defenses. Thanks to this program, the department has identified vulnerabilities and taken steps to fix them. However, the program has also revealed that the department’s defenses are ridiculously weak. There have been instances where individuals participating in the program have been able to successfully hack the department using simple tools and techniques (Szoldra, 2018). America’s adversaries employ more sophisticated tools and methods as they try to penetrate the defenses that the DOD has constructed. Since these defenses are rather weak, it can be expected that the country’s enemies will be able to conduct attacks with ease. Apart from the DOD-sponsored bug bounty programs, there are other initiatives that have revealed the deep flaws that could compromise national security. For example, there are security experts who, acting on their own initiative, have conducted an assessment of the DOD’s cybersecurity practices, networks and processes. The experts have observed that there are loopholes that hackers can use to gain personal information such as the names and addresses of the employees working at the DOD (Franceschi-Bicchierai, 2016). It is critical for the DOD to go beyond merely creating a “bug bounty” initiative. It needs to take more concrete steps to ensure that its systems are immune from all forms of cyberattacks.
It is true that for the most part, computer networks have been automated and the need for human involvement has almost been eliminated. However, the DOD continues to rely heavily on its human resources. The employees present another vulnerability. Experts have raised fears that some of the practices in which the employees engage could be exploited by hackers. For example, it is understood that the department’s employees are required to file compliance reports (O’Hanlon, 2017). This requirement makes it difficult for the employees to identify and fix vulnerabilities. As has already been noted, the modern military environment is characterized by fierce competition among adversaries. If the US is to maintain its dominance on the global geopolitical landscape, it must ensure that DOD’s human resource management is aligned with the country’s cybersecurity strategy. Currently, the department’s employees are simply ill-equipped to successfully thwart cybersecurity threats.
In the discussion above, the initiative that the DOD has developed as it strives to identify vulnerabilities has been explored. As a result of this initiative, the department has moved closer to eliminating the vulnerabilities. However, it should be noted that as is the case with other government departments, the DOD is rather slow in resolving vulnerabilities once they have been identified. Susan Miller (2018) penned an article in which she condemns the DOD and other agencies for failing to fix vulnerabilities in good time. According to Miller, it takes as many as 68 days for government agencies to address vulnerabilities after they have been detected (Miller, 2018). During the period between detection and elimination of the vulnerabilities, there is a large window that adversaries can leverage to carry out attacks. The DOD’s failure to fix vulnerabilities in a timely fashion raises questions about the purpose of the bug bounty initiatives. These initiatives do not yield any meaningful results if the department fails to take action in good time.
It is only fair to acknowledge the measures that the DOD has implemented as part of its cybersecurity strategy. Among other measures, the DOD has secured its engineering information and business systems (“Cybersecurity for Advanced”, n.d). While it has adopted strategies to ensure that American security is not compromised, the DOD has also failed to address the vulnerabilities in other aspects of cybersecurity. For instance, the DOD has not adequately fixed the vulnerabilities in the defense of its technical data and control systems (“Cybersecurity for Advanced”, n.d). Essentially, the DOD’s cybersecurity approach is riddled with blind spots which hamper the department’s cybersecurity strategies. This department needs to re-examine its approach. It should ensure that its strategy is broad and includes as many threats as possible.
Risk Profile
The discussion above has identified the different vulnerabilities that define the DOD’s cybersecurity system. What is clear from the discussion is that the system is riddled with serious flaws that underscore the lack of commitment from the department’s leadership. If the organization’s leaders truly recognized the gravity of the department’s mandate, they would take concrete steps to fix the vulnerabilities. Given the vulnerabilities, the DOD’s risk of suffering an attack is high. One of the main vulnerabilities that have been examined above is the low level of security in the organization’s systems. The lack of robust security protocols has allowed hackers to successfully attack the department using basic tools and methods. Using more complex strategies, state sponsors of attacks can easily exploit the vulnerabilities. There is no question that if things stay as they are, it is only a matter of time before the DOD’s systems become the victim of a devastating attack.
Recommendations
The DOD has developed a strategic framework for enhancing cybersecurity. It is therefore surprising and disappointing that the department has not fully implemented the strategies to address the vulnerabilities identified above. As part of its strategy, the department places focus on the training of its workforce and establishing partnerships with other government agencies (NIST, 2011). The purpose of the partnerships is to enable the agencies to leverage each other’s competencies and resources to promote security. Furthermore, the DOD strives to build coalitions with America’s allies as it seeks to solve the threats that all nations face (NIST, 2011). The first step that the DOD should adopt to boost the security of its systems is fully implementing all the elements of its framework. In particular, the department should dedicate resources and effort to training. As it trains its employees, it will equip them with the technical know-how and perspectives that they need in order to become more vigilant in an age where cyber threats have become a serious challenge.
The cybersecurity strategy that the DOD has created will play an important role in shielding the department. However, this strategy is not sufficient. For total protection, the department needs to combine the strategy with other best practices that have been established to be effective. Creating a culture through which it prioritizes cybersecurity is among the best practices (Forbes Technology Council, 2018). Currently, it appears that the DOD does not prioritize cybersecurity. This state of affairs can be blamed on the lack of the appropriate culture. By establishing a culture through which it challenges its employees, leadership and other stakeholders to take all necessary steps to protect its installations, the DOD will inch closer to perfecting its defenses. As part of the culture, the DOD could require its information technology department to make threat detection a routine component of its operations. Essentially, a culture inspires all stakeholders to join forces so as to create a secure and inviolable cyber environment.
One of the shortcomings that hamper the DOD’s cybersecurity strategy is the department’s failure to embrace constant monitoring. As noted earlier, monitoring is needed for threat and vulnerability detection. It is strongly advised that the DOD should incorporate monitoring into its approaches, mission and strategies. Research has shown that by monitoring their networks and systems, organizations are able to safeguard their critical infrastructure against threats (Chen et al., 2016). It is only proper to acknowledge that the DOD has taken some commendable steps as it aims to monitor its systems. As stated previously, this department hosts events through which members of the public attempt to infiltrate its systems. The organization should build on these initiatives by establishing more formal frameworks and guidelines that govern the threat detection and monitoring process. For example, the DOD could charge some of its employees with the duty of staying alert and reporting any suspicious activity that they observe occurring on the department’s systems. With these measures in place, the organization will be able to detect threats early and take steps to eliminate them before they cause damage.
Outdated technology was identified as among the loopholes that could be used to attack the DOD. To fix this vulnerability, the DOD needs to implement a simple solution: updating its systems. This solution has proven effective in enabling organizations to eliminate risks and stay on the cutting edge of technology (“Top 10 Secure Computing”, n.d). One of the simple steps that the department can adopt involves applying patches and installing the latest software. For example, suppose that at one of its bug bounty events, the department determines that there are bugs in the programs on which its computers run. After conducting a careful analysis of the bug, the DOD needs to promptly install a patch that fixes the bug. Furthermore, the department needs to make software updates an essential component of its strategy. These updates often introduce new features that enable systems to eliminate risks and withstand attacks. For example, the update that the department installs on its computers could fix a serious flaw that is identified through network monitoring. Apart from updating its programs, the DOD also needs to modernize its physical infrastructure. It is one of the government departments that continue to use outdated computers that were developed in the 1970s. In addition to being a national embarrassment, these computers are also a security threat. The department’s leaders need to lobby the government for more funding for the acquisition of more modern computers and other resources that it desperately needs. As it integrates modern equipment and devices into its infrastructure, the DOD will be able to leverage the tremendous advances that continue to be made in cybersecurity.
Effective cybersecurity practices combine robust infrastructure with appropriate employee management. In addition to updating their systems, firms should also ensure that their employees share their commitment to tackling cyber threats. It has been observed that many employees lack the information that they need to fully participate in cybersecurity initiatives (Donovan, n.d). For example, there are some employees who share their login credentials and use network storage devices such as memory sticks, in violation of the best cybersecurity standards. The information that the DOD holds in its systems is highly sensitive and demands the adoption of the strictest security standards. For the department to protect this information, it requires the full commitment of all its employees. The employees need to faithfully implement the department’s cybersecurity policy and understand that they have a personal mandate to protect the nation. It is only when they recognize the gravity of their mandate that DOD’s employees will help the department to develop a fully-integrated cybersecurity framework.
In the discussion above, it has been recommended that the DOD’s employees should lead the charge in the adoption of the best cybersecurity standards. To develop this discussion further, it is helpful to consider some of the specific measures that the employees can incorporate into their routine practices. Avoiding interactions with documents, files and other items from untrusted sources is one of the strategies that yield improved security (“Cybersecurity Best Practices”, n.d). Today, phishing scams through which hackers attempt to obtain information from individuals have become a serious problem. Since DOD’s employees are not adequately prepared to address the challenges that define the cyberspace, there is a real risk that these employees could become victims of the scams. Another best practice that the employees can adopt involves refraining from providing personal information that can be used to access the DOD’s networks. Furthermore, the employees could use multi-factor authentication so as to tighten the department’s security protocols. For example, in addition to providing passwords, the employees could also use fingerprint verification when accessing highly sensitive files. While simple, these strategies will place the department’s employees at the forefront of its war against cyber threats.
All the strategies proposed above hold immense potential and, if implemented successfully, will transform the DOD into a cybersecurity powerhouse. However, for the full implementation of the strategies to occur, effective and capable leadership is required. Among other things, the leaders are needed to solicit funding and create a sense of urgency within the organization. Furthermore, the leaders have the mandate of rallying all the stakeholders to support the implementation of the recommendations. The various loopholes and vulnerabilities at the DOD indicate a lack of effective leadership. If the department’s leaders were indeed serious about cybersecurity, they would have taken more robust steps to eliminate the vulnerabilities. It is essential for the department’s leaders to be more aggressive in their pursuit and implementation of the strategies. More importantly, the leaders need to challenge the employees to acknowledge that the DOD operates in an increasingly dangerous environment and that cybersecurity measures are a necessary tool for success in this environment.
Wisdom dictates that the DOD should implement all the strategies and best practices that have been presented above. However, the implementation of these strategies does not mark the end of the process. It is vital for the department to engage in an evaluation. Through this process, it will be able to establish the impact that the strategies have had on its operations and cybersecurity defenses. For example, as revealed earlier, the bug bounty contests have established that the department’s networks are seriously flawed. After the implementation of the proposed measures, it can be expected that the number of bugs, vulnerabilities and loopholes will reduce. The evaluation process enables the department to confirm that there has indeed been a decline in the vulnerability as a result of the implemented strategies. Additionally, through evaluation, the department will be able to engage in continuous and experiential learning. The adoption of cyber-security approaches is not a one-off incident. Instead, it should be a continuous process where a firm constantly identifies new threats and opportunities for improvement.
Thus far, focus has been given to general and broad strategies that the DOD can implement. One should recognize that the department faces targeted attacks that are launched by specific adversaries. It is therefore important for the department to align its cyber strategies with the specific threats that it faces. Citing a government report, Morgan Chalfant (2018) identified Russia, China and Iran as among the state sponsors of cyber-attacks who pose the most serious threat to US security. In fact, such adversaries as Russia have successfully orchestrated attacks against the country’s cyber infrastructure. For example, there are allegations that Russia has hacked the US electoral systems in an effort to influence the country’s electoral processes. These allegations underscore the grave threat that the US faces. There is a dire need for the DOD to focus its cybersecurity strategy on eliminating the threat that such countries as Russia pose. One of the measures that it could adopt involves monitoring the operations of Russian agencies and organizations. The monitoring process will enable the DOD to stay ahead in the race for dominance in cyberspace.
Conclusion
The U.S. Department of Defense is among the key apparatus that the country relies on for its security. For years, this department has faithfully pursued its mission of keeping the American people secure and protecting America’s interests abroad. Brute force has remained the main tool that the department employs in its quest to eliminate security threats. However, as the security landscape evolves, the department has been forced to rethink its approach. While it continues to rely on the sacrifice and courage of American soldiers, this department has included information technologies in its arsenal. The information technologies have presented a new problem for the department: cyber threats. A risk analysis revealed that there are many loopholes that the DOD has failed to address adequately. These vulnerabilities include failure to fix vulnerabilities immediately after they are detected, outdated technologies and low levels of employee competence and preparedness. Furthermore, the DOD lacks an organization-wide policy and fails to conduct regular and constant threat detection and monitoring. Combined, these vulnerabilities create opportunities for hackers. It is indeed fortunate that the department has not suffered a massive attack yet. In order to rid itself of the various vulnerabilities, the DOD needs to implement a raft of measures. They include employee training, replacing the old technology with modern infrastructure and installing the latest software. A desperate plea is issued to the DOD to implement all of these recommendations fully. The security of the United States hinges on the cybersecurity policies and strategies of the department. Other stakeholders, such as political leaders, should lend support to the department. Funding and pressure on the DOD’s leadership are some of the forms that this support can take.
References
Chalfant, M. (2018). China, Russia, Iran pose grave cyber espionage threat: government report. The Hill. Retrieved November 19, 2018 from https://thehill.com/policy/cybersecurity/399087-china-russia-iran-pose-grave-cyber-espionage-threat-government-report
Chen, Z., Xu, G., Mahalingam, V., Ge, L., Nguyen, J., Yu, W., & Lu, C. (2016). A cloud computing based network monitoring and threat detection system for critical infrastructures. Big Data Research, 3, 10-23.
Cybersecurity best practices. (n.d). State of New Jersey. Retrieved November 19, 2018 from https://www.cyber.nj.gov/general-cybersecurity-best-practices/
Cybersecurity of Air Force weapon systems. (2015). Rand Corporation. Retrieved November 19, 2018 from https://www.rand.org/content/dam/rand/pubs/research_briefs/RB9800/RB9835/RAND_RB9835.pdf
Donovan, F. (n.d). Healthcare workers uninformed about cybersecurity best practices. Health IT Security. Retrieved November 19, 2018 from https://healthitsecurity.com/news/healthcare-workers-uninformed-about-cybersecurity-best-practices
Forbes Technology Council. (2018). 10 tactics for teaching cybersecurity best practices for your whole company. Forbes. Retrieved November 19, 2018 from https://www.forbes.com/sites/forbestechcouncil/2018/09/26/10-tactics-for-teaching-cybersecurity-best-practices-to-your-whole-company/#411069df17fc
Franceschi-Bicchierai, L. (2016). Researcher finds several ‘serious’ vulnerabilities in US military websites. Motherboard. Retrieved November 19, 2018 from https://motherboard.vice.com/en_us/article/ezpnj4/researcher-finds-several-serious-vulnerabilities-in-us-military-websites
Grobler, M., Jansen van Vuuren, J., & Zaaiman, J. (2011). Evaluating cybersecurity awareness in South Africa. 10th European Conference on Information Warfare and Security. http://hdl.handle.net/10204/5108
O’Hanlon, M. E. (2017). Cyber threats and how the United States should prepare. Brookings Institution. Retrieved November 19, 2018 from https://www.brookings.edu/blog/order-from-chaos/2017/06/14/cyber-threats-and-how-the-united-states-should-prepare/
Miller, S. (2018). DOD leads the way in outsourced security. Defense Systems. Retrieved November 19, 2018 from https://defensesystems.com/articles/2018/07/13/government-bug-bounties.aspx
National Institute of Standards and Technology (NIST). (2011). Department of Defense strategy for operating in cyberspace. NIST. Retrieved November 10, 2018 from https://csrc.nist.gov/CSRC/media/Projects/ISPAB/documents/DOD-Strategy-for-Operating-in-Cyberspace.pdf
Nicholas, S., & Chirgwin, R. (2018). Hunt for red bugtober: US military’s weapon systems riddled with security holes- auditors. The Register. Retrieved November 19, 2018 from https://www.theregister.co.uk/2018/10/15/us_military_weapn_system_vulnerabilities/
Szoldra, P. (2016). The Department of Defense wants more people to ‘hack the Pentagon’- and is willing to pay them too. Business Insider. Retrieved November 19, 2018 from https://www.businessinsider.com/department-defense-wants-people-hack-pentagon-2018-10?IR=T
Top 10 secure computing tips. (n.d). University of California Berkeley. Retrieved November 19, 2018 from https://security.berkeley.edu/resources/best-practices-how-to-articles/top-10-secure-computing-tips
Trujillo, M. (2016). Five of the most outdated IT system in the government. The Hill. Retrieved November 19, 2018 from https://thehill.com/policy/technology/281560-five-of-the-most-outdated-it-system-in-the-government
U.S. Government Accountability Office (GAO). (2018). Weapon systems cybersecurity: DOD just beginning to grapple with scale of vulnerabilities. GAO. Retrieved November 19, 2018 from https://www.gao.gov/products/GAO-19-128
Yunfei, L., Yuanbao, C., Xuan, W., & Qi, Z. (2015). A framework of cyber-security protection for warship systems. 2015 Sixth International Conference on Intelligent Systems Design and Engineering Applications (ISDEA). DOI: 10.1109/ISDEA.2015.14