The Pentagon’s chief weapons tester said that the red teams the military uses to find cyber vulnerabilities and to mimic enemy actions “urgently” need more resources, including additional personnel, training and advanced capabilities.
The director of operational test and evaluation, in its annual report released Jan. 31, said that in several instances in the past year, red teams were not available to support assessments of systems. In addition, red teams currently lack time and funding to develop new tools and capabilities, the report notes, and manning models for service red teams vary.
“There remains a gap between DOD cyber red team capabilities and the advanced persistent threat,” the report read. “Assessments that do not include a fully representative threat portrayal may leave warfighters and network owners with a false sense of confidence about the magnitude and scope of cyber-attacks facing the Department.”
Moreover, reviews of red teams in fiscal 2018 showed the best teams were overscheduled and overworked. This is problematic because DOT&E relies on these teams to conduct assessments of cyber vulnerabilities in DoD systems. In October 2018, a report from the Government Accountability Office said testers found “mission critical cyber vulnerabilities in nearly all weapon systems that were under development.”
In addition, DOT&E weapons testers documented “a growing number of instances where the Red Team needed more time to achieve objectives,” the report said. “This was due in part to improved network defenses, but also due to insufficient time to prepare the array of representative cyber-attacks attributed to the portrayed adversary.”
Without having more time, red teams struggle to “probe deeper into networks and system vulnerabilities.”
The report said the Pentagon monitored more than 70 such tests across 38 acquisition programs, including the Command Post Computing Environment, the Family of Beyond Line of Sight Terminals known as FAB-T and the Global Command and Control System. In the document, the weapons testers noted that “at the request of the DOD Chief Information Officer and the Defense Threat Reduction Agency, DOT&E participated in classified cybersecurity assessments to characterize the status and identify options for improving the mission assurance and cyber-related aspects of the Nuclear Command, Control and Communications capability.”
In fiscal 2019, DOT&E says it plans to conduct assessments in which more advanced threat portrayals will be required. However, it notes the ability of red teams to meet these requirements is in question.
The Department of Defense has a year to work on a plan to establish a program that includes commercial companies to improve the security of critical DoD infrastructure.
DOT&E said it observed numerous losses of master-level red team members in fiscal 2018 to commercial jobs, just as demand for them is increasing.
As such, red team capacity and retention options must be increased to meet demands of testing, training and other assessment activities.