The U.S. Army continually transforms over time, and the latest iteration is the transformation to support the concept of Multi-Domain Battle. This concept describes how the Army will operate, fight and campaign successfully across space, cyberspace, air, land and maritime domains. While cyberspace is defined as a domain, it is not separate and integrates across all other domains. Maintaining cyber physical systems is critical to succeed across all domains.
Future conflict will likely unfold quickly and immediately prompt U.S. forces to move from current positions to theater. Therefore, readiness is key to success, and maintained equipment is a part of the preparation for these transitions to war fighting. That is a known fact.
Incrementally, over the last decades, cyber physical systems — which include all digital assets, computers and networking equipment — have been added to the inventory without a structured way to ensure the highest level of readiness. We propose that cyber maintenance be embedded in the maintenance cycle like that of any other military hardware. The cyber maintenance routine should go beyond the current practice of checking hardware against a ledger and merely capturing the presence of hardware, such as batteries, cables, switch boxes and antennas. What is important is to verify the actual functionality and the appropriate level of cybersecurity to ensure confidentiality, integrity and availability of these assets.
Tasks performed during cyber maintenance can be exemplified by updating firmware, software and password-maintenance plans; verifying antivirus and malware signatures are up to date; ensuring host-based and network-based firewalls are properly configured; and testing functionality by executing a set of operational tasks.
The Army and the other branches of the Department of Defense have structured maintenance plans that are executed to ensure unit readiness and the functionality of the equipment. The execution of these plans is monitored by commanders and thorough inspections. For example, many units conduct motor pool maintenance once a week where soldiers conduct preventive maintenance checks and services, or PMCS, on their vehicles. As of today, a PMCS for cyber maintenance has not been built into these programs. However, the amount of time to secure our systems is increasing as we add more physical cyber systems to the battlefield.
The war fighter preparing for the future fight must be able to trust the cyber equipment’s readiness, and the absence of ordered cyber maintenance is an ongoing vulnerability. This issue must be addressed immediately since we are in competition in cyberspace. Either consciously or unconsciously, there is an assumption that there will be time to sort this out as a future conflict unfolds. We already know that such an assumption is spurious; there will not be time to address cyber maintenance during conflict, and then, as a result, we enter the conflict with insecure, unpatched and vulnerable equipment.
Our near-peer adversaries are skilled and potentially have the ability to target networked update servers, which would deny us the ability to patch and update in the early stage of a conflict. There could even be false updating sites and patches, exploiting the lack of order in our patch management. We consider it to be a major vulnerability to wait until the last minute to patch and update the cyber equipment. There is a tangible need to address this immediately and integrate cyber maintenance into the command maintenance program.
The cyber maintenance routines are trained and manifested in a cyber-secure culture that is reoccurring, structured and supported from the top down. The alternative is to rely on personal interest. Even if updates are pushed out by security administrators, there is no verification that the updates are done. Once cyber maintenance is built into the Command Maintenance Program, it becomes an integrated part of the maintenance cycle and is assessed through the Command Inspection Program.
Cyber maintenance must be a topic taught at all levels of leadership schools (noncommissioned officer courses, the Captains Career Course, intermediate-level education and senior service colleges) because cybersecurity that doesn’t have leadership buy-in will fail.
Physical cyber systems have been integrated step-wise into traditional systems within Army units over the last few decades, which might be an explanation for why cyber maintenance programs have not been put in place. There has not been an overnight transformation similar to when the Army became motorized. A hundred years ago, when the Army became motorized, it was a concentrated, defining shift that required retraining and the establishment of motor-maintenance procedures. It is time to recognize the increased reliance on computer and digital assets, and integrate cyber maintenance as a part of how we do business. It is long overdue.
Col. Stephen Hamilton is the technical director of the Army Cyber Institute at West Point and an academy professor at the U.S. Military Academy. Jan Kallberg is a research scientist at the Army Cyber Institute at West Point and an assistant professor at the U.S. Military Academy. The views expressed are those of the authors and do not reflect the official policy or position of the Army Cyber Institute at West Point, the U.S. Military Academy or the Defense Department.