13 May 2021

Missile Defense Agency scrapped cybersecurity tests last year for a new approach, watchdog finds

Mark Pomerleau

WASHINGTON — The Missile Defense Agency canceled all 17 planned cybersecurity operational assessments last year, opting instead for a new approach designed to improve cyber requirements, a new watchdog report says.

The agency responsible for developing and fielding defense systems for ballistic missiles — and recently hypersonic missiles — has failed to complete assessments since 2017 to identify cyber vulnerabilities and possible attack routes, the nonpartisan Government Accountability Office noted.

“The lack of testing during fiscal year 2020 coupled with persistent testing shortcomings over the last 3 years are representative of a broader MDA cybersecurity development issue,” the GAO report said.

Missile defense technologies are vulnerable to cyber and other electronic attacks that can target their software or radars, potentially rendering them ineffective.

MDA told assessors that it scrapped the operational cybersecurity assessments for seven programs because the results weren’t needed given that fiscal 2020 operational capability baseline decisions had been completed. Instead, MDA restructured its cybersecurity test planning to align with its 2019 four-phase cybersecurity test concept, GAO said.

Now, the MDA will plan tests and document results using the same process as flight and ground tests, with internal and external stakeholder input informing test requirements. This will drive cyber test design and execution for each capability increment.

“MDA officials stated that this new approach will improve cyber system requirements while streamlining cyber test planning, resource allocation, and results analysis,” the report said.

The GAO did not make any recommendations in the annual report, though it pointed out that continued cyber vulnerability testing will be critical for the MDA. It is too early to know how effective the new approach will be because it hasn’t been fully implemented, the watchdog said.

The MDA programs with canceled tests last year include Aegis Ballistic Missile Defense; Army Navy/Transportable Radar Surveillance and Control Model 2; Command, Control Battle Management and Communications; Ground-based Midcourse Defense; Long Range Discrimination Radar; Sea-Based X-Band Radar; and the Terminal High Altitude Area Defense.

The cybersecurity assessments that weren’t completed fell into two categories: element-level cooperative assessments, which provide initial information about a system’s resilience in an operational context, and adversarial assessments, which characterize the operational effects caused by potential cyberattacks and test defensive measures. MDA had scheduled 13 cooperative and four adversary assessments for 2020.
