Cybersecurity Operational Tests And Assessments – US Defence can’t check F-35 data due to insecure systems

Cybersecurity Operational Tests And Assessments conducted by the US Defence are essential to improve overall security … and discover that US Govt can’t check F-35 data due to insecure systems.

It is difficult to understand the importance of concept like information sharing when dealing with daily work, but officers at the Pentagon are learning at their own expense. The Pentagon is currently unable to check in on key maintenance of the F-35 joint strike fighter (JSF) because the data are stored in an insecure database managed by the Giant Lockheed Martin.

The precious information related to F-35 components and air-frame maintenance data is contained in the database that is non-compliant with August US Cyber Command security requirements, for this reason, the Government personnel cannot access the archive from government networks.

According to the “FY 2015 Annual Report for the Office of the Director, Operational Test & Evaluation,” the Government staff cannot access non-compliance systems via government networks for security reasons.

Michael Gilmore, Defense Department operational test and evaluation chief, also discovered a number of security issues affecting the Defence architectures, including misconfigured and unpatched systems, and poorly authentication process.

This is disconcerting is we consider the effort of the Department of Defense (DOD) in the Cybersecurity Operational Tests And Assessments In FY15.

“DOD cyber teams include organizations that provide OPFOR aggressors (Red Teams) as well as penetration testers and teams that perform other cybersecurity assessments (Blue Teams). DOT&E guidance establishes data and reporting requirements for cyber team involvement in both operational tests of acquisition systems and exercise assessments. The demand on DOD-certified Red Teams, which are the core of the cyber OPFOR teams, has increased significantly in the past 3 years.” states a report on cyber security and operational tests “In the same timeframe, the Cyber Mission Force and private sector have hired away members of Red Teams, resulting in staffing shortfalls at a time when demand is likely to continue to increase. This trend must be reversed if the DOD is to retain the ability to effectively train and assess DOD systems and Service members against realistic cyber threats.”

f2

Despite the Defence is largely investing in operational tests, it often limits the red teams full scope to operate as opposing forces (OPFOR) during training because it fears possible effects.

“DOT&E believes the reluctance by Combatant Commands (CCMDs) and Services to permit realistic cyber effects during major exercises is due to the requirement to achieve numerous other training objectives in those exercises. Additionally, exercise authorities have stated they fear that cyber attacks could distract from—and possibly preclude—achieving these objectives. “

This is a totally wrong approach, threat actors would attack Defense and mission-critical systems by using any method and in any moment, it is important to stress systems in an attempt to find flaws before the intruders.

Gilmore explained that Defence red teams, read OPFOR (opposing forces in war games), are deployed in only the most security-savvy organisations.

“In order to attain a high state of mission readiness, CCMDs (Combatant Commands) and supporting defenders should conduct realistic tests and training that include cyber attacks and effects representative of those that advanced nation states would execute,” Gilmore writes.

Training effort and cyber security assessments are crucial to have an architecture resilient to cyber attacks, the US government is aware of this and has already planned cyber security tests in 2016.

f3

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW