“Shortfalls” in the Department of Defense’s cyber posture can be attributed to the rapid loss of talent to private industry, according to the Pentagon’s chief weapons tester.
The recently released fiscal 2022 annual report of the Office of the Director, Operational Test and Evaluation asserts that “the DOD’s abilities to assess against Red Teams portraying nation state adversaries remain limited due to persistent resource and personnel shortfalls,” adding “[a]nother persistent shortfall in the DOD’s cyber posture is the lack of adequate cyber test capabilities.”
The report notes that advanced adversaries such as Russia and China are devoting significant resources to offensive cyber operations directed at the U.S. — and comparable test capabilities are needed to assess DOD’s ability to withstand those feints.
While the report points to a lack of assessment of cyber tools, it notes there must be top level developmental and operational test capabilities. However, there aren’t enough skilled cyber operators to support such requirements.
The document highlights how the Pentagon is continuing to lose top talent to more lucrative private sector offers. As a result, the department is investing in more automated test capabilities to relieve overtaxed cyber operators and test teams..
A report published by the Government Accountability Office in December also highlighted the challenges DOD faces from the private sector and outlined the services’ attempts to compete with certain incentives and bonuses.
DOT&E noted that additional changes to current Pentagon policy would allow for higher pay, more efficient hiring practices and more flexible work-from-home opportunities for certain personnel such as experienced red team operators.
A ‘fight-through’ objective
DOT&E’s cyber assessment program, a congressionally mandated effort that focuses on emulating realistic nation-state cyber threats during exercises, explained that despite improvements, the department’s cyber defenses continue to fall behind the growing offensive capabilities of adversaries.
The report notes that the most effective way to reduce the risk of cyber defense is to increase emphasis on training in contested environments, especially in major exercises.
“A cyber ‘fight-through objective’ should be established for every major exercise to provide warfighters and cyber defenders the opportunity to experience the full spectrum of cyber threats and effects, and allow them to improve their defenses, detections, and resilience,” DOT&E said.
In fiscal 2022, the Institute for Defense Analyses along with DOT&E’s cyber assessment program piloted a tabletop cyber warfare exercise, which garnered “promising” initial results and will be incorporated in future DOT&E cyber readiness campaigns.
Those readiness events are a series of assessments designed to help combatant commands and the services assess and improve cyber defense.
DOT&E had to scale back much of its work in this sphere last year due to Covid and Russia’s invasion of Ukraine, however, they did include unconventional cyber threats such as combined cyber and electronic warfare attacks as well.
In a sign of progress, the report pointed out that combatant command staffs have hardened headquarters networks. In fact, red teams were unable to penetrate or maneuver when given network access to at least two commands, which were not specifically named in the report.
Network defenses have improved against low- and mid-level cyber threats, the report also noted.