Pentagon weapons tester evolving assessment of radio frequency-enabled cyberattacks

The Pentagon’s chief weapons tester is increasing its ability to assess threats from radio frequency-enabled cyberattacks.

An emerging vector, these attacks and operations primarily involve gaining access to targets through the RF spectrum by exploiting wireless or “over-the-air” systems.

While the U.S. military is looking to increase its ability to use these types of operations, adversaries are as well.

The Department of Defense’s “cyber posture remains at risk from attacks by unconventional threats, such as those posed by radio frequency (RF)-enabled cyberattacks where cyber payloads in radio emissions disrupt systems, or direct attacks on weapon systems’ data busses and control systems that are essential to aircraft, ships, and vehicles,” the fiscal 2023 annual report of the Office of the Director, Operational Test and Evaluation, stated. “During FY23, relatively simple RF-enabled cyberattacks caused critical mission disruptions. Future DoD cyber strategies, resource allocation, development, and testing must consider such cyber threats.”

Over the last year, DOT&E’s cyber assessment program, a congressionally mandated effort to assess the cyber survivability of combatant command and service missions in contested environments, has worked with other DOD programs with expertise in this area to improve assessments, according to Jeff Jurgensen, a Pentagon spokesperson.

“As the Department of Defense (DoD) makes progress to improve the cyber survivability of its ground-based networks, radio-frequency (RF) enabled cyber-attacks become more attractive to a potential adversary, despite the added difficulty of such attacks,” he said.

DOT&E’s cyber assessment program (CAP) has built a partnership specifically with the Air Force’s Cyber Resiliency Office for Weapon Systems, or CROWS, working together to show potential mission effects of RF-enabled cyberattacks, Jurgensen said.

They helped develop procedures to mitigate effects in a small number of major Defense Department exercises in fiscal 2023.

“As we look to expand both the capabilities of DoD’s cyber red teams to conduct such attacks, as well as the number of exercises involved, additional personnel with expertise in how DoD combat systems use RF technologies to accomplish critical missions will be critical,” he added. “People that understand vulnerabilities associated with RF technologies, and how those technologies work with DoD’s internet protocol-based systems and networks will also be essential.”

The fiscal 2022 annual report made little mention of this vector. It stated that RF and other unconventional cyber threats pose new and serious challenges, noting that the focus of the Pentagon’s current cyber strategies and defense are primarily aimed at internet protocol-based networks.

DOT&E is trying to expand the focus to pay attention to new vectors.

“In close partnership with the Air Force Cyber Resiliency Office for Weapon Systems (CROWS), CAP is expanding its assessments to include RF-enabled cyberattacks to facilitate an enhanced OPFOR that is not solely focused on traditional cyber and Internet Protocol (IP) networks but includes spectrum and apertures to the spectrum,” the fiscal 2023 report stated. “CAP has taken action on the assertion made in last year’s Annual Report by integrating effects based on potential RF-enabled cyberattacks (cyber payloads contained in radio emissions). These effects include system degradation due to direct attacks on weapon systems’ data buses and other control systems essential to many DoD aircraft, ships, and vehicles.”

The office in fiscal 2023 consolidated two years worth of data that showed potential mission effects for transponder–combat identification systems and developed tools and methods to replicate and insert them into aircraft flying during operational exercises.

“DOT&E is working with operators and solution providers to assess remedial actions and updates to tactics, techniques, and procedures to mitigate risks posed by these threats. Additionally, these results will be included in planning for future [combatant command] and Service exercise assessments,” the report said.