US cyber vulnerability increases as staff lured by private sector

By on 12/02/2019 | Updated on 04/02/2022
Pentagon: cyber defence staff “overwhelmed by workload” (Image courtesy: PBS NewsHour/Flickr).

The US government’s capacity to fend off advanced cyber attacks is coming under pressure as it loses specialised staff to the private sector, a report has warned.

In its 2019 annual report, released this week, the Pentagon’s Office of the Director of Operational Test and Evaluation (DOT&E) said that “red teams” employed to simulate attacks are “overscheduled and overwhelmed by workload”.

Red teams have been commonly employed by the US government after a 2003 Defense Science Review Board carried out in the wake of the September 11 attacks two years earlier.

The Pentagon report said that DOT&E’s ability to carry out assessments of advanced threats in the coming year is at risk, and called for more resources for the teams.

The report said: “As demand for cyber red teams continues to increase, DOT&E observed numerous losses of master-level red tamers in FY18 to commercial jobs that were higher paying or which required less travel.”

Currently red teams lack the time and funding to develop new tools and capabilities, the report continued, and staffing models vary widely “and are not uniformly successful”, it said.
Red team capacity and retention options should be increased to meet the demands of testing, training and other assessment activities, the report recommended.

Department of Defence (DOD) systems remain at risk from hostile cyber operations, the report continued, with training exercises identifying a number of previously undetected vulnerabilities.

DOT&E reported a growing number of instances where red teams employed during its assessments experienced greater difficulty in penetrating the government’s network defences.

“These improvements are both noteworthy and encouraging,” the report said, “but we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries, who continue to find new vulnerabilities and techniques to counter the fixes and countermeasures by DOD defenders.”

The US Army’s Threat Systems Management Office red team met or exceeded objectives in more than 200 exercises it carried out in 2018, the report said.

However, DOT&E said it had noticed a growing number of instances where the office’s red team needed more time to achieve its objectives.

Although partly due to improved network defences, insufficient time to prepare the array of representative cyber-attacks was also a factor, the report concluded.

“There remains a gap between DOD cyber red team capabilities and the advanced persistent threat, and assessments that do not include a fully representative threat portrayal may leave warfighters and network owners with a false sense of confidence about the magnitude and scope of cyber-attacks facing the department.”

DOT&E said that it was working with the DOD red teams to close the gap by helping them recruit extra staff, more advanced capabilities, and training.

However, it warned that more resources were urgently needed in this area.

“Recent advances in cyber technologies indicate that automation – and even artificial intelligence – are beginning to make profound changes to the cyber domain,” the report warned.

About Colin Marrs

Colin is a journalist and editor with long experience in the government and built environment sectors. He cut his teeth in local newspaper journalism before moving to Inside Housing in 1999. He has worked in a variety of roles for built environment titles including Planning, Regeneration & Renewal and Property Week. After a spell at advertising industry bible Campaign magazine, he became a freelancer in 2010. Since then he has edited PublicTechnology.net, local government finance publication Room151.co.uk and contributed news and features to Civil Service World, Architects’ Journal, Social Housing, management titles and written white papers for major corporate and public sector clients.

Leave a Reply

Your email address will not be published. Required fields are marked *