Pentagon chastised for inability to ward off cyber-attacks

WASHINGTON – A new report for the Pentagon concludes that the nation's military is unprepared for a full-scale cyber-conflict with a top-tier adversary and must ramp up its prowess.

The unclassified version of the study by the Defense Science Board also urges the intelligence community to boost its collection on leading nations' cyber-capabilities and to maintain the threat of a nuclear strike as a deterrent to a major cyberattack.

The 138-page report by the civilian and government experts bluntly states that, despite numerous Pentagon actions to parry sophisticated attacks by other countries, efforts are "fragmented" and that the Defense Department "is not prepared to defend against this threat."

The report lays out a scenario in which cyberattacks in conjunction with conventional warfare would damage the ability of U.S. forces to respond, creating confusion on the battlefield and weakening traditional defenses.

In one of the more critical comments, the report notes that Pentagon teams established to test the military's cyberdefense abilities have "relative ease … in disrupting, or completely beating, our forces in exercises using exploits software available on the Internet."

The 33-member task force recommends a strategy combining deterrence, refocused intelligence priorities and a stronger offense and defense. "Defense can take you part of the way, but it needs to be balanced with cyber-offense and conventional capabilities," said Lewis Von Thaer, task force co-chairman and president of General Dynamics Advanced Information Systems.

The Pentagon cannot be confident that its military computer systems are not compromised because some contain components made in countries with high-end cyber-capabilities, the report says. It says only a few countries, including China and Russia, have the skills to create vulnerabilities in protected systems by interfering with components.

The task force concluded that protecting every military system from cyberthreats is not feasible. Instead, the report recommends isolating critical systems and weapons, and equipping small numbers with advanced defensive measures to ensure they survive an attack.

Some experts tempered such scenarios. "These things are really harder to do than they look," said Martin Libicki, a cyber expert at the RAND Corp. "It's very difficult to get something to malfunction at a time and a place of your own choosing."