Overworked trainers and penetration testers can’t properly simulate the worst real-world threats, leaving operators “overconfident.”
A lack of tough cyber operators to play the role of adversary is leaving U.S. cyber defenders unprepared for today’s real-world threats, according to the Pentagon’s Office of the Director of Operational Test & Evaluation.
The service branches have too few red teams, the groups of U.S. troops, employees, and contractors who play the bad guys and test Defense Department networks for cyber vulnerabilities.
“Currently Red Teams lack the time and funding to develop new tools and capabilities. The manning models for the Service Red Teams vary widely and are not uniformly successful,” said the FY 2018 Annual Report, which came out last week. “Reviews of the capabilities of several Red Teams in FY18 showed that the best teams were overscheduled and overwhelmed by workload.”
For example, the Army’s Threat Systems Management Office Red Team worked more than 200 evaluation events last year, leaving them insufficient time “to prepare the array of representative cyber-attacks attributed to the portrayed adversary,” the report said. In other words, the testing wasn’t realistic enough to be useful or to inform network managers how their system would stack up against a real threat.
Bottom line, the Defense Department isn’t testing networks hard enough. The result is what the office describes as “a gap” between Defense Department cyber red team capabilities and “persistent threats,” meaning the toughest cyber threat groups, some backed by China, Russia, and others. “Assessments that do not include a fully representative threat portrayal may leave warfighters and network owners with a false sense of confidence about the magnitude and scope of cyber-attacks facing the Department,” it said.
The report isn’t all bad. For instance, it found that the Army’s red teams met or exceeded “threat-portrayal objectives” in most cases. It also observes that red teams often failed to defeat network defenders, a testament to the military’s improving ability to protect its networks.
“However, more resources are urgently needed in this area,” it says. The testing office is working with the teams to help them staff up and acquire more capabilities.