- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Erica D. Borghard is a senior director and Task Force One lead on the U.S. Cyberspace Solarium Commission. She is also an assistant professor in the Army Cyber Institute at West Point. The views expressed in this article are personal.
As Congress returns from August recess and prepares to finalize the Fiscal Year 2021 National Defense Authorization Act (NDAA), legislators should address a major cybersecurity and national security priority: ensuring the resilience of essential deterrent and warfighting capabilities to adversary cyber action. U.S. strategy [PDF] documents have emphasized that the United States is in a new strategic environment, one defined by great power, long-term strategic competition in which China [PDF] and Russia are the most consequential challengers. In this context, the United States should not take for granted its ability to maintain strategic deterrence or conventional overmatch. These capabilities are becoming increasingly vulnerable to malicious adversary cyber campaigns. Therefore, Congress should adopt the recommendation of the Cyberspace Solarium Commission to pass legislation requiring the Department of Defense (DOD) to institutionalize a comprehensive cybersecurity vulnerability assessment of nuclear and conventional weapon systems.
In this strategic environment—characterized by complex, interdependent military technologies—cybersecurity and national security are intrinsically linked. The United States’ advanced military capabilities form the bedrock of its strategic advantage. However, they also contain cyber vulnerabilities that adversaries can—and will—exploit for their strategic ends. China has engaged in widespread cyber-enabled intellectual property theft to gain intelligence about U.S. weapon systems, enabling Beijing to replicate U.S. military capabilities or develop offset ones. Adversaries could also develop cyber tools to hold weapon systems at risk or manipulate their intended uses, undermining confidence in their efficacy and reliability. For deterrence to be credible, and to ensure the United States can prevail in crises and conflicts, the United States needs to know that its weapons will work—as intended, when intended.
Recent government reports have uncovered concerning gaps in conventional weapon systems’ cybersecurity. In response to the FY2016 NDAA [PDF], the DOD was supposed to conduct an evaluation of the cybersecurity vulnerabilities of major weapon systems. These requirements were further emphasized in the FY2020 NDAA [PDF]. However, a June 2020 [PDF] Government Accountability Office (GAO) report found significant delays in DOD’s compliance with these congressionally-mandated cybersecurity vulnerability assessments. This echoed a 2018 GAO report [PDF] that found persistent gaps in DOD’s efforts to incorporate cybersecurity into the acquisitions lifecycle. With respect to nuclear capabilities, in the FY2018 NDAA [PDF] Congress mandated the DOD to conduct an annual assessment of the resilience of all segments of the nuclear command and control system.
However, even if the DOD meets these requirements, there are concerns that the United States will remain vulnerable. While cyber threats and vulnerabilities are dynamic, the DOD lacks a permanent process to routinely assess the cybersecurity of conventional weapon systems. Additionally, there is no process to identify systemic vulnerabilities: those that arise from the interaction of different weapons platforms. In terms of nuclear capabilities, current requirements do not address the active identification of cyber vulnerabilities and mitigation requirements for nuclear command and control systems.
Deficiencies such as these motivated Congress to create the Cyberspace Solarium Commission in the FY2019 NDAA [PDF] and charge it with developing a comprehensive strategy and set of policy recommendations to defend the United States in cyberspace. Now that the commission has presented its findings, Congress should consider them.
Specifically, in the upcoming NDAA, Congress should create a requirement for the DOD to annually assess major weapon systems vulnerabilities. In addition, the DOD should specifically report to Congress on the details of current and planned efforts to address cyber vulnerabilities of interdependent and networked weapon systems in broader mission areas, with an intent to provide mission assurance. The process of identifying interdependent vulnerabilities should take a risk-management approach to drive the prioritization of these efforts, given the scope and scale of networked systems. These assessments should aim to improve the overall resilience of weapon systems, identify secondary and tertiary dependencies, and institute a process to rapidly remediate identified vulnerabilities.
Furthermore, in light of the potentially devastating consequences posed by cyber threats to nuclear deterrence, Congress should tighten existing requirement to assess the cyber resilience of nuclear systems. This is particularly urgent given the results of the 2018 Nuclear Posture Review and ensuing nuclear modernization efforts that could create unintended cyber risks. Congress should ensure that the DOD routinely assesses every segment of the nuclear command, control, and communications enterprise for adherence to cybersecurity best practices, vulnerabilities, and evidence of compromise.
Put simply, Congress should create the conditions for the DOD to develop a more complete picture of the scope, scale, and implications of cyber threats and vulnerabilities to critical weapon systems and functions and improve their resilience. This is a fundamental issue that has implications for the success of any broader military strategy. Regardless of political disagreements about how to define grand strategic objectives in the contemporary environment, failure to proactively and systematically address these gaps will have deleterious implications for the United States’ ability to deter war or fight and win if deterrence fails.