For at least the whole of the current century, militaries have understood the critical role cyberdefense plays in every aspect of operations. Yet most military organizations appear reluctant to train for network defense outside of specialist cyber units.
Unlike with land, sea, air and space, cyberwarfare cannot be conducted only by specialists. Mistakes in configuration or operation of any device connected to a military network could allow an adversary to gain access. The whole force has to be trained in cyberdefense—yet this wider training, for the most part, does not take place. The result is widespread vulnerability in military systems.
In the 2017 edition of his annual report, J. Michael Gilmore, the Pentagon’s then director of operational test and evaluation (&E), painted a bleak picture of the U.S. military’s cyber-readiness. “Red Teams emulating a moderate-level adversary—or below—routinely demonstrate the ability to intrude [ ] networks and operate undetected within [them] for extended periods of time,” he wrote.
These problems derive, in part, from a reluctance to allow a cyberelement to be included in major exercises. “Exercise and network authorities seldom allow fully representative cyberattacks and complete assessments of protection, detection and response capabilities,” the DOT&E noted. This reluctance stems from a fear that a successful cyberattack on the first day will bring a two-week exercise to a halt.
Militaries are beginning to develop ways of integrating cyber into joint exercises, but initial results have succeeded mainly in highlighting the scale of the security-skills problem.
Source: Aviation Week