This post is also available in: heעברית (Hebrew)

The US Department of Defense warns that cybersecurity tests are not tough enough. A lack of operationally-realistic threat testing and inadequately resourced program offices are the root causes of many cybersecurity problems that put the Defense Department’s critical missions at risk.

These are the conclusions of the latest report from the Pentagon’s test and evaluation body – the Director of Operational Test and Evaluation (DOT&E). According to the report,  the DoD should refocus its cybersecurity efforts on its cyber defender personnel instead of focusing primarily on the technology associated with cyber tools, networks and systems, and train them to face off against more real threats earlier in the process, as reported by dote.osd.mil.

“Cybersecurity must be built into system design, and the human defender should be included early on in cyber defense engineering and programmatic priorities for both system usability and training,” the report notes.

For now, cybersecurity “Red Teams” are stretched too thin and the ones that do test military systems are limited compared to what actual adversaries would do.

According to the report, “the quality of test and evaluation – and ultimately warfighting capability – depends on the quality of the T&E tools, infrastructure, and processes we use. T&E must be able to handle whatever technologies are presented and it must mirror real-world environments and scenarios, to include accurate threat and countermeasure replication, in order to be thorough, operationally representative, and credible.” 

The report adds: “The T&E enterprise is not as prepared as it needs to be for the types of systems currently, or soon to be, in the development pipeline. The majority of the Department’s open-air test and training ranges and laboratories are outdated and must be modernized to capture the complexities and capabilities of today’s and future operational environments.“