tv The Communicators Cristina Chaplain GAO report CSPAN December 10, 2018 8:30pm-9:01pm EST
we examine a study that found mission-critical cybervulnerabilities in the us weapon systems then teresa made announces a delay in the house of commons on the racks that vote leon panetta former cia director join former trumper administration national security advisor mcmaster to discuss the role of the us military around the world and global hotspots.
>>host: this week on "the communicators" we want to introduce you to author of the government accountability office report on weapon system cybersecurity, christina chaplain. what is the overarching find in your report dealing with weapons and cybersecurity? >> we look at weapons in the development process and what we found is many are vulnerable to be hacked there very vulnerable to cyberattacks in general as they try to penetrate it was relatively easy to do so. a lot of the time it was physical like password management with patch updating and things like that. it is a grim situation they are taking a lot of action recognizing there is a problem but there is a long road ahead
of them but the cyberhygiene to take it seriously. >>host: the senate armed services committee requested this report. >>host: both senator reid and the chairman of the committee as well? >> mccain was the chairman at the time. >>host: christina chaplain is our guest this week to talk about this report and we are joined our guest reporter. >> thanks for having me i am curious talking about the systems that they are secure but what are we doing to deter adversaries? >> in the meantime there's a lot that could be done to shore up the culture of dod to pay attention to cyberhygiene
these basic things with the controls you already have in place but then they still have the problem on the legacy systems that have other vulnerabilities and with the new system that's coming online that will probably be more secure but then dealing with what you already have that will be a challenge to them. >> you describe a 27 year timeline from cybersecurity became a point of concern from 2014. so i'm curious if you can elaborate on that timeline to talk about the specific challenges that poses with the security of armed forces?
>> there could be issues with the other systems but going through operation testing and they had discovered they could be fixed so as not to say every weapon system is vulnerable we are looking during the acquisition process. but with that timeframe from 1996 that emphasis was on networking working together to eliminate they did pay attention to cyberbut mostly for the business systems and things of that nature not so much the weapon systems they fell outside of the framework. so to have a better situation but you still have the weapon system for a long period of time and working more
connections with the cybernot to be a priority so that could be a whole generation of weapon systems to hold out in this scenario. >>host: christina chaplain walk us through one particular weapon system and what you found? >> we really cannot do that because of the sensitive nature but i can tell you what the test found a. operational testers could be looking at a satellite program or an aircraft program as they come to the end of the development cycle and then in a realistic environment and then to just work on testing the system to found it was relatively easy to get in very quickly to get the password
sometimes it was submitted with the package with the software system and maybe they didn't change it and that actually happened in one case. so it's easily able to gain control but a lot of times that all goes back it is just passwords or maybe patches not implemented quickly. but with that test report most recently to make progress in recent years because there is more done on the acquisition side to make them more protective than they still have this issue so they have a
long way to go. >> do you have a sense how long specifically it will take us to get to the next step in cybersecurity to feel more confident? christina chaplain it depends on the framework they put on this. they could improve their posture within a couple years if they are really making sure they are paying attention to the basic things they need to do. but then to get to that more advanced tear of protection that could take an awful long time. >> can you describe the way of the vulnerabilities through peace time how does this play out if an adversary was interested in exploring our vulnerabilities? >> whether peace or war time you will find ways system can
be penetrated they will look for weaknesses they are only scanning for weaknesses we already know we are in some systems and networks now that are just waiting for the time they will have to do something. with a wartime scenario you may see what you have in your system and get some disruption. there has been a lot of concern just on a portfolio that i review for the programs what would happen in a wartime scenario? you have everything from systems being built actually destroying satellites with cyberwar so there is a big spectrum of things to worry about. but your typical wartime scenario where systems are jammed and electronic warfare
that then you have a whole set of cyberworries and that's what they would have to worry about. >>host: you talked about this to be part of the acquisition process so these are companies that are building these prior to the pentagon receiving them? >> correct. >>host: is that where this bega began? >> we looked at the programs in the context of government management and what is government doing to assure cybersecurity. it is quite a story to be told on the contractor side what steps they are taking to protect their own networks and the programs with cyberitself but general contractors are doing what dod requires of them so the first thing we looked at is the requirements
for cybersecurity and how strong is that? and a long time up until 14 or 15, cyberwas not a high priority requirement. but for government to demand that then it is the responsibility of the contractors to implement the government's demand. >> so with those weapon system can they be patched adequately? >> they are when they are discovered during these tests the only problem is if it is more difficult to do you don't have that opportunity we really need to think of the architecture for cyberin the layers of control. there are
firewalls, protection systems and all kinds of things that need to be in place seamlessly you don't want that happening at the end of acquisition when it is already being manufactured when it is already being manufactured interested in solution sharing crack so a lot of information is important to keep the networks privatize but on the other hand sometimes that means the creators don't necessarily know what form of vulnerabilities they are dealing with. >> we already see that problem with the programs themselves learning about its own system or may not with another system so even with dod there's a lot of problem and information
sharing. some of those are related and is a big challenge. >> and what those vulnerabilities. >> we don't have the exact number across the board to see those vulnerabilities that were previously identified were not always corrected and those when i have seen that happen to that degree. >>host: does the pentagon
appreciate your work? do they have arguments? >> i actually expected pushback but actually they were very appreciative. a lot of people in cybercommunity reached out to us and even to be connected to other players. so i have been very surprised and it tells me they are holding themselves accountable they did not disagree with the findings they know what they have to work on and it seems they are taking this seriously. >>host: so how many people at the pentagon or the branches are working in cybersecurity issues? any idea?
>> i don't know the exact number but the whole test community portion dedicated to cyberevery branch has a cyberteam but it doesn't seem like they have enough qualified people to do this work and they are in need to bring in more people with cyberskills. that is difficult to do for the government and with the private sector companies that is one of the biggest challenges they fac face. >>host: you talk about the red team? >> normally that's someone that could be from army or air force or the broader operational test and evaluation. so you mentioned that
cybercommand is involved. >> in the sense they probably should and then looking to be connected they are also under an incredible set of demands so to put more resources. >>host: so to follow up on these questions, did you make recommendations to the pentagon about cybersecurity? >> we did not in this report. we wrestled with considerably that gal we like to recommend and there is a lot that needs to be done. there was a lot already recommended including the
report where we focused more broadly on cyber. so we have tens of recommendations on that front and the dod ig has had recommendations and now focusing on those areas that were big weaknesses or issues of concern and accountability so we would like to see how this is implemented and then to take other actions with those vulnerabilities and then to see how that is implemented.
>> and with the nature of that work to have the clearance to do what you do? >> right. >> and with the issue along with that exponential system. and with that person out. but then given no security concerns? >> that is a great question over the past decade and then when they met together and there needs to be back up that we should look like how'd you do that? that is something they should be considering.
that is a whole other backup system. and not thinking about and how do you be resilient? they cannot be totally cyberproof but how can you be resilient in a wartime scenario? >> in addition to patching different systems and backups but that whole host that needs to be secured? said with those weapon systems that then there are command and control and industrial control and all those different kind of situations that require cybersecurity. where is that prioritized and where to have that different
system? >> when you are updating patches you have to go where they are connected. but in another area dod is still in the discovery mode is what is going on right now. but then what do we really need to worry about and then prioritize if you need to? >> is the gao online for people to read for themselves? >> yes in the way as an unclassified report.
>>. >> we had a classified briefing for congress but our goal was for the first review. to get the message out to lay the baseline to go and do more detailed work. >>host: you reported it to congress. why? >> because they asked us to do the work. >>host: who is the cybercommand and how does that play a role? >> cybercommand is an agency with the strategic command and also the national security they protect dod's networks
and also other infrastructure. they don't necessarily have direct management their role is to help advise on that issue. >> with that cybersecurity strategy and those adversaries with a special emphasis on china and russia what was specific? >> that would we get to a place to worry about these more advanced threats and for those kinds you may see from russia and china and north korea? and then to disrupt the system
but these people have lots of time to get into the system extremely sophisticated so it is a great worry to get the first level of security. >> you have a sense in terms of cybersecurity compared to other countries? >> i do not know that. >>host: you alluded there could be a problem already baked in that they don't test for that. did you take some samples to say let's test this to see if there is a bug already in the cyber? >> we needed to do the testing actually dod's own operational testers. we did the report but there
was some activity with regard to that. even dod is reigniting their program and having people try to break in from the systems that they have. >>host: explain the pentagon program. >> they go out there to do their best to try to break in to help them learn and in this instance it is run by a small group comprised of those have come in from the outside light google in places like that but bringing their practices to be on par with the commercial side. >>host: actually try to break in? >> yes. >> see you mentioned to interview people can you tell us about that process and also
given this was the first on the weapon system positions what are the next steps? >> this being the first report we talk to all of the major players and all the guidance that was already out there. and with those officials to deal with the cyberprocess and then to look at those test reports we did the testing ourselves that is a misconception we could have but because dod has a pretty robust system for doing that we relied on their report. and as far as the next steps
so now we will drill down on certain areas maybe that's the first area we drill down on with those contractors working with dod to protect their own system of how vulnerabilities are fixed and to try to get percentages. >>host: how did you get your masters and jeweler journalism at columbia to testing weapons systems that the pentagon park. >> that's a good question i was a journalist for a few years but then gao asked me to do their reports so i became interested in working with them then i ended up with my whole career i just gravitated toward that and eventually went online as an evaluator
and ended up directing that team. if you look at the space of missile-defense with nuclear issues and then the cyberissue that was pretty important and with those concerns cropping up on the weapon system but that became important for us to do our own work on that. >>host: so with the last question of the different processes there seems to be a lot of doors into the budget control act. >> one of those illustrations we have upfront with the weapon system because people think of that to be impenetrable but it is all the little places that they connect to other networks even
the internet or a port that could be accessed. think when a ship comes to sure to visit could people come on and plug things in? so there are ways to access of creative. >>host: we have time for one more question. >> specializing in acquisition systems as the us moves forward with usb source how do we think of security? >> with the new space systems what are they looking at in the department of defense that they are creating a space force giving a lot of attention needs to be there. countries not only think about cyberattacks for space but physical attacks look at your whole architecture. do you want these huge systems
that are out there today that are pretty easy targets to shoot down? or the architecture with a lot of little satellites or the commercial sector or the payloads to be in a resilient position? >>host: christina chaplain did this report scare you personally? >> yes it did. as many reports do. but i am confident dod took this seriously and hopefully can turn the culture around to focus. >>host: contracting and national security acquisitions director at the gao, christina chaplain. and also covering cybersecurity and the way house from bloomber bloomberg, the report is
delivered a statement to the house of commons announcing a delay on the chambers vote on the deal for the uk to leave the european union. the prime minister said she would continue working on the deal that would ensure an open border between northern ireland, part of the uk and the republic of ireland. following her statement, she aner