Pentagon wraps up new acquisition rules to protect weapons from cyberattacks

WASHINGTON - The US Defence Department is taking aggressive action to bolster the security of US weapons systems against cyberattacks, including issuing new rules for acquisitions that will be finalized in coming months, officials told Reuters.

In addition to the acquisition policy, the department is producing a guidebook to help programme managers assess the cost and risk tradeoffs in structuring new weapons programs and making them more secure, said Assistant Secretary of Defence Katrina McFarland.

Both documents should be completed in the fourth quarter of this fiscal year, which ends Sept. 30, McFarland told Reuters in an interview this week. She said officials were reviewing the documents to avoid inadvertently pointing would-be attackers to possible vulnerabilities.

Chief US arms buyer Frank Kendall said this month cyberattacks on US weapons and manufacturers are a "pervasive" problem that requires greater attention.

In January, the department's chief weapons tester told Congress that nearly every US arms programme showed "significant vulnerabilities" to cyberattacks, including misconfigured, unpatched and outdated software.

Increased focus on cybersecurity could create opportunities for Lockheed Martin Corp, General Dynamics Corp and other suppliers that do cybersecurity work for the Pentagon.

"The threat is very, very serious," Terry Halvorsen, the Pentagon's chief information officer, told Reuters. "We are taking very aggressive action to counter those threats."

Halvorsen cited what he called constant, growing and increasingly sophisticated threats from criminals, extremist groups and foreign governments. He said cyber warfare offered attackers the possibility of doing great harm for little cost.

He said the Pentagon was also evaluating the risk of so-called insiders sabotaging weapons systems and had taken some "preemptive actions" to guard against that.

McFarland said all major US weapons programs had been reviewed for cyber vulnerabilities. New programs like the Air Force long-range bomber - to be awarded this summer - would benefit from getting the best protections from the start.

The new measures follow a change in federal defence acquisition rules announced last November that require Pentagon contractors to incorporate established security standards on the unclassified networks that they use to communicate with suppliers, and to report any cyberattacks that result in the loss of technical data from those networks.

Those standards had already been in place for classified networks.

Halvorsen said some weapons systems and sectors were particularly targeted by hackers, but gave no details.

He and McFarland declined to say if US government networks or those of private companies had suffered any attacks similar to the attack that damaged some 30,000 computers at Saudi Arabia's national oil company in 2012.

Admiral Mike Rogers, director of the National Security Agency and head of US Cyber Command, told lawmakers this week the United States was at a tipping point and needed to step up its offensive cyber capabilities.

McFarland said the guidebook would ensure that programme managers and acquisition officials did a better job sharing data about potential threats to avoid falling prey to the same malicious software twice.