Acquisition System Design Analysis for Improved Cyber Security Performance

Abstract

There is ample evidence that cyber-attacks and cyber warfare are a growing concern for the United States. Our warfighting systems and networks have inherent vulnerabilities and so are targets for cyber adversaries. By nature, cyber warfare is an asynchronous strategy, so the danger posed by a cyber threat is not proportional to the size of the entity initiating the attack. The United States traditional adversaries, state and non-state actors, domestic terrorists, and even individuals can pose an equally dangerous threat. The various types and astonishing number of cyber-attacks on the DoD has focused efforts to limit exposure to cyber-attacks and mitigate unavoidable vulnerabilities. The most effective way to harden systems against potential cyber-attacks is to develop the system with a cyber warfare mindset. To do this, program managers must have an in-depth understanding of their system's cyber vulnerabilities and exercise control over the design and configuration of those vulnerable subsystems. There are several challenges in both understanding and controlling a system's cyber vulnerabilities, including that the Defense Acquisition System (DAS) is designed to cede most of the design decisions to the contractor. All known and potential cyber vulnerabilities need to be treated as system Configuration Item, so that design and configuration is under government control. Fortunately, there are tools, techniques, and analyses that can augment the DAS to gain a better understanding and provide more control over the design and configuration of those subsystems presenting cyber vulnerabilities. This research analyzes the integration of these tools and the expected improvement in cyber performance resulting from the implementation. The tools include the integration of the Maintainability, Upgradeability, Interoperability, Reliability, and Safety/Security (MUIRS) analyses; Software Engineering Institute's Quality Attribute Workshop (QAW); Software Engineering Institute's Architecture Trade-off Analysis Methodologysm; and the Failure Modes and Effects Criticality Analysis (FMECA).