[Voice of the Observer Network]
The U.S. Army’s battlefield communications network is in urgent need of modernization and upgrades, and most of that work is currently being carried out by Silicon Valley companies.
On October 3, local time, Reuters disclosed an internal U.S. Army memo stating that the battlefield communications system, whose development is led by military drone and software manufacturer Anduril with support from data analysis company Palantir as a main partner, has many "basic security" problems and vulnerabilities and should be classified as "extremely high risk".
Anduril recently announced that the prototype of its next-generation Command and Control Communications Platform (NGC2) had been used in battlefield testing just eight weeks after it won the contract. The government contract is worth about $100 million, and partners include Palantir, Microsoft and several smaller contractors.
However, Gabriel Chiulli, the U.S. Army’s chief technical officer in charge of NGC2 prototype licensing, noted in an internal memo written on September 5 that his security assessment of NGC2’s initial products was extremely pessimistic.
The core function of NGC2 is to enable real-time data connectivity between soldiers, sensors, vehicles and commanders, but the memo, which focuses on the system's security, states, “We can’t control who can see what information, can’t control what users are doing, and can’t verify the security of the software itself.”
Chiulli wrote, "Given the current security situation of the platform and the third-party applications it carries, it is highly likely that an enemy will gain continuous and undetectable access to the platform, so the system must be treated as a very high-risk object."
The memo also states that the system allows any authorized user to access all applications and data, regardless of the user’s security clearance level or actual operational needs. The memo therefore emphasizes that “any user has the potential to access and abuse sensitive” confidential information, and that the system has no logging capability to track user behavior.
The memorandum also highlighted other flaws, such as the fact that none of the third-party applications on the system had passed the U.S. Army's security assessment. One of the applications was found to have 25 high-severity code vulnerabilities. Three other applications are under review, each containing more than 200 vulnerabilities that need to be evaluated.
According to US media reports, Chiulli also wrote sternly in the document, "The (U.S.) Army lacks the visibility and control capabilities needed to ensure platform safety and integrity. There seems to be a tendency to rush to introduce functions into the system without actual supervision mechanisms or execution processes, which further exacerbates the risks of the system."
According to Reuters, the memo was first disclosed by the US military news outlet "Breaking Defense", and it immediately renewed criticism that Silicon Valley's concept of "acting quickly and breaking the routine" is not applicable to the development of key military equipment. On Friday, Palantir's shares closed down 7.5%. Anduril is not currently publicly traded.
Anduril responded that the issues raised in the memorandum had been resolved during the "normal development process." "This report reflects the previous situation and not the current actual status of the project," the company said in a statement sent to Reuters.
A spokesman for Palantir said there were “no vulnerabilities found” on the company’s platform.
In an interview with Reuters on Friday, Chiulli's superior, U.S. Army Chief Information Officer Leonel Garciga, explained that many of the issues had been resolved within weeks or days.
“As far as I know, only one application remains partially vulnerable and the team is working to fix it,” he said, adding that it is crucial to communicate honestly with suppliers.
Garciga also revealed that next week, the Palantir federal cloud service on which the NGC2 system relies is expected to be approved by the U.S. Army for a key license called “continuous authority to operate”, which allows software updates to be deployed faster.
Breaking Defense previously reported that NGC2 is a top priority for the modernization of the U.S. Army and is expected to enter full division deployment in 2026. The U.S. 4th Infantry has launched a series of so-called "sprint events" aimed at gradually adding capabilities to the system.
Chiulli’s memo was issued 10 days before the first “sprint event” was held. In it, he said bluntly that the “cumulative effect” of the defects made NGC2 look more like a “black box”, leaving the Army unable to control which users on the network can perform specific operations and what information they can view.
However, U.S. Army officials did not specify how and when the defects mentioned in the memo were fixed. Garciga said only that NGC2 performed well at the event held on September 15.
Jeth Rey, deputy chief of staff in charge of U.S. Army cybersecurity, also defended the program shortly afterward, saying that early detection of defects in the system was part of the force's expected process.
“This is a brand new capacity-building project, and we have identified the risks and immediately taken mitigation measures. This is a positive signal for our future work. If we can continue to work in this way and the existing processes are effective, I am pleased.”