Report: Pentagon Weapons Systems Vulnerable to Cyberattacks
(Source: Voice of America News; issued Oct 09, 2018)
Today's weapon systems are heavily computerized, which opens more attack opportunities for adversaries; these are represented here in a fictitious weapon system for classification reasons. (GAO image)
Defense Department weapons programs are vulnerable to cyberattacks, and the Pentagon has been slow to protect the systems which are increasingly reliant on computer networks and software, a federal report said Tuesday.
The U.S. Government Accountability Office said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are "mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats."
Pentagon officials have acknowledged for years that the department, the military services and defense contractors are under persistent cyber probes and attacks, including from state actors seeking to steal data to gain an economic or technological advantage. The report doesn't name potential attackers, but it noted that some "advanced threat actors" are aware of the vulnerabilities and "have well-funded units that focus on positioning themselves to potentially undermine U.S. capabilities."
U.S. officials have repeatedly accused Russia and China of using cyberattacks to breach government and commercial networks and systems.
The GAO, which is Congress' investigative arm, provides no details about what the specific military systems are or how they are vulnerable, due to their classified nature. The report said that nine major defense acquisition programs from various military services were reviewed.
In one case, it said, "it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing."
In other cases, the report said that testers — using simple tools and techniques — were able to take control of computer terminals and see what the operators were seeing in real time. Another team was able to send a pop-up message to the computer terminals "instructing them to insert two quarters to continue operating." The teams were also able to copy, change and delete data.
Vulnerabilities found within the systems included being able to turn a weapon on or off, affect missile targeting, adjust oxygen levels or manipulate what controllers see on their computer screens.
The report cited problems with poor passwords, insecure lines of communication and the Defense Department's ongoing struggle to get qualified cybersecurity staff.
Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
(Source: Government Accountability Office; issued Oct 09, 2018)
The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. This state is due to the computerized nature of weapon systems; DOD's late start in prioritizing weapon systems cybersecurity; and DOD's nascent understanding of how to develop more secure weapon systems. DOD weapon systems are more software dependent and more networked than ever before (see figure at top).
Automation and connectivity are fundamental enablers of DOD's modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. (Emphasis added—Ed.)
Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected
, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
DOD has recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DOD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities.
However, DOD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities. To address these challenges and improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD's weapon systems cybersecurity efforts.
Why GAO Did This Study
DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Cybersecurity—the process of protecting information and information systems—can reduce the likelihood that attackers are able to access our systems and limit the damage if they do.
GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems' cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems.
To do this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices.
Click here for the full report (50 PDF pages) on the GAO website.