Futurists have long predicted that the opening salvo of the next major war will more likely come in the form of a massive cyberattack than in waves of aircraft. That makes a string of recent government reports detailing America’s vulnerabilities to such attacks that much more disturbing. The first, an October 2018 Government Accountability Office (GAO) report, stated that every software-enabled weapon system that was tested from 2012 to 2017—which encompasses every system built during the last ten years—can be hacked.
Now, a January 2019 Department of Defense (DoD) Inspector General report, summarizing several recent oversight reports, says Department components, including the services, collectively have 266 cyber vulnerabilities, mostly related to their ability to even identify potential threats.
In spite of all of this, many people involved with the acquisitions process think we should increase our dependence on cyber capabilities, with few questioning the wisdom of having every weapon beyond a pistol attached to the Internet.
All Americans should be concerned that we are actually paying extra for weapons that provide the enemy an opportunity to disrupt them.
The GAO examined cybersecurity assessment reports from certain programs tested between 2012 and 2017, and found that programs across every service regularly identified “mission-critical cyber vulnerabilities.” For legitimate national security concerns, the GAO report does not specify the programs under review, but it does say auditors investigated a variety of weapons, including ships and aircraft, as well as communications systems. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.”
This echoes a warning from former Pentagon testing director Dr. J. Michael Gilmore, who wrote in 2014 that “the cyber threat has become as real a threat to U.S. military forces as the missile, artillery, aviation, and electronic warfare threats.”
In spite of the danger posed by hackers, the services have not always been diligent in ensuring the security of their systems—like in 2015, when the F-35 Joint Program Office canceled a cyber test, citing concerns that the test could damage the troubled fighter jet’s computer system, and in so doing actually confirmed the need for such a test in the first place. Attitudes like this appear to be part of the new normal: the evaluators for this report found “program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”
The GAO report represents a significant step forward. It is the office’s first report on weapon systems acquisition security, in contrast to previous reports on information technology systems like computer networks and databases. Here, the aperture widens to include what the DoD refers to as “cyber-physical systems.” These are weapons and vehicles, like missiles and ships, which derive a significant portion of their functionality from embedded software and networked connectivity with other systems. Rather than infiltrating a network and stealing Social Security numbers and performance ratings, as the Chinese government accomplished with the 2015 Office of Personnel Management hack, a cyberattacker could gain full or partial control of one of these physical systems remotely.
Presenting Attack Surfaces
Every time an object touches the network, an opportunity for exploitation is created for a potential adversary. The Pentagon’s current approach of creating an ever-increasing number of networked systems is akin to going to the considerable effort of building a stone castle and then constantly knocking new gates through the outer walls. Some of these vulnerabilities are simple. Many military systems rely on commercial or open-source software. Evaluators found that in numerous instances, engineers failed to reset default passwords when installing software. The evaluators merely had to look up the passwords online to gain administrator privileges, allowing them to seize control of the system.
Hackers have already worked out ways to remotely disrupt networked vehicles. A pair of them demonstrated this in 2015 when they used a Jeep Cherokee’s Uconnect cellular connection to essentially carjack the vehicle with a laptop, while it was being driven. The duo turned up the air conditioning, changed radio stations, and activated the windshield wipers. They proceeded to cut the transmission and disable the vehicle’s brakes. The driver, who had agreed to take part in the hackers’ experiment, helplessly, but harmlessly, rode the Jeep into a ditch. It is easy to imagine what a hacker could do with an aircraft.
The Complexity Vortex
There’s no doubt the Military-Industrial-Congressional Complex has an obsession with whiz-bang gadgetry. Hardly a day passes without someone from the defense “intelligentsia” braying about the need for increased taxpayer investments so the United States can maintain its technological overmatch or create stronger partnerships with Silicon Valley to achieve a third offset strategy. These often sound like weighty concepts, worthy of the taxpayers’ money. In the end, however, they are little more than slick sales pitches.
This is a real concern with a program like the F-35. The Pentagon has hyped it as a “computer that happens to fly.” And contractor Lockheed Martin brags on its website about the 8 million lines of software code embedded within the aircraft that control most of its functions, including flight controls, radar, communications, and weapons deployment. As we have reported, the F-35 was designed to operate as part of a network of aircraft and ground-based systems. Any one of the connections that makes this complex arrangement possible could be the one that enemy cyber-warriors use to infiltrate and disrupt or disable the aircraft expected to be the centerpiece of the U.S. military for decades.
The more troubling thing about the GAO report is not so much what it did report, but what it didn’t. Auditors did not look into “Internet of Things” devices, such as fitness devices, portable electronics, and smartphones. In 2018, the services received an object lesson in some of the dangers these devices pose: the locations of several previously secret overseas military bases were exposed when a global heat map plotted out popular running paths using data uploaded from service members’ fitness trackers.
Most notably, the GAO did not look into the security of contractor facilities, although the authors hinted that future reports would explore this issue. Security of contractor facilities is a vital issue because of the role they play in long-term support of a weapon after the Pentagon buys it.
While many people focus on procurement costs, what really makes the F-35 program the most expensive in history is the money necessary to sustain it. The entire F-35 enterprise relies on the problematic Autonomic Logistics Information System (ALIS), which is owned and operated by Lockheed Martin, accounting for a significant portion of the program’s $1.4 billion annual sustainment costs.
Described as the “IT backbone” of the program, ALIS is the complex computer network that integrates combat mission planning, threat analysis, maintenance diagnosis, the supply chain, maintenance scheduling, and training. The Pentagon’s top testing official, a specialist in software engineering, reported in January 2018 that his office has identified cyber vulnerabilities in the ALIS network that threaten its operation.
This is particularly significant because of the near-universality of contractor support for every vehicle, weapon, and communications gadget moving forward. In order to ensure lucrative sustainment contracts throughout the life of a weapons program, defense contractors seem to refuse to engineer themselves out of their wares. Most now designate the technology in these systems—all of it developed at government expense—as proprietary.
They then negotiate contracts with the government allowing them to retain the intellectual property rights for the weapons purchased by the government. Especially in the case of cyber-physical systems, the Pentagon must work through the contractor for any upgrades to ensure compatibility. (end of excerpt)
The full story, with links, is available on the POGO website.