‘Cyber vulnerabilities’ hurt weapons systems
GAO says its findings represent ‘a fraction’ of weaknesses.
Almost all of WASHINGTON — the U.S. military’s newly-developed weapons systems suffer from “mission-critical cyber vulnerabilities,” a review of government security audits conducted from 2012 to 2017 found, suggesting that military agencies have rushed to computerize new weapons systems without prioritizing cybersecurity.
The findings were released Tuesday in a report from the Government Accountability Office. The report drew on years of security audits conducted by skilled “testers,” essentially friendly hackers employed to probe Pentagon networks for holes, replicating the process of a hack in order to find security weaknesses.
While the report did not identify specific military programs, its authors describe easily-exploitable cybersecurity vulnerabilities that often arose from carelessness or negligence by those using the systems.
“From 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development,” GAO researchers wrote. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
The vulnerabilities were in many cases caused by poor attention to basic cybersecurity practices, such as leaving default passwords in place. In one case, a test team was able to guess an administrator’s password in nine seconds, the report states.
The agency warned that the problems described in the report likely represent “a fraction” of the total vulnerabilities affecting Defense Department systems, which are too extensive to evaluate in full.
The report is the latest in a long list of such admonishments that date back decades. The GAO warned in 1996 that hackers had taken control of entire defense systems, and in 2004 warned that the Pentagon’s focus on connecting systems together through the Internet would create new opportunities for hackers.
Still, the report released Tuesday drew attention to a newer trend that has security experts worried. As more physical objects are controlled and operated through the Internet, the possibility that hackers could hurt people or sabotage equipment — as opposed to simply stealing information — may be poised to increase.
As the Pentagon plans to spend some $1.6 trillion developing new systems, as calculated by GAO, it has jumped at the chance to connect weapons systems together. That connectivity has allowed the Pentagon to achieve military capabilities once thought impossible, GAO researchers wrote in Tuesday’s report, but have also left more military systems open to attack.
In a letter addressed to Senate Armed Services Committee Chairman James M. Inhofe, R-Okla., GAO researchers said the Pentagon’s increasing reliance on software to manage certain critical functions like powering a weapon on or off, maintaining a pilot’s oxygen levels, guiding a missile to its target, or simply flying an aircraft are vulnerable to manipulation from state-sponsored hackers.
“Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life,” GAO researchers wrote.
While the report noted that the Pentagon is improving in its adherence to cybersecurity standards, it cited instances where program officials failed to correct vulnerabilities discovered in previous audits.