New weapons systems easily hacked in test
Pentagon gets sobering review of its cy ber vulnerabilities
WASHINGTON — Authorized hackers were quickly able to seize control of weapons systems being acquired by the U.S. military in a test of the Pentagon’s cy ber vulnerabilities, according to a new and blistering government review.
The report by the Government Accountability Office concluded that the weapons could be neutralized within hours and, in many cases, that the military was oblivious to the hacking.
A public version of the study deleted all names and descriptions of the failed systems among $1.6 trillion in weapons that the Pentagon is acquiring from defense contractors, so that it could be published without tipping off U.S. adversaries. Congress is receiving the classified version of the report, which specifies the affected systems.
But even the declassified review painted a terrifying picture of the vulnerability of a range of emerging weapons, from new generations of missiles and aircraft to prototypes of new delivery systems for nuclear weapons.
“In one case, the test team took control of the operators’ terminals,” the report concluded. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system” — a technique reminiscent of what Russian hackers did to a Ukrainian power grid two years ago.
The GAO, the investigative arm of Congress, described “red team” hackers who were pitted against cyberdefenders at the Pentagon. The tested weapons were among 86 under development; many were penetrated either through easytocrack passwords, or because they had few protections against “insiders” working on elements of the programs.
Sometimes the testing team toyed with their Pentagon targets. One team “reported that they caused a popup message to appear on users’ terminals instructing them to insert two quar ters to continue operating.”
The searing assessment comes after years of warnings about the vulnerabilities of the military systems — some of which the GAO says were ignored — and just as President Donald Trump gives U.S. commanders more flexibility to deploy cyberweapons without first obtaining presidential approval.
It also suggests that the United States is vulnerable to cyberattacks when it seeks to disable enemy systems.
The New York Times reported last year that former President Barack Obama had ordered accelerated cyberattacks on North Korea’s missile systems starting in 2014 — around the time, the report said, that the Pentagon belatedly began waking up to the holes in its own systems.
In recent years, the Pentagon has begun to install “intrusion alarms” to warn weapons operators of signs of attacks. But the GAO suggested those alarms were about as effective as car alarms going off on the streets of New York: an event so common that everyone assumed it was a false alarm.
The report estimated the entire cost of the acquired systems at $1.66 trillion. They include submarines, missiles, cargo rockets, radars, fighter jets, refueling tankers, aircraft carriers, destroyers, satellites, helicopters and electronic jammers.
In interviews, GAO officials said the acquisition programs under review included two of the three major classes of nuclear weapons delivery systems: the Columbiaclass submarine and the replacement for the nation’s aging Minuteman missiles, known as the Ground Based Strategic Deterrent.
Not part of the $1.6 trillion total was the B21 bomber, a new generation of stealth jet that would be able to drop nuclear weapons.
In a test of the Pentagon’s cybervulnerabilities, hackers toyed with their Pentagon targets. One team “reported that they caused a popup message to appear on users’ terminals instructing them to insert two quarters to continue operating.”