New weapons sys­tems eas­ily hacked in test

Pen­tagon gets sober­ing re­view of its cy ber vul­ner­a­bil­i­ties

The Dallas Morning News - - Nation - David E. Sanger and Wil­liam J. Broad, The New York Times

WASHINGTON — Au­tho­rized hack­ers were quickly able to seize con­trol of weapons sys­tems be­ing ac­quired by the U.S. mil­i­tary in a test of the Pen­tagon’s cy ber vul­ner­a­bil­i­ties, ac­cord­ing to a new and blis­ter­ing gov­ern­ment re­view.

The re­port by the Gov­ern­ment Ac­count­abil­ity Of­fice con­cluded that the weapons could be neu­tral­ized within hours and, in many cases, that the mil­i­tary was obliv­i­ous to the hack­ing.

A pub­lic ver­sion of the study deleted all names and de­scrip­tions of the failed sys­tems among $1.6 tril­lion in weapons that the Pen­tagon is ac­quir­ing from de­fense con­trac­tors, so that it could be pub­lished with­out tip­ping off U.S. ad­ver­saries. Congress is re­ceiv­ing the classified ver­sion of the re­port, which spec­i­fies the af­fected sys­tems.

But even the de­clas­si­fied re­view painted a ter­ri­fy­ing pic­ture of the vul­ner­a­bil­ity of a range of emerg­ing weapons, from new gen­er­a­tions of mis­siles and air­craft to pro­to­types of new de­liv­ery sys­tems for nu­clear weapons.

“In one case, the test team took con­trol of the op­er­a­tors’ ter­mi­nals,” the re­port con­cluded. “They could see, in real time, what the op­er­a­tors were see­ing on their screens and could ma­nip­u­late the sys­tem” — a tech­nique rem­i­nis­cent of what Rus­sian hack­ers did to a Ukrainian power grid two years ago.

The GAO, the in­ves­tiga­tive arm of Congress, de­scribed “red team” hack­ers who were pit­ted against cy­berde­fend­ers at the Pen­tagon. The tested weapons were among 86 un­der de­vel­op­ment; many were pen­e­trated ei­ther through easyto­crack pass­words, or be­cause they had few pro­tec­tions against “in­sid­ers” work­ing on el­e­ments of the pro­grams.

Some­times the test­ing team toyed with their Pen­tagon tar­gets. One team “re­ported that they caused a pop­up mes­sage to ap­pear on users’ ter­mi­nals in­struct­ing them to in­sert two quar­ ters to con­tinue op­er­at­ing.”

The sear­ing as­sess­ment comes af­ter years of warn­ings about the vul­ner­a­bil­i­ties of the mil­i­tary sys­tems — some of which the GAO says were ig­nored — and just as Pres­i­dent Don­ald Trump gives U.S. com­man­ders more flex­i­bil­ity to de­ploy cy­ber­weapons with­out first ob­tain­ing pres­i­den­tial ap­proval.

It also sug­gests that the United States is vul­ner­a­ble to cy­ber­at­tacks when it seeks to dis­able en­emy sys­tems.

The New York Times re­ported last year that for­mer Pres­i­dent Barack Obama had or­dered ac­cel­er­ated cy­ber­at­tacks on North Korea’s mis­sile sys­tems start­ing in 2014 — around the time, the re­port said, that the Pen­tagon be­lat­edly be­gan wak­ing up to the holes in its own sys­tems.

In re­cent years, the Pen­tagon has be­gun to in­stall “in­tru­sion alarms” to warn weapons op­er­a­tors of signs of at­tacks. But the GAO sug­gested those alarms were about as ef­fec­tive as car alarms go­ing off on the streets of New York: an event so com­mon that everyone as­sumed it was a false alarm.

The re­port es­ti­mated the en­tire cost of the ac­quired sys­tems at $1.66 tril­lion. They in­clude sub­marines, mis­siles, cargo rock­ets, radars, fighter jets, re­fu­el­ing tankers, air­craft car­ri­ers, de­stroy­ers, satel­lites, he­li­copters and elec­tronic jam­mers.

In in­ter­views, GAO of­fi­cials said the ac­qui­si­tion pro­grams un­der re­view in­cluded two of the three ma­jor classes of nu­clear weapons de­liv­ery sys­tems: the Columbia­class sub­ma­rine and the re­place­ment for the na­tion’s ag­ing Min­ute­man mis­siles, known as the Ground Based Strate­gic Deter­rent.

Not part of the $1.6 tril­lion to­tal was the B­21 bomber, a new gen­er­a­tion of stealth jet that would be able to drop nu­clear weapons.

File Photo/ The Associated Press

In a test of the Pen­tagon’s cy­bervul­ner­a­bil­i­ties, hack­ers toyed with their Pen­tagon tar­gets. One team “re­ported that they caused a pop­up mes­sage to ap­pear on users’ ter­mi­nals in­struct­ing them to in­sert two quar­ters to con­tinue op­er­at­ing.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.