The U.S. Department of Defense (DoD) has dragged its feet on protecting its current weapons from cyber attacks, and despite a $1.7 trillion budget is just beginning to prioritize cybersecurity for systems in development, a new federal government report said.
The U.S. Government Accountability Office (GAO), a Congressional watchdog, said in a 50-page report that even when presented with proof of the cyber vulnerabilities in its weapons systems, DoD program officials have often disputed the data.
“Although GAO and others have warned of cyber risks for decades, until recently DoD did not prioritize weapon systems cybersecurity,” the report said. “In operational testing, DoD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”
GAO testers were able to take command of systems and maneuver inside the DoD’s combat systems using “relatively simple tools and techniques,” the report said. Basic issues such as poor password management and unencrypted communications were left unattended. And that was likely only a fraction of what the GAO said its testers could have found. Not all programs have been tested and tests do not reflect the full range of threats, the report said.
Data underlying the audit was drawn from tests conducted on DoD weapons systems from 2012 to 2017. The results aren’t good:
- A two-person test team took just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.
- Multiple test teams reported that they were able to copy, change, or delete system data.
- A test team was able to guess an administrator password in nine seconds.
- Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed.
While program officials have been aware of some of the weapons systems flaws, only one in 20 identified in a previous assessment had been corrected, the report said. At this point, the DoD is still grappling with how best to proceed to secure its weapons systems. Two challenges the DoD must tackle are similar to what besets private industry trying to shore up and maintain network integrity -- hiring and retaining cybersecurity pros and information sharing.
For the DoD, however, there is a wrinkle to both challenges that makes each a bit more pronounced:
- general cybersecurity expertise is not the same as weapons systems cybersecurity expertise, and
- information about vulnerabilities usually carries at least a top secret classification, which makes it difficult for the DoD to share information with cybersecurity personnel across the agency.
Perhaps most alarming is that some program officials don’t seem to know what they don’t know. In other words, many insisted that their systems were secure even without a review or tests. “Systems that have not been tested are not necessarily more or less secure than systems that have been assessed,” the report said. “DoD does not know the extent to which these systems have cyber vulnerabilities.”