The Pentagon’s next-gen weapons systems currently under development by the Department of Defense (DoD) are woefully vulnerable to cyberattacks, according to a Tuesday report by the US Government Accountability Office (GAO).
GAO testers “playing the role of adversary” discovered “mission critical cyber vulnerabilities in nearly all weapon systems that were under development.”
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” said GAO officials.
In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.
Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.
In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.
Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.
Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.
Despite years of repeated warnings, cybersecurity surrounding weapons systems has been surprisingly ignored. In 1991, the National Research Council reported “as computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor system design, accidents that disable systems, and attacks on computer systems. Without more responsible design and use, system disruptions will increase, with harmful consequences for society.”
The warnings by the GAO began in 1996, when the auditing agency warned that the internet could provide enemies with a cheap and easy method to cause catastrophic damage to connected systems. In 2013, the Defense Science Board warned that “in today’s world of hyper-connectivity and automation, any device with electronic processing, storage, or software is a potential attack point and every system is a potential victim – including our own weapons systems.”
Perhaps worst of all, the GAO claims that despite documented instances of “mission-critical cyber vulnerabilities,” Pentagon officials who met with the GAO testers brushed off their concerns – insisting that their systems were secure, and “discounted some test results as unrealistic.”
The GAO acknowledges that the tests were performed on computerized weapons systems that are still under development – and that hackers are unable to infiltrate current weapons systems in the field. If and when the next-gen weapons are deployed, however, the threat becomes real, according to the GAO.
“It looks grim unless they see this as a wake-up call and they start taking action in a serious manner,” said GAO employee and co-author of the report, Cristina Chaplain.
Answering questions in a podcast, Chaplain said that one of the reasons these new computerized weapons systems are so vulnerable to hacks is that, until recently, the DOD didn’t prioritize “cyber” as part of the development process, “but it has begun to grasp the magnitude of the problem and taken a way of action.”
One way was by instituting better testing procedures, and the second was by setting “cyber” as a focus during the acquisition process of the many components that are part of these new systems.
But despite this, the GAO report warns that if the DOD doesn’t act on its own findings to patch the vulnerabilities its employees discover in their own software, then all their internal testing procedures are useless. –ZDNet