Systems failure: new US weapons are vulnerable to cyberattacks, government watchdog finds
Embarrassing report details how easily test teams guessed passwords, took over weapon systems and downloaded masses of data
The Pentagon’s multibillion-dollar weapon systems are riddled with cybersecurity vulnerabilities. Yet military leaders ignored the problem for years, turning a blind eye to security weaknesses in newly developed systems, weaknesses that could potentially thwart military missions.
That’s the takeaway from a new Government Accountability Office (GAO) report released on Tuesday and sent to the Senate Armed Services Committee.
The watchdog agency found that military leaders did not take seriously the reports by Department of Defence (DOD) teams that “routinely found mission-critical cyber vulnerabilities in nearly all weapons systems that were under development” for five years until 2017.
“Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
Though some systems were so fragile that merely scanning them caused them to shut down, military officials who were interviewed for the report “believed their systems were secure and discounted some test results as unrealistic”.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the GAO warned.
The military’s inaction – even when faced with warnings and its own teams of bug testers – is already bringing scrutiny from lawmakers who oversee the Pentagon.
The GAO report “highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Senator James Inhofe, Armed Services Committee chairman. “I am pleased that this report helps identify vulnerabilities and supports this year’s [National Defence Authorisation Act], which increased investment in cyber infrastructure.”
The report covered aircraft, ships, combat vehicles, satellites and other equipment, but did not disclose which specific vulnerabilities or military programmes it reviewed because that information is classified.
But the GAO said that cyberattacks on weapon systems could “limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life”. A range of different systems could be at risk, the GAO said – including, for example, software-based tools that regulate pilots’ oxygen levels or help intercept incoming missiles. The report noted that some adversaries have “well-funded units” that could target such systems.
“If a DOD network is compromised by a state adversary like Russia or China, our own weapons systems could theoretically be used against us. That’s a scary proposition,” said Jay Kaplan, a former National Security Agency cybersecurity analyst and security researcher for the Pentagon. “It might be a little far-fetched, and would probably require physical access and some very focused expertise. But when you are funded at the nation-state level to do this type of stuff, anything is in the realm of possibility, and that’s what’s most frightening about this report.”
Pentagon testing teams found critical vulnerabilities in “nearly all” weapons systems that were under development or being tested between 2012 and 2017, according to the report. In one case, a test team broke into a weapon system in less than an hour and gained “full control” within a day. Another team took control of an operator’s terminals.
“They could see, in real time, what the operators were seeing on their screens and could manipulate the system,” the GAO said. Multiple teams reported being able to manipulate or delete system data, and in one case downloaded 100 gigabytes of information.
And they did not need sophisticated tools to do so, according to the report. Some weapons systems used software with passwords that testers guessed easily. The report also said some systems did not encrypt their communications, meaning an attacker could read an administrator’s username and password and use those credentials to gain greater access to the system.
The Pentagon has taken steps to improve weapons system cybersecurity over the past few years, but officials still probably do not know the full extent of the problems because testing has been limited, the GAO said.
It could be especially difficult for the Pentagon to bring its weapons systems up to par because the problems are rooted in the supply chain. Adding safeguards after a system has been deployed is costly and complicated, the GAO noted. And even if the Defence Department makes its new systems more secure, they could still be at risk if they’re connected to older, less-secure systems.