Almost all of the U.S. military’s newly developed weapons systems suffer from “mission-critical cyber vulnerabilities,” a review of government security audits conducted from 2012 to 2017 found, suggesting military agencies have rushed to computerize new weapons systems without prioritizing cybersecurity.
The findings were released Tuesday in a report from the Government Accountability Office. The report drew on years of security audits conducted by skilled “testers,” essentially friendly hackers employed to probe Pentagon networks for holes, replicating the process of a hack to find security weaknesses.
Although the report did not identify specific military programs, its authors describe easily exploitable cybersecurity vulnerabilities that often arose from carelessness or negligence on the part of those using the systems.
“From 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development,” GAO researchers wrote. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
Among the report’s findings, security testers reported they were able to covertly take control of an unspecified weapons system, view its operators’ computer screens and manipulate the system itself. In one case, a test team flashed pop-up messages in front of the computer screen used to operate a weapons system, instructing users to insert quarters before continuing. In other cases, testers found they could copy or delete troves of data.
The vulnerabilities were in many cases caused by poor attention to basic cybersecurity practices, such as leaving default passwords in place. In one case, a test team was able to guess an administrator’s password in nine seconds, the report states.
The agency warned that the problems described in the report probably represent a “fraction” of the total vulnerabilities affecting Defense Department systems, which are too extensive to evaluate in full.
The report is the latest in a long list of such admonishments that date back decades. The GAO warned in 1996 that hackers had taken control of entire defense systems, and in 2004 it warned that the Pentagon’s focus on connecting systems together through the Internet would create new opportunities for hackers.
Still, the report released Tuesday drew attention to a newer trend that has security experts worried. As more physical objects are controlled and operated through the Internet, the possibility that hackers could hurt people or sabotage equipment — as opposed to simply stealing information — may be poised to increase.
As the Pentagon plans to spend about $1.6 trillion developing new systems, as calculated by the GAO, it has jumped at the chance to connect weapons systems together. That connectivity has allowed the Pentagon to achieve military capabilities once thought impossible, GAO researchers wrote in Tuesday’s report, but has also left more military systems open to attack.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report’s authors wrote. “Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning.”
In a letter addressed to Senate Armed Services Committee Chairman James M. Inhofe (R-Okla.), GAO researchers said the Pentagon’s increasing reliance on software to manage certain critical functions like powering a weapon on or off, maintaining a pilot’s oxygen levels, guiding a missile to its target, or simply flying an aircraft makes it vulnerable to manipulation from state-sponsored hackers.
“Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life,” GAO researchers wrote.
While the report noted that the Pentagon is improving in its adherence to cybersecurity standards, it also noted instances in which program officials failed to correct vulnerabilities identified in previous audits. In one case, only 1 out of 20 cyber-vulnerabilities identified in a previous assessment were found to have been corrected, a problem that officials reportedly attributed to error on the part of contractors.
The report comes as the Pentagon is reevaluating its relationship with defense contractors, considering whether to more closely consider security assessments when it buys major weapons systems.