Although the report did not identify specific military programs, its authors describe easily exploitable cybersecurity vulnerabilities arising from carelessness or negligence on the part of those using the systems.
“From 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development,” GAO researchers wrote. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
Security testers showed they could covertly take control of an unspecified weapons system, manipulate it and remotely view its operators’ computer screens. In one case, a test team flashed pop-up messages in front of the computer screen used to operate a weapons system, instructing users to insert quarters before continuing. In other cases, testers found they could copy or delete troves of data.
The findings were unsurprising to those who have been following highly public hacks of commercial products. Things as varied as video cameras and pacemakers have been found to be hackable, leading many to assume essentially anything connected to the Internet is at risk.
Still, the ease with which testers were able to access some of the Pentagon’s classified weapons systems raised alarms: In one case, those operating the systems left default passwords in place, making it possible to find them online. One test team was able to guess an administrator’s password in nine seconds.
The GAO warned that the problems described in the report probably represent “a fraction” of the holes in Defense Department networks, which are too extensive to fully evaluate.
As the Pentagon plans to spend about $1.6 trillion developing new systems, as calculated by the GAO, it has jumped at the chance to connect weapons systems. The F-35 Joint Strike Fighter, for example, depends on millions of lines of code to process sensor data and zero in on targets. That connectivity has allowed the Pentagon to achieve military capabilities once thought impossible, but it has also created opportunities for hackers.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report’s authors wrote. “Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning.”
The report is the latest in a long list of such admonishments that date back decades.
The GAO warned in 1996 that hackers had taken control of entire defense systems, and in 2004 it warned that the Pentagon’s focus on connecting systems together through the Internet would create additional opportunities for hackers.
The report released Tuesday drew attention to a newer, more worrying trend. As more physical objects are controlled and operated through the Internet, the possibility that hackers could hurt people or sabotage equipment — as opposed to simply stealing information — may be poised to increase.
In a letter addressed to Senate Armed Services Committee Chairman James M. Inhofe (R-Okla.), GAO researchers said functions such as powering a weapon on or off, maintaining a pilot’s oxygen levels, guiding a missile to its target or simply flying an aircraft may now be vulnerable to manipulation from state-sponsored hackers.
“Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life,” GAO researchers wrote.
So who’s at fault, and what to do next?
The report noted instances in which program officials failed to correct problems that were identified in earlier audits. In one case, only one of 20 cyber-vulnerabilities identified in a previous assessment were found to have been corrected, a problem that officials reportedly attributed to error on the part of contractors.
Frank Kendall, who was a top official at the Defense Department overseeing acquisitions during the period covered by the GAO’s report, said the first step is for military agencies to be better about basic things such as protecting passwords and clicking away from fake emails.
He also suggested a need to “accept human imperfection,” noting such mistakes will always exist in large organizations. He said the Pentagon should consider replacing password log-ins with biometric identifiers, something Apple has pioneered with the iPhone’s fingerprint log-in.
“The threat is pervasive and dynamic — it isn’t going away and will never be fully defeated,” Kendall said recently in an email. “I hope with the improved DOD budget environment that more resources will be allocated to addressing this problem.”
Major defense contractors contacted by The Washington Post said they were aware of the cybersecurity issues raised by the GAO and are working to address them.
Todd Probert, vice president of mission support and modernization at Raytheon, said it shouldn’t come as a shock that a lot of weapons systems are vulnerable to cyberattack. His company is responsible for maintaining the Patriot missile defense system designed to thwart nuclear missile launches, a pre-Internet system that now has to be protected from hackers.
“Whether you’re talking about your phone or a fighter jet, it is simply impossible for any computerized system to be completely immune from cyberthreats,” he said. “Instead, we need to focus on making our systems resilient enough to repel or fight through attacks.”
He said Raytheon holds contracts to update old military aircraft with modern cybersecurity guards, looking to protect not just computer systems but also connected parts such as diagnostic machines, avionics and electronic flight bags — “basically anything connected that could introduce a cyberthreat,” Probert said.
A Lockheed Martin spokeswoman said the company has for years been working to consider cybersecurity in the earliest phases of system design, a key issue highlighted in the GAO report. The company has undertaken “cyber-tabletop” exercises designed to simulate how it would respond to a hack, much like a fire drill for cybersecurity.
A Boeing spokesman declined to comment on the report. Northrop Grumman and General Dynamics did not respond to requests for comment.
The findings come as the Pentagon is weighing whether it needs to look more closely at cybersecurity when it decides which weapons to buy — something that would put protecting classified data on par with minimizing costs and meeting deadlines, requiring a major shift in focus for defense contractors.
The three major industry associations serving defense contractors — the Professional Services Council, the National Defense Industrial Association and the Aerospace Industries Association — are scheduled to meet with Pentagon officials Monday to offer their feedback on the issue.
In a phone interview, NDIA President Hawk Carlisle said cybersecurity should be a primary consideration for those buying or making weapons, but adding new cybersecurity requirements might become too onerous for some.
“I don’t know that it needs to be at the same level as cost, performance and schedule, and I don’t know that it needs to be a primary fourth pillar in every system that you procure,” Carlisle said. “But there are some systems where it needs to be a primary consideration.”