The Pentagon's multibillion-dollar weapons systems are riddled with cybersecurity vulnerabilities. And yet military leaders ignored the problem for years, turning a blind eye to security weaknesses in newly developed systems that could potentially thwart military missions.
That's the takeaway from a new Government Accountability Office report released Tuesday and sent to the Senate Armed Services Committee.
The watchdog found that the military leaders did not take seriously the findings of Defense Department teams who "routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development" for five years until 2017. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.” But even though some systems were so fragile that merely scanning them caused them to shut down, military officials who met with the watchdog “believed their systems were secure and discounted some test results as unrealistic."
And here's the real zinger: “Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”
Agencies across the federal government have struggled to take even basic steps to safeguard their networks against digital threats — and this report, which is the first by the GAO to examine the cybersecurity of weapons systems, shows the Pentagon is no exception. But the military is facing the additional challenge of securing not just its traditional IT infrastructure but an array of widely varying weapons that are more connected than ever. And the military's inaction -- even when faced with warnings and their own teams of bug-testers -- is already bringing scrutiny from lawmakers who oversee the Pentagon.
“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” Sen. James M. Inhofe (R-Okla.), the Armed Services Committee chairman, told me in an email. “I am pleased that this report helps identify vulnerabilities and supports this year’s [National Defense Authorization Act], which increased investment in cyber infrastructure.”
The report covered aircraft, ships, combat vehicles, satellites and other equipment, but didn’t disclose which specific vulnerabilities or military programs it reviewed because such information is classified. But the GAO said cyberattacks on weapons systems could “limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.” A range of different systems could be at risk, the GAO said — including, for example, software-based tools that regulate pilots' oxygen levels or help intercept incoming missiles. The report noted that some adversaries have “well-funded units” that could target such systems.
“If a DOD network is compromised by a state adversary like Russia or China, our own weapons systems could theoretically be used against us. That’s a scary proposition,” said Jay Kaplan, a former National Security Agency cybersecurity analyst and security researcher for the Pentagon. “It might be a little far-fetched, and would probably require physical access and some very focused expertise. But when you are funded at the nation-state level to do this type of stuff, anything is in the realm of possibility, and that’s what’s most frightening about this report.”
Pentagon testing teams found critical vulnerabilities in “nearly all” weapons systems that were under development or being tested between 2012 and 2017, according to the report. In one case, a test team broke into a weapon system in less than an hour and gained “full control” of it within a day. Another team took control of an operator’s terminals. “They could see, in real-time, what the operators were seeing on their screens and could manipulate the system,” the GAO said. Multiple teams reported being able to manipulate or delete system data, and in one case they downloaded 100 gigabytes of information.
And they didn’t need sophisticated tools to do so, according to the report. Some weapons systems used software with passwords that testers guessed easily. The report also said some systems didn’t encrypt their communications, meaning an attacker could read an administrator’s username and password and use those credentials to gain greater access to the system.
The Pentagon has taken steps to improve weapons system cybersecurity over the past few years, but officials still likely don't know the full extent of the problems because testing has been limited, the GAO said.
It could be especially difficult for the Pentagon to bring its weapons systems up to par because the problems are rooted in the supply chain. Adding safeguards after a system has been deployed is costly and complicated, the GAO noted. And even if the Defense Department makes its new systems more secure, they could still be at risk if they’re connected to older, less-secure systems.
Policymakers could start to tackle these issues by mandating vulnerability assessments early on, Kaplan said. “Until we see not only the manufacturers of these types of systems but the integrators in the military that are responsible for IT infrastructure begin to build security in as part of the development process, we’re going to have a tough time catching up,” he told me. “Doing these things after the fact is a lot harder than baking it in from the beginning.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Keeping up with the news in President Trump’s Washington is exhausting — whether you live here, work in the nation’s capital, or are just watching from afar. That’s why next Tuesday, we’re launching Power Up by Jacqueline Alemany. It's a new newsletter from The Washington Post that will land in your inbox before you reach for that first cup of coffee. It will bring you Washington, fast.
Click here to sign up.
PINGED: The views of Democrats and Republicans about election security have shifted since 2016, according to a survey to be released today. Democrats are now more likely to be concerned that America's “voting system might be vulnerable to hackers” than Republicans, according to a press release announcing the results of the poll. The study was conducted jointly by the University of Chicago Harris School of Public Policy and the Associated Press-NORC Center for Public Affairs Research from Sept. 13 to Sept. 16.
The poll found that 58 percent of Democrats, 39 percent of Republicans and 29 percent of independents are extremely or very concerned about election hacking. By contrast, before the 2016 election, 35 percent of Democrats, 52 percent of Republicans and 33 percent of independents were extremely or very concerned that the U.S. voting system might be vulnerable to hackers. However, the overall proportion of Americans who worry about election hacking — about eight in 10 — is similar to what it was before the 2016 election, according to the poll. The poll released today also found that more “than 40 percent are very concerned about the potential hacking of each of the following: voting registration information, voting equipment, and final election results,” according to the press release.
PATCHED: Romeo Vasile Chita, a Romanian citizen, was extradited to the United States last week and faces accusations that he ran a cybercrime group that stole more than $4 million, according to a press release issued Tuesday by the U.S. attorney's office for the Northern District of Ohio. The indictment alleges that Chita led a cyber fraud ring that operated in the United States, Romania, Canada, China, Jordan and other countries.
“Romeo Vasile Chita allegedly led a multinational criminal enterprise that stole sensitive personal data through deceptive phishing emails and organized fraudulent online auctions, causing millions of dollars in losses to innocent victims,” Brian A. Benczkowski, assistant attorney general for the Justice Department's Criminal Division, said in a statement. “The Criminal Division will continue to work with our law enforcement partners, both domestic and international, to aggressively disrupt and dismantle international cyber criminal organizations that victimize our citizens and businesses.”
The group used phishing emails pretending to originate from organizations such as the Internal Revenue Service and the United States Tax Court to hack into victims' computers and steal personal and financial information, according to the press release. Chita faces charges of racketeering, wire fraud conspiracy, conspiracy to launder money and conspiracy to traffic in counterfeit services. The indictment was unsealed Tuesday in federal court in Cleveland.
PWNED: Sens. Robert Menendez (D-N.J.) and John Neely Kennedy (R-La.) are seeking answers from Facebook after the Wall Street Journal reported this summer that the social network “has asked large U.S. banks to share detailed financial information about their customers” with the goal of providing its users with new services. In a letter dated Oct. 4, Menendez and Kennedy, who both sit on the Senate Banking Committee, asked Facebook chief executive Mark Zuckerberg to provide information about any data-sharing deal that the company may have struck with financial institutions.
“Data privacy and cybersecurity are more important than ever, and we believe that you owe it to the American people to properly secure the data you currently possess, before you obtain data from a third party,” Menendez and Kennedy said in the letter. “Less than a year after Americans learned that Cambridge Analytica gained access to private information on more than 50 million Facebook users, we have concerns that you have not properly secured user data.” Menendez and Kennedy requested a reply to their letter by Oct. 19.
Citing sources familiar with the matter, the Journal's Emily Glazer, Deepa Seetharaman and AnnaMaria Andriotis reported on Aug. 6 that Facebook “over the past year asked JPMorgan Chase & Co., Wells Fargo & Co., Citigroup Inc. and U.S. Bancorp to discuss potential offerings it could host for bank customers on Facebook Messenger.”
— “The only thing stopping the vast majority of government IT specialists from stealing sensitive government data is their moral compass, not security protocols, a recent survey found,” Nextgov's Jack Corrigan reported Tuesday. “More than 80 percent of federal tech workers said it would be ‘easy’ to steal data from their agencies, and 39 percent said they’d potentially make off with sensitive information if they were angry enough at their employer, according to a report published Tuesday by One Identity. Only 16 percent of feds told researchers they wouldn’t be able to get their hands on critical data.”
— More cybersecurity news from the public sector:
— “An independent auditing firm signed off on Google's privacy practices earlier this year after the Internet giant had discovered a software bug that exposed private information on potentially hundreds of thousands of users,” the Hill's Harper Neidig reported Tuesday. “The Hill obtained a redacted copy of the assessment conducted by the accounting firm Ernst and Young through a Freedom of Information Act request. The report concluded that Google had comprehensive privacy protections in place and that it was in compliance with a 2011 privacy settlement with the Federal Trade Commission (FTC).”
— “Global payment companies held their first joint cybersecurity war games to test their systems’ readiness for simultaneous attacks, uncovering differences in their defenses including even how to define a crisis,” Bloomberg News's Yalman Onaran reported Tuesday. “JPMorgan Chase & Co., Mastercard Inc., American Express Co., WorldPay Inc. and Fidelity National Information Services Inc. were among the 18 payment processors from the U.S. and the U.K. that took part in the exercises, which were held Friday at IBM’s test center in Cambridge, Massachusetts.”
— Bloomberg News's Jordan Robertson and Michael Riley reported Tuesday that a “major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.”
A previous report by the two journalists published last week in Bloomberg Businessweek about a Chinese operation to implant malicious chips in Supermicro hardware used by American firms including Amazon.com and Apple has met forceful denials from both companies. Moreover, the Department of Homeland Security said in a statement that it has “no reason to doubt” the denials from Amazon and Apple. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
In the story published Tuesday, Robertson and Riley wrote that a “security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery” after the publication of the Bloomberg Businessweek article. The reporters did not name the telecom company and wrote that Appleboum has a nondisclosure agreement with this company.
— More cybersecurity news about the private sector:
- Senate Homeland Security and Governmental Affairs Committee hearing on “threats to the homeland.”
- Senate Commerce Committee hearing on consumer data privacy.
- The Bipartisan Policy Center hosts a panel discussion titled “Are we ready to run our elections?” tomorrow.
- New York Times reporter David E. Sanger speaks at the Heritage Foundation about his book, titled “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” on Friday.
Florida residents brace for Hurricane Michael:
“I am a voter, are you?”: AMAs get political.
Google's Pixel 3 screens your calls and judges your photos: