Print Issue: February 2019
The U.S. Department of Defense (DOD) is planning to spend more than $1.5 trillion to develop its portfolio of major weapon systems. Although the investment may result in a state-of-the-art deterrence program in the future, the weapons currently have a glaring vulnerability–they are relatively easy to hack.
Officials from the U.S. Government Accountability Office (GAO), which was asked to review the state of DOD weapon systems cybersecurity, recently ran some tests to see if they could hack any of the Pentagon’s weapons.
They could, without much difficulty.
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the GAO explains in its report, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities.
It’s likely that the testing revealed only a small number of the actual existing weaknesses. “In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats,” the report says.
It’s a disconcerting finding, considering that adversaries of the United States are developing increasingly sophisticated cyberespionage and cyberattack capabilities to target DOD weapons. The GAO found several reasons for these vulnerabilities.
One is that the Pentagon’s weapons systems are increasingly dependent on IT. The amount of software in today’s weapons systems is growing exponentially and is embedded in numerous subsystems. But this dependence on software increases the weapons’ attack surface.
Similarly, DOD weapons systems are more networked and interconnected than ever before, and they are also connected to some external systems, such as GPS. These factors further increase vulnerability.
In addition, DOD has only recently made weapon systems cybersecurity a priority. Instead, for many years, DOD focused its cybersecurity efforts on protecting traditional networks, such as accounting systems. “Until around 2014, there was a general lack of emphasis on cybersecurity throughout the weapon systems acquisition process,” the report says.
This late-to-the-game approach will have long-term consequences, the GAO found. “Numerous officials we met with said that this failure to address weapon systems cybersecurity sooner will have long-lasting effects on the department,” the report explains. “Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”
In the last few years, however, DOD has made progress on some new weapon cybersecurity initiatives and policies. Given this, GAO urged the DOD to press forward with these efforts. “To improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives,” the report says. Finally, GAO pledged to continue to evaluate the issue.