A recent report has revealed that there are many US weapons systems that are susceptible to hackers. This news is disturbing on many levels, including the attitude exhibited by Department of Defense officials. What does the report reveal, and how serious is the threat?

GAO Report

The US Government Accountability Office (GAO) just released a report revealing that almost all weapons tested by the Department of Defense (DoD) between 2012 and 2017 have serious vulnerabilities that leave them very open to cyber attack. These vulnerabilities have been labeled mission critical, which makes this news all the more serious. The report had been requested by the Senate Armed Services Committee in connection with expected DoD spending in excess of $1 trillion to develop weapons systems.

Examples of Weaknesses Detected

The vulnerabilities were discovered by penetration tests performed by employees of the DoD. In one example, a penetration tester was able to partially shut down a weapons system by merely scanning it. In another test, it only took nine seconds for DoD testers to guess the admin level password on a weapons system. Failure to make changes to default passwords connected with open source third-party software installed on systems resulted in several instances of vulnerability.

Those performing these tests were not making any efforts to hide their presence, but the systems they tested had a difficult time detecting their presence. These systems should have been able to detect the presence of intruders and alert those in charge. A few of the automated systems did detect the presence of the penetration testers and alerted those monitoring the systems. However, in an even more disturbing turn, the individuals monitoring the systems didn’t seem to understand what the intrusion alert meant and thus did not take any action.

Failure to Take Basic Cybersecurity Precautions

What makes this report distressing is that many of these potential open doors exist in part because of a failure to follow basic cybersecurity rules. Guidelines such as the use of encryption, robust passwords, and basic employee training are foundational to a security system. Because such guidelines have been neglected, hackers equipped with even simple techniques and tools would be able to not only take control of key systems associated with these weapons but do so almost undetected. What could a skilled hacker with the latest tools accomplish inside such a poorly secured system?

Is There a Valid Reason for the Lack of Concern?

The subtitle of this GAO report was “DoD Just Beginning to Grapple with Scale of Vulnerabilities.” Surprisingly, those in charge of such systems do not seem very concerned about these susceptibilities, perhaps because they feel the GAO is exaggerating the seriousness of the problems discovered. For example, the report does remind readers that some of the findings may no longer be a problem once a system is deployed in the field.

In addition, these officials have indicated that they believe the systems were well secured in the past. The authors of the report, however, strongly imply that there’s a disconnect between what these officials may believe and what the reality is.

Another possible cause of the DoD’s lack of concern is the belief that the types of tests that were run would be practically impossible for any system to pass. The GAO, however, insists that the tests were not extreme and represented realistic threats to these critical systems.

The DoD may also be resting on its laurels: it received praise last year for a bug-bounty program that led to many different bugs being patched. On the other hand, the GAO report points out that only one of 20 vulnerabilities discovered in previous risk assessments had been fixed by the time the report was written.

Implications of the Report

One of the implications of the report is that a number of US weapons systems could be susceptible to a disabling cyber attack. Considering that so many adversaries of the United States have established reputations for extremely talented hackers, this is all the more disconcerting. And hackers are not subject to the same constraints as DoD penetration testers. Malicious actors may well have access to funding and state-of-the-art equipment, and would intentionally keep their activities hidden.

Another implication of the GAO report is that their testing merely revealed the proverbial “tip of the iceberg” when it comes to vulnerabilities that exist in US weapons systems. The penetration tests performed were far from exhaustive. For example, categories that were not tested included potential weaknesses related to counterfeit parts or industrial control systems.

Conclusion

The incidence of cyber attacks is on the rise, and the techniques and tools available to malicious actors are continuously evolving. It makes sense that the security of a nation’s existing weapons systems should be a very high priority. The revelations of the GAO’s report are disturbing, yet there is hope that the DoD will respond to the vulnerabilities discovered.