WASHINGTON – Almost all of the U.S. military’s newly developed weapons systems suffer from “mission-critical cybervulnerabilities,” a review of government security audits conducted from 2012 to 2017 found, suggesting that military agencies have rushed to computerize new weapons systems without prioritizing cybersecurity.
The findings were released Tuesday in a report from the Government Accountability Office. The report drew on years of security audits conducted by skilled “testers,” essentially friendly hackers employed to probe Pentagon networks for holes, replicating the process of a hack in order to find security weaknesses.
While the report did not identify specific military programs, its authors describe easily exploitable cybersecurity vulnerabilities that often arose from carelessness or negligence on the part of those using the systems.
“From 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapons systems that were under development,” GAO researchers wrote. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
Among the report’s findings, security testers reported that they were able to covertly take control of an unspecified weapons system, view its operators’ computer screens and manipulate the system itself. In one case a test team flashed pop-up messages in front of the computer screen used to operate a weapons system, instructing users to insert quarters before continuing. In other cases testers found they could copy or delete troves of data.
The vulnerabilities were in many cases caused by poor attention to basic cybersecurity practices, such as leaving default passwords in place. In one case, a test team was able to guess an administrator’s password in nine seconds, the report states.
The agency warned that the problems described in the report likely represent “a fraction” of the total vulnerabilities affecting Defense Department systems, which are too extensive to evaluate in full.
The report is the latest in a long list of such admonishments that date back decades. The GAO warned in 1996 that hackers had taken control of entire defense systems, and in 2004 warned that the Pentagon’s focus on connecting systems together through the internet would create new opportunities for hackers.
Still, the new report drew attention to a more recent trend that has security experts worried. As more physical objects are controlled and operated through the internet, the possibility that hackers could hurt people or sabotage equipment — as opposed to simply stealing information — may be poised to increase.
As the Pentagon plans to spend some $1.6 trillion developing new systems, as calculated by GAO, it has jumped at the chance to connect weapons systems together. That connectivity has allowed the Pentagon to achieve military capabilities once thought impossible, GAO researchers wrote, but it has also left more military systems open to attack.
In a letter addressed to Senate Armed Services Committee Chairman James Inhofe, R-Okla., GAO researchers said the Pentagon’s increasing reliance on software to manage certain critical functions like powering a weapon on or off, maintaining a pilot’s oxygen levels, guiding a missile to its target, or simply flying an aircraft are vulnerable to manipulation from state-sponsored hackers.
“Cyberattacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life,” GAO researchers wrote.
While the report noted that the Pentagon is improving in its adherence to cybersecurity standards, it also noted instances where program officials failed to correct vulnerabilities identified in previous audits. In one case, only 1 out of 20 cyber vulnerabilities identified in a previous assessment were found to have been corrected, a problem that officials reportedly attributed to error on the part of contractors.
The report comes as the Pentagon is re-evaluating its relationship with defense contractors and weighing whether to more closely consider security assessments when it buys major weapons systems.