By Sean Lygaas
In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.
“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.
In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.
The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.
DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of a “poor password management and unencrypted communications,” according to GAO.
The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.
Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.
But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.
“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.
Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.
Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.
“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.
Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.