Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says
Not good at all. Connected weapon systems are only as good as their cyber-security defenses.
Related: GAO | Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
10/9/18
Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office.
The flaws are highlighted in a new GAO report, which found the Pentagon is "just beginning to grapple" with the scale of vulnerabilities in its weapons systems. Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using "relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected" because of basic security vulnerabilities.
The GAO says the problems were widespread: "DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development." When weapons program officials were asked about the weaknesses, the GAO says, they "believed their systems were secure and discounted some test results as unrealistic."
The stakes are high. As the GAO notes, "DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems." That outlay also comes as the military has increased its use of computerized systems, automation and connectivity.
In several instances, simply scanning the weapons' computer systems caused parts of them to shut down. "One test had to be stopped due to safety concerns after the test team scanned the system," the GAO says. "This is a basic technique that most attackers would use and requires little knowledge or expertise."
When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.
One issue facing the Pentagon, the GAO says, is the loss of key personnel who are lured by lucrative offers to work in the private sector after they've gained cybersecurity experience. In a recent hearing on the U.S. military's cyber readiness held by the Senate Armed Services Committee, officials acknowledged intense competition for engineers.