"Nearly All" Of The Pentagon's Expensive New Toys Are Embarrassingly Easy To Hack, GAO Audit Finds

The Pentagon's next-gen weapons systems currently under development by the Department of Defense (DoD) are woefully vulnerable to cyberattacks, according to a Tuesday report by the US Government Accountability Office (GAO). 

GAO testers "playing the role of adversary" discovered "mission critical cyber vulnerabilities in nearly all weapon systems that were under development."

"Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," said GAO officials. 

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.

In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating.

Multiple test teams reported that they were able to copy, change, or delete system data, including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

Warnings ignored

Despite years of repeated warnings, cybersecurity surrounding weapons systems has been surprisingly ignored. In 1991, the National Research Council reported "as computer systems become more prevalent, sophisticated, embedded in physical processes, and interconnected, society becomes more vulnerable to poor system design, accidents that disable systems, and attacks on computer systems. Without more responsible design and use, system disruptions will increase, with harmful consequences for society."

The warnings by the GAO began in 1996, when the auditing agency warned that the internet could provide enemies with a cheap and easy method to cause catastrophic damage to connected systems. In 2013, the Defense Science Board warned that "in today's world of hyper-connectivity and automation, any device with electronic processing, storage, or software is a potential attack point and every system is a potential victim - including our own weapons systems." 

Perhaps worst of all, the GAO claims that despite documented instances of "mission-critical cyber vulnerabilities," Pentagon officials who met with the GAO testers brushed off their concerns - insisting that their systems were secure, and "discounted some test results as unrealistic."

The GAO acknowledges that the tests were performed on computerized weapons systems that are still under development - and that hackers are unable to infiltrate current weapons systems in the field. If and when the next-gen weapons are deployed, however, the threat becomes real, according to the GAO.

"It looks grim unless they see this as a wake-up call and they start taking action in a serious manner," said GAO employee and co-author of the report, Cristina Chaplain.

Answering questions in a podcast, Chaplain said that one of the reasons these new computerized weapons systems are so vulnerable to hacks is because, until recently, the DOD didn't prioritize "cyber" as part of the development process, "but it has begun to grasp the magnitude of the problem and taken a way of action."

One way was by instituting better testing procedures, and the second was by setting "cyber" as a focus during the acquisition process of the many components that are part of these new systems.

But despite this, the GAO report warns that if the DOD doesn't act on its own findings to patch the vulnerabilities its employees discover in their own software, then all their internal testing procedures are useless. -ZDNet

The GAO report goes on to call out the DoD for its shoddy response to the vulnerabilities.

For example, one test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error.

"There's also a culture right now at the DOD where we feel like the extent of the problem isn't really appreciated at the program level," Chaplain said. "The DOD has a lot of work ahead of it to overcome some cultural issues."

While the GAO doesn't specify the weapons systems involved out of national security concerns, they did say that the systems are heavily computerized and many of them networked together - making them attractive targets for enemies of the United States after they are deployed in the field. 

"Nearly every conceivable component in DOD is networked," the report reads. "Weapon systems connect to DOD's extensive set of networks--called the DOD Information Network--and sometimes to external networks, such as those of defense contractors. Technology systems, logistics, personnel, and other business-related systems sometimes connect to the same networks as weapon systems. Furthermore, some weapon systems may not connect directly to a network, but connect to other systems, such as electrical systems, that may connect directly to the public Internet."

We wonder how vulnerable China's or Russia's next-gen weapons systems are?