President Barack Obama is set to sign a defense bill ordering the Pentagon to probe every major weapon system for hacker entryways. Among many passages dedicated to cybersecurity in the 2016 National Defense Authorization Act is a section on evaluating cyber vulnerabilities in weaponry.
The Defense Department must update lawmakers on progress during quarterly cyber operations briefings, according to the bill, which cleared the Senate on Tuesday. A full assessment of the military’s artillery systems is due by the end of 2019.
An inspection last year of almost the entire Pentagon weapons program revealed "significant vulnerabilities" in cybersecurity throughout in every system, according to Defense's annual operational test and evaluation report released in January. For the most part, the U.S. military never fathomed its weapons would be considered "connected devices" one day, right along with refrigerators, cars and other data-driven machines in the Internet of Things.
Within six months after the bill is enacted, Defense must draw up a list with the names of each system and the project cost of conducting the probe.
The machines will go under the microscope in an order based on “criticality,” as determined by the chairman of the Joint Chiefs of Staff, factoring in “an assessment of employment of forces and threats,” the legislation states.
Exceptions will be made if the Pentagon can certify all known weaknesses have “minimal consequences for the capability of the weapon system” to operate, the measure states.
Lawmakers specified the broad sweep should not duplicate tests for information security weaknesses already underway, such as those conducted by the Navy's Task Force Cyber Awakening and the Air Force's Task Force Cyber Secure, the lawmakers specified.
As weaknesses surface during the course of the investigation, the Pentagon is expected to create strategies for minimizing their risks.
The authorized spending cap on the initiative is $200 million for 2016.
The raft of cyber vulnerabilities pinpointed in 2014 centered on unnecessary network functions; misconfigured, unpatched, or outdated software; and weak passwords, head weapons tester Michael Gilmore said in the January report.
While the military has been working to close holes identified in previous years, new weaknesses were discovered, he added.
Penetration testers were able to find the threats with merely "novice- and intermediate-level" techniques, Gilmore said. No advanced hacking skills were needed to find system vulnerabilities.
Assessments performed on the Littoral Combat Ship 3 uncovered significant vulnerabilities in the vessel's ability "to protect the security of information and prevent malicious intrusion,” he said.
In May, the Navy launched its own analysis of the cyber threats confronting its drones, sensors and missiles, among other arms systems. A key goal of the project will be shrinking the branch’s attack surface, partly by designing security controls before systems are manufactured.