Defense officials were often unaware of vulnerabilities and didn’t notice they were being exploited.
Pentagon weapons systems are riddled with cybersecurity vulnerabilities that could allow U.S. adversaries to gain control of them in a short amount of time, according to a Government Accountability Office report released Tuesday.
In one case, a two-person team of ethical hackers gained access to a weapon system in just one hour and had wrested full control of the system within one day, the report found.
In another case, a government hacking team had to stop testing a system out of fear the team would damage it. The hackers were using “a basic technique that most attackers would use and requires little knowledge or expertise,” the report states.
In yet another case, a team of attackers simulated a denial-of-service digital attack by forcing a weapon system to reboot and, therefore, temporarily disabling it. The system owner, however, failed to notice the attack “because unexplained crashes were normal for the system.”
“From 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report found. In many cases, Pentagon officials were unaware of the scope or severity of the vulnerabilities affecting their systems and believed the systems were secure, auditors said.
The GAO report is based primarily on existing cybersecurity evaluations of weapons systems, rather than new reviews. Those evaluations were mostly conducted by the Pentagon’s Operational Testing and Evaluation division.
Throughout the report, GAO does not name specific systems and illustrates vulnerabilities using diagrams of fictional systems.
The overarching problem, auditors said, is that the military spent many years ignoring cybersecurity concerns related to weapons systems and focused instead on other vulnerabilities.
“Due to this lack of focus on weapon systems cybersecurity, DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the auditors found.
Once officials did begin focusing on cybersecurity, they largely tacked cyber protections on at the end of a building cycle. That turned out to be both more expensive and less effective than designing systems with cybersecurity in mind, the report states.
Defense officials also frequently erred by using processes and protocols designed for securing computer networks rather than developing unique processes for weapons systems, the report states.
“Because weapon systems can be very large, complex, systems of systems with many interdependencies, updating one component of a system can impact other components,” the report states.
Those interdependencies make it exceedingly difficult to patch a single component when a new vulnerability is discovered. In one case, program officials told auditors they were supposed to install software patches for publicly disclosed vulnerabilities within 21 days, but it often took months of testing to ensure that each software patch wouldn’t create problems elsewhere in the system.
Weapons systems that are deployed throughout the world also must often return to specific locations to receive patches and updates.
“Although there are valid reasons for delaying or forgoing weapon systems patches,” the report states, “this means some weapon systems are operating, possibly for extended periods, with known vulnerabilities.”