Lapses in cyber hygiene that could have real-world consequences.
As military and defense industry leaders came together in October for the AUSA Annual Meeting & Expo, they learned about the new and innovative systems available to the nation’s military. Many of these systems will be smart, connected weapons, which give our fighters a greater advantage on the battlefield. But they also pose serious cybersecurity risks that must be addressed.
Indeed, in a report released by the Government Accountability Office nearly two years ago, it was revealed that DOD security researchers gained access to nearly all major weapons systems currently in use and under development. Once, because the system was still using the default password visible through an open-source search. In another instance, researchers were able to disable an entire weapons system without detection, later to learn the system crashed so often on its own that it was difficult for officials to detect a breach. Perhaps most concerning is that one test team found that only one of 20 previously identified vulnerabilities had been fixed.
These are shocking lapses in cyber hygiene that could have real-world consequences. These weaknesses should not be difficult to address; changing the default password, responding to system crashes with urgency and patching known vulnerabilities are common-sense solutions.
The results of the report were alarming and appeared to be an important wakeup call for both the Pentagon and the private sector. DOD officials pledged to push ahead with new and better approaches to cybersecurity and risk management. In a recent survey of senior DOD cyber leaders by Federal News Network, commissioned by Tenable, respondents overwhelmingly signaled that cybersecurity has been and continues to be a priority.
With much of the Pentagon working from home, cybersecurity is perhaps more important than ever and it’s reassuring to hear from leadership that this issue continues to be top of mind. And there has been important progress. For example, the Defense Information Systems Agency’s Assured Compliance Assessment Solution program has been instrumental in helping federal agencies address their cyber vulnerabilities in recent years. Powered by a suite of integrated software, ACAS provides automated network vulnerability scanning, alerting DOD to potential issues as they arise.
And yet today, toward the end of 2020, when Pentagon cyber leaders had expected to have a handle on many of the issues the GAO called out in 2018, we continue to see critical gaps. In a report released this summer, GAO called out the Pentagon’s inconsistent implementation of cybersecurity measures, even as the number of connected weapons continues to rise.
While DOD has made important progress in rethinking its approach to cybersecurity, there is still much to be done. Our modern defense system serves as the backbone of our society. It keeps us safe from bad actors and adversaries and keeps the economy moving every day. Technological advances that make these systems more efficient are not enough. We must also ensure that our cybersecurity approach keeps up with these advancements in every way. The battlespace of the future is digital, and we must be prepared.
Bob Huber is chief security officer for Tenable.