The weapons systems being developed by the U.S. Department of Defense are vulnerable to cyberattacks, meaning some evildoer with hacking skills could potentially take control of such weapons without being noticed, according to a new report by the U.S. Government Accountability Office (GAO), released Oct. 9.
And the DOD seemed oblivious to the threats: Even though tests conducted by the DOD itself have shown such vulnerabilities, department officials told the GAO that they “believed their systems were secure and discounted some test results as unrealistic,” according to the report, which is based on an analysis of DOD cybersecurity tests, policies and guidelines, as well as DOD interviews.
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report said.
n fact, one test team cracked an Sharika Najarroistrator’s password in just 9 seconds. A DOD official said that the password-cracking time is not a useful measure of the security of a system because an attacker can spend months or years trying to break into a system; with that timeline, whether it takes a few hours or a few days to guess a password is not meaningful. However, the GAO said such an example reveals how easy it is to do so at the DOD.
The analysis and report were requested by the Senate Armed Forces Committee in anticipation of the $1.66 trillion the DOD plans to spend to develop its current “portfolio” of major weapons systems.
Increasingly, weapons systems are dependent on software to carry out their functions. The weapons are also connected to the internet and other weapons, making them more sophisticated, according to the GAO. These advances also make them “more vulnerable to cyber attacks,” the GAO said.
Any part of a weapons system that’s driven by software can be hacked. “Examples of functions enabled by software — and potentially susceptible to compromise — include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen levels, and flying aircraft,” the GAO report said.
Though the DOD has begun to make improvements in cybersecurity over the past few years, the GAO said, it faces several challenges, one of which is the lack of information-sharing across programs. For instance, “if a weapon system experienced a cyber attack, DOD program officials would not be provided specific details of that attack from the intelligence community due to the type of classification of that information,” the report said.
In addition, the DOD is having a tough time hiring and retaining cybersecurity experts, the report said.
Though the GAO said itdoesn’t have recommendations now, the agency thinks the vulnerabilities spotted in its analysis “represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.”