The new generation of weapon systems developed by the Pentagon is heavily computerized and for this reason more exposed to cyber attacks.
A new 50-page report published by the GAO revealed the presence of several vulnerabilities in the weapon systems that were never fixed.
“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.” reads the report published by the GAO.
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.”
The report was commissioned by the Senate Armed Services Committee, which asked for a review of the way the Pentagon was securing its weapon systems.
GAO experts found several major security issues in the Pentagon arsenal, including easy-to-guess passwords and weapon systems still using factory settings.
In order to identify flaws in weapon systems under development, experts at GAO reviewed cybersecurity assessment reports from selected weapon systems that were tested between 2012 and 2017.
Although the DOD plans to spend about $1.66 trillion to develop its cyber arsenal, its weapon systems continue to lack cyber security.
“In some cases, system operators were unable to effectively respond to the hacks.” continues the report.
“Furthermore, DOD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication.”
The situation is embarrassing if we consider that a persistent attacker like an APT group can employ much more than simple tools over a long period of time.
“Cybersecurity test reports that we reviewed showed that test teams were able to gain unauthorized access and take full or partial control of these weapon systems in a short amount of time using relatively simple tools and techniques.” continues the report.
“We saw widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover.”
In one case the GAO testers were able to guess an administrator password in only 9 seconds.
“Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.” continues the GAO.
“Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.”
Experts also reported that in some cases simply scanning the weapon systems caused their components to shut down.
“For example, one test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected.” continues the report.
GAO reported that the majority of the vulnerabilities identified in the past were often left unresolved. The GAO cites a test report in which only 1 of 20 vulnerabilities that were previously found had been addressed.
The DoD replied that it was aware of the flaws but blamed the contractor for the failure to fix them.
GAO also warns of the loss of key personnel who leave the Government to work in the private sector once they’ve gained cybersecurity experience.
The salary offered by private organizations greatly exceeds DOD’s pay scale.
“To address these challenges and improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD’s weapon systems cybersecurity efforts.” concludes the report.
(Security Affairs – weapon system, hacking)