A new report from the U.S. Government Accountability Office brings both good and bad news. For governments around the world that might like to sabotage America’s military technology, the good news is that this would be all too easy to do: Testers at the Department of Defense “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development” over a five-year period, the report said. For Americans, the bad news is that up until very recently, no one seemed to care enough to fix these security holes.
In 1991, the report noted, the U.S. National Research Council warned that “system disruptions will increase” as the use of computers and networks grows and as adversaries attack them. The Pentagon more or less ignored this and at least five subsequent warnings on the subject, according to the GAO, and hasn’t made a serious effort to safeguard the vast patchwork of software that controls planes, ships, missiles, and other advanced ordnance against hackers.
The sweeping report drew on nearly 30 years of published research, including recent assessments of the cybersecurity of specific weapon systems, as well as interviews with personnel from the Department of Defense, the National Security Agency, and weapons-testing bodies. It covered a broad span of American weapons, examining systems at all of the service branches and in space.
The report found that “mission-critical cyber vulnerabilities” cropped up routinely during weapons development and that test teams “easily” took over real systems without detection “using relatively simple tools and techniques,” exploiting “basic issues such as poor password management and unencrypted communications.” Testers could also download and delete data, in one cases exfiltrating 100 gigabytes of material, and could tap into operators’ terminals, in one instance popping up computer dialogs asking the operators “to insert two quarters to continue.” But a malicious attacker could pull off much worse than jokes about quarters, warns the GAO: “In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system.”
Posing as surrogates for, say, Russian or Chinese military hackers, testers sometimes found easy victories. “In some cases,” the GAO found, “simply scanning a system caused parts of the system to shut down,” while one “test team was able to guess an administrator password in nine seconds.” The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems. For example, “multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet.”
“In some cases, simply scanning a system caused parts of the system to shut down.”
Asked how she thought a culture of cyber-insecurity could flourish at an institution as guarded as the military, Cristina Chaplain, a director at the GAO, explained that the problem may be that the armed services overestimated the value of secrecy. “For the past 20 years, their focus has been on [networking] systems together,” at the expense of connecting them securely, because it was simply assumed that “security by obscurity” would be all that was needed — that, say, a classified bomb designed and built in secret is impervious to outside threats by virtue of being kept hidden. The whole culture of military secrecy, the belief that “they’re so standalone and so stovepiped that they’re almost secure just by virtue of that,” as Chaplain put it, is much to blame.
The findings are all the more disturbing given that the GAO said they “likely represent a fraction of total vulnerabilities” due to limitations in how the Defense Department tests for cybersecurity.
Although the GAO analyzed real weapon systems used by the Pentagon, the report is light on specifics for security and classification purposes. It lacks findings about, say, a particular missile or a particular ship, and Chaplain would not comment on whether vulnerabilities were found in nuclear weapon systems, citing classification issues.But the document nonetheless reveals colossal negligence in the broader process of building and buying weapons. For years, the Department of Defense did not prioritize cybersecurity when acquiring weapon systems, even as it sought to further automate such systems, the GAO said. Up until about three years ago, some in the department avoided cybersecurity assessments, saying requirements were not clearly spelled out, asserting that they “did not believe cybersecurity applied to weapon systems,” according to the report, complaining that “cybersecurity tests would interfere with operations,” or rejecting the tests as “unrealistic” because the simulated attackers had an unfair amount of insider information — an objection the NSA itself dismissed as unrealistic.
Even when weapons program officials were aware of problems, the issues were often ignored. In one case, an assessment found 19 of 20 vulnerabilities unearthed in a previous assessment had not been fixed. When asked why, “program officials said they had identified a solution, but for some reason it had not been implemented,” the GAO said. In other cases, weapons operators were so used to a broken product that warnings of a simulated breach didn’t even register. “Warnings were so common that operators were desensitized to them,” the report found.
Today, cybersecurity audits of weapons are of increasing importance to the Pentagon, according to the report. But it’s incredibly hard to fix security holes after the fact. “Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning,” the GAO noted. One weapons program needed months to apply patches that were supposed to be applied within three weeks, the report said, because of all the testing required. Other programs are deployed around the world, further slowing the spread of fixes. “Some weapon systems are operating, possibly for extended periods, with known vulnerabilities,” the report stated.
This, then, is the crisis: The U.S. has created a computerized global military using complex, interconnected, and highly vulnerable tools — “an entire generation of systems that were designed and built without adequately considering cybersecurity,” as the GAO put it. And now it must fix it. This is nothing less than an engineering nightmare — but far preferable to what will happen if one of these software flaws is exploited by someone other than a friendly government tester.