The first step in solving any problem is admitting there is one. But a new report from the US Government Accountability Office finds that the Department of Defense remains in denial about cybersecurity threats to its weapons systems.
Specifically, the report concludes that almost all weapons that the DoD tested between 2012 and 2017 have “mission critical” cyber vulnerabilities. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.
The GAO released its report Tuesday, in response to a request from the Senate Armed Services Committee ahead of a planned $1.66 trillion in spending by the Defense Department to develop its current weapons systems. Subtitled “DoD Just Beginning to Grapple with Scale of Vulnerabilities,” the report finds that the department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” Neither Armed Services Committee chairman James Inhofe nor ranking member Jack Reed responded to requests for comment.
The GAO based its report on penetration tests the DoD itself undertook, as well as interviews with officials at various DoD offices. Its findings should be a wakeup call for the Defense Department, which the GAO describes as only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.
“I will say that the GAO can be prone to cyber hyperbole, but unless their sampling or methodology were way off or deliberately misleading, DoD has a very grave problem on its hands,” says R. David Edelman, who served as special assistant to former President Barack Obama on cybersecurity and tech policy. “In the private sector, this is the sort of report that would put the CEO on death watch.”
DoD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption. As previous hacks of government systems, like the breach at the Office of Personnel Management or the breach of the DoD’s unclassified email server, have taught us, poor basic security hygiene can be the downfall of otherwise complex systems.
The GAO report says that one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open-source software but administrators failed to change the default passwords. Yet another tester managed to partially shut down a weapons system by merely scanning it—a technique so basic, the GAO says, it “requires little knowledge or expertise.”
Testers were sometimes able to take full control of these weapons. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” the report states.
The DoD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.” In other cases, the report states that automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.
Like most unclassified reports about classified subjects, the GAO report is rich in scope but poor in specifics, mentioning various officials and systems without identifying them. The report also cautions that “cybersecurity assessment findings are as of a specific date so vulnerabilities identified during system development may no longer exist when the system is fielded.” Even so, it paints a picture of a Defense Department playing catch-up to the realities of cyberwarfare, even in 2018.
Edelman says the report reminded him of the opening scene of Battlestar Galactica, in which a cybernetic enemy called the Cylons wipes out humanity’s entire fleet of advanced fighter jets by infecting their computers. (The titular ship is spared, thanks to its outdated systems.) “A trillion dollars of hardware is worthless if you can’t get the first shot off,” Edelman says. That kind of asymmetrical cyberattack has long worried cybersecurity experts, and has been an operational doctrine of some of the United States’ biggest adversaries, including, Edelman says, China, Russia, and North Korea. Yet the report underscores a troubling disconnect between how vulnerable DoD weapons systems are, and how secure DoD officials believe them to be.
“In operational testing, DoD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” the report reads. DoD officials noted, for instance, that testers had access that real-world hackers might not. But the GAO also interviewed NSA officials who dismissed those concerns, saying in the report that “adversaries are not subject to the types of limitations imposed on test teams, such as time constraints and limited funding—and this information and access are granted to testers to more closely simulate moderate to advanced threats.”
It’s important to be clear that when the DoD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams. But arguments over what constitutes a realistic testing condition are a staple of the defense community, says Caolionn O’Connell, a military acquisition and technology expert at RAND Corporation, which has contracts with the DoD.
“This is one of those religious discussions about what a realistic condition means,” O’Connell says, speaking broadly, as she hadn’t read the report before WIRED contacted her. Negotiating the terms of testing is often an arduous process between testers and acquisition specialists, she says, because the DoD wants the tests to be hard enough to matter but not so hard that weapons can’t pass. The Department of Defense could not be reached for comment by the time of writing.
However, the vulnerabilities outlined in the GAO report aren’t far-fetched, nor was the DoD’s testing overly intense. Far from it. “Because test teams have a limited amount of time with a system, they look for the easiest or most effective way to gain access, according to DoD officials we met with and test reports we reviewed. They do not identify all of the vulnerabilities that an adversary could exploit,” the report states. In addition, not all weapons have been tested.
“Many program officials we met with indicated that their systems were secure, including some with programs that had not had a cybersecurity assessment,” the report states.
For that reason, the GAO estimates that the vulnerabilities the DoD knows about likely comprise a small proportion of the actual risks in their systems. The tests leave out whole categories of potential problem areas, such as industrial control systems, devices that don’t connect to the internet, and counterfeit parts.
Though the DoD last year received accolades for actively patching bugs found through a new bug-bounty program, the GAO report says that the department’s track record for fixing vulnerabilities identified in-house is nowhere near as good. In fact, the report found that only one out of 20 cyber vulnerabilities that the DoD had been alerted to in previous risk assessments had been fixed during the time period of the new report.
“The key conclusion is that the DoD needs a new weapons security paradigm,” says Edelman. “In a world where our most sophisticated fighter jets are effectively supercomputers with very hot engines, that’s a risk we have to take very seriously.” Over a trillion dollars of advanced military weapon systems is worth nothing if all it takes to compromise them is a default admin password.