GAO: DoD has a pervasive weapon systems cybersecurity problem

Weapon systems operated by the U.S. Department of Defense (DoD) are more software-dependent and networked than ever before, which a new General Accounting Office (GAO) report says opens the door to mission-critical cyber vulnerabilities. The DoD intends to spend $1.66 trillion to develop its current portfolio of major weapons systems, so Congress asked the GAO to assess DoD weapon systems security in terms of its current state, vulnerabilities, and steps being taken to develop more cyberresilient weapon systems. To do this evaluation, GAO analyzed weapons systems cybersecurity test reports, policies, and guidance; what they found is disturbing: In recent cybersecurity tests of major weapons systems the DoD is developing, testers playing the role of the adversary were able to take control of systems relatively easily, cause damage quickly, and operate largely undetected.

The DoD’s weapons are more computerized and networked than ever before – with embedded software and IT systems – so it should come as no surprise that there are plenty of attack surfaces for adversaries to exploit. But until relatively recently, weapons cybersecurity wasn’t a priority for the DoD. It’s only during the past few years that the DoD initiated improvements such as updating policies and increasing testing.

Cyberattacks can target any weapon subsystem that is dependent on software, and potentially result in the inability to complete military missions or even loss of life, according to the GAO in its report, Weapon System Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities. “Examples of functions enabled by software – and potentially susceptible to compromise – include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen levels, and flying aircraft. An attacker could potentially manipulate data in these systems, prevent components or systems from operating, or cause them to function in undesirable ways,” the report says.

Automation and connectivity are other key enablers of the DoD’s modern military capabilities that tend to make weapons systems more vulnerable to cyberattacks.

“Weapon systems share many of the same cyber vulnerabilities as other types of automated information systems,” the GAO report says. “Weapon systems are large, complex systems of systems that have a wide variety of shapes and sizes, with varying functionality. Despite obvious differences in form, function, and complexity, weapon systems and other types of systems are similar in some important – if not obvious – ways. For example, DoD reports state that many weapon systems rely on commercial and open source software and are subject to any cyber vulnerabilities that come with them. Weapon systems also rely on firewalls and other common security controls to prevent cyberattacks. Weapon system security controls can also be exploited or bypassed if the system isn’t properly configured. Finally, weapon systems are operated by people – a significant source of cybersecurity vulnerability for any system.”

The GAO discovered that from 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems under development. “Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks. Furthermore, DoD doesn’t know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication,” according to the report.

In one case, the GAO found that it took a two-person test team only an hour to gain initial access to a weapon system and then just a day to gain full control of it.

In another case, the test team was able to take control of operators’ terminals. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on the users’ terminals telling them to insert two quarters to continue operating,” the GAO report says.

By using free, publicly available information or software downloaded from the internet, multiple test teams were able to avoid or defeat weapon system security controls.

The DoD is now working to determine to the best way to address weapon system cybersecurity, since the systems can have extremely different needs. While there are similarities between weapon systems and traditional IT systems, the DoD acknowledges “that it may not be appropriate to apply the same cybersecurity approach to weapon systems as traditional IT systems.” The GAO plans to continue evaluating key aspects of the DoD’s efforts to address this problem.

The GAO report is available online: https://www.gao.gov/assets/700/694913.pdf.