Federal government security audits carried out between fiscal years 2012-2017 have uncovered significant cyber vulnerabilities in the U.S. Department of Defense’s top weapons systems. In fact, just about every new weapons system developed in recent years may include these cyber vulnerabilities, according to a recent audit report from the U.S. Government Accountability Office (GAO). As the GAO audit points out, weak passwords, incomplete software patches and lax security procedures reflect a misguided approach to designing new state-of-the-art weapons systems that does not take into consideration basic cyber security protocols.
Findings of the GAO audit
As part of the GAO audit, “white hat” hackers helped to probe the weapons systems for potential weaknesses. What they found was downright alarming – in many cases, these security researchers could guess passwords in 10 seconds or less, and could immediately begin to gain access to the inner workings of these weapons systems. In some cases, the GAO audit points out, password management was so lax they were able to gain total control of the defense systems, viewing on their computer screens exactly what military personnel in the U.S. Defense Department would be able to see on their own screens.
In the hands of the enemy, of course, these vulnerabilities could become a matter of life and death. In one scenario outlined by the GAO audit, an enemy combatant could take control of a U.S. military drone and use it to carry out attacks on U.S. soldiers. In other cases, they could cause weapons guidance systems to malfunction, internal controls of fighter jets to stop working, or information control systems to transmit the wrong information.
Reasons for the cyber vulnerabilities
The problem, says the GAO audit, is that these cyber vulnerabilities and information security weaknesses stem from the desire to connect modern weapons systems to the Internet. On the surface, of course, connecting all major weapons systems into a coordinated network makes sense – it ensures that tactical commanders have a full view of what is happening on the battlefield and in the skies above them. But, the GAO audit points out, creating a connected system, in which weapons systems can talk to each other, also opens the door for hackers to take advantage of cyber vulnerabilities.
Perhaps most distressingly, the GAO has been warning about these cyber vulnerabilities since the mid-1990s. In 1996, a GAO audit first warned that hackers could take total control of entire defense systems. Then, in 2004, another GAO audit warned that using the Internet as a connectivity tool would create vast new opportunities for hackers. And, of course, for the past decade, the Pentagon has been aware of data breaches by cyber spies in nations like China as part of efforts to steal valuable intellectual property related to new defense projects.
If anything, the new GAO report on cyber vulnerabilities in weapons systems is ratcheting up the warning even more, noting foreign adversaries may move beyond just stealing secret designs from the U.S. Department of Defense, and move into the active sabotage of weapons systems, and the creation of software glitches and web application bugs that only become active when these weapons systems are being used in combat.
For example, the team of “white hat” hackers deployed by the GAO was able to transform command-and-control screens used for weapons systems into a video-game-like experience, in which new flashing messages and pop-up screens would ask users to deposit quarters to continue, much as if they were at the local video arcade. But what if hackers decide to up the ante, and ask operators for ransom amounts in the millions of dollars in order to keep airplanes from dropping out of the sky? Obviously, this poses a very important national security risk.