Federal government security audits carried out between fiscal years 2012-2017 have uncovered significant cyber vulnerabilities in the U.S. Department of Defense’s top weapons systems. In fact, just about every new weapons system developed in recent years may include these cyber vulnerabilities, according to a recent audit report from the U.S. Government Accountability Office (GAO). As the GAO audit points out, weak passwords, incomplete software patches and lax security procedures reflect a misguided approach to designing new state-of-the-art weapons systems that does not take into consideration basic cyber security protocols.
Findings of the GAO audit
As part of the GAO audit, “white hat” hackers helped to probe the weapons systems for potential weaknesses. What they found was downright alarming – in many cases, these security researchers could guess passwords in 10 seconds or less, and could immediately begin to gain access to the inner workings of these weapons systems. In some cases, the GAO audit points out, password management was so lax they were able to gain total control of the defense systems, viewing on their computer screens exactly what military personnel in the U.S. Defense Department would be able to see on their own screens.
In the hands of the enemy, of course, these vulnerabilities could become a matter of life and death. In one scenario outlined by the GAO audit, an enemy combatant could take control of a U.S. military drone and use it to carry out attacks on U.S. soldiers. In other cases, they could cause weapons guidance systems to malfunction, internal controls of fighter jets to stop working, or information control systems to transmit the wrong information.
Reasons for the cyber vulnerabilities
The problem, says the GAO audit, is that these cyber vulnerabilities and information security weaknesses stem from the desire to connect modern weapons systems to the Internet. On the surface, of course, connecting all major weapons systems into a coordinated network makes sense – it ensures that tactical commanders have a full view of what is happening on the battlefield and in the skies above them. But, the GAO audit points out, creating a connected system, in which weapons systems can talk to each other, also opens the door for hackers to take advantage of cyber vulnerabilities.
Perhaps most distressingly, the GAO has been warning about these cyber vulnerabilities since the mid-1990s. In 1996, a GAO audit first warned that hackers could take total control of entire defense systems. Then, in 2004, another GAO audit warned that using the Internet as a connectivity tool would create vast new opportunities for hackers. And, of course, for the past decade, the Pentagon has been aware of data breaches by cyber spies in nations like China as part of efforts to steal valuable intellectual property related to new defense projects.
If anything, the new GAO report on cyber vulnerabilities in weapons systems is ratcheting up the warning even more, noting foreign adversaries may move beyond just stealing secret designs from the U.S. Department of Defense, and move into the active sabotage of weapons systems, and the creation of software glitches and web application bugs that only become active when these weapons systems are being used in combat.
For example, the team of “white hat” hackers deployed by the GAO was able to transform command-and-control screens used for weapons systems into a video-game-like experience, in which new flashing messages and pop-up screens would ask users to deposit quarters to continue, much as if they were at the local video arcade. But what if hackers decide to up the ante, and ask operators for ransom amounts in the millions of dollars in order to keep airplanes from dropping out of the sky? Obviously, this poses a very important national security risk.
But are these unrealistic fears? According to Pravin Kothari, CEO of cloud security vendor CipherCloud, the media might be over-hyping the findings of the GAO report. “Let’s keep this GAO report in perspective. First – many of these weapons systems are absolutely not online to external networks. This is intentional,” says Kothari.
“Second – many of the network protocols used in these specialized weapons systems do not use a standard TCP/IP protocol, but instead may use proprietary, highly specialized network communications protocols and encryption techniques specifically designed for that weapons system program,” Kothari continues. “Third, and the most important to your health – if you do try to get in close proximity to a classified weapons system it won’t be more than a few seconds before a highly motivated marine interrupts your activities.”
Yet, as the GAO audit report makes clear, the Department of Defense suffers from a deep, ingrained lack of appreciation for cyber security. In the report, the GAO refers to these problems as “cultural issues” – the government has known about these issues for nearly 20 years, but has done nothing substantial to address these issues. By one measure, the GAO says that only 1 in 20 prior vulnerabilities have been adequately addressed. Quite simply, the Pentagon (and the federal agencies it works with) has not prioritized cyber security. Weak passwords are the norm, default passwords are never changed, policies and procedures do not get followed, and software patches are not nearly thorough enough.
Implications of these cyber vulnerabilities
The reality is that an entire generation of weapons were built and designed without cyber vulnerabilities in mind. And, as any software developer knows, it’s a lot harder to make any changes or fixes once a system has been deployed. The focus appears to have been on rushing these weapons systems into use, even when officials knew that deeper problems might be lurking. Instead of making cyber security a key feature of the design, testing and prototyping stages, the Department of Defense simply grafted on a few security features at the very end. But as the GAO audit found, it was almost laughably easy to bypass what security measures did exist.
In one exhibit provided by the audit organization, the GAO showed how a modern stealth fighter – the type of aircraft that would almost undoubtedly be used as part of any “hot” war in the world – is exposed to massive cyber vulnerabilities. That’s because every aspect of this state-of-the-art weapon has been computerized: the flight software system, the life support systems for the pilot, the tool to identify friend/foe in the air, the collision avoidance system, the communication systems, the information systems controls, the weapons targeting system, the internal controls systems, and the maintenance systems. As can be seen from just this one example, it’s easy to see how all of these cyber vulnerabilities are “mission-critical.” The failure of just one of these systems could be a matter of life-and-death during combat.
So what can be done at this point? Embarrassed by the GAO audit reports, the Pentagon now says that it will review policies and procedures, assess audit statements, re-think intrusion detection, and take greater steps to build cyber security measures into future defense systems. According to Kothari, the Pentagon is working overtime on this issue: “If there were real actionable deficiencies to classified weapons systems, they’re getting worked on furiously right now. Rest assured, the vulnerabilities would not be detailed as a ‘how to’ manual for hostile nation states in a GAO non-classified report.”
For the United States Department of Defense, the GAO report should come as a loud wakeup call. Top defense leaders need to do more to protect sensitive information, top-secret government programs and state-of-the-art weapons systems from the threat of external cyber attack.