By Wes O’Donnell
Contributor, In Military and InCyberDefense
A new report from the U.S. Government Accountability Office recently found that U.S. weapon systems developed between 2012 and 2017 have “mission critical” cyber vulnerabilities. The GAO released its report last Tuesday after a Senate Armed Services Committee request, which occurred prior to approval of $1.66 trillion in spending by the armed forces to develop current weapon systems.
According to the report, DOD routinely found in operational testing that there were mission-critical cyber vulnerabilities in weapons systems under development. However, program officials that GAO met believed their systems were secure and discounted some test results as unrealistic.
Using relatively simple tools and techniques, testers were able to take control of systems and largely operate them undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, cyber vulnerabilities that DOD is aware of likely represent a fraction of the total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of cyber threats.
Despite GAO Report, DOD Denies Extensive Cyber Vulnerabilities Exist in Its Weapon Systems
In the private sector, a report like the one created by the GAO would put the CEO and other leadership at risk of being fired. But the DOD denies that such cyber vulnerabilities exist to the extent that the GAO stated in its report.
Congress recently directed the DOD to better understand and address cybersecurity. However, significant challenges could limit the effectiveness of these steps.
For instance, there is a severe shortage of trained cybersecurity professionals. Also, there are workforce issues that the DOD must contend with prior to making real strides toward improving security around high-tech weapon systems.
In addition, today’s weapon systems are heavily computerized. That creates more attack opportunities for adversaries (represented below in a fictitious onboard weapon system for classification reasons).
Meanwhile, America’s adversaries are busy developing and perfecting their cyberattack capabilities that target not just DOD systems, but many other aspects of the U.S. infrastructure.
GAO Report Also Finds Fault with Lack of Information Sharing about Cyber Threats
The GAO’s report also found severe inefficiencies in the way information about cyber threats is shared across programs within the Pentagon. For instance, officials on a program with a heavily connected weapon system stated that their system is only as secure as its weakest link, but they do not have information on the vulnerabilities of systems that their weapon connects to because of classification issues.
In addition, if a weapon system experienced a cyberattack, the intelligence community would not provide the DOD program officials with specific details of that attack. Again, this is due to the type of classification of that information.
Classification levels and sharing of information are at the root of the DOD’s failure to acknowledge that it has a problem at all.
What Can Be Done to Improve Weapon Systems Cybersecurity?
Standing from the outside, it seems clear that the DOD could take a number of steps to remedy this situation.
First, the DOD needs an Apollo program to recruit and retain top cybersecurity talent for its workforce. This recruitment could be accomplished through incentives and internships, as well as strategic partnerships with schools and universities.
Next, the DOD needs to address the barriers to information sharing for classified or compartmentalized systems. A new policy could certainly be developed that would improve the flow of information without compromising national security.
Finally, the DOD needs to take cyber threats more seriously than its current programs suggest. For instance, the DOD does not have a permanent process in place to periodically access the cybersecurity of systems already in the field.
Section 1647 of the National Defense Authorization Act for Fiscal Year 2016 requires the Secretary of Defense to evaluate the cyber vulnerabilities of each DOD weapon system by the end of 2019. The Secretary of Defense must also develop strategies to mitigate risks stemming from those vulnerabilities.
It is likely that Defense Secretary Mattis is taking these claims by the GAO seriously and is tasking appropriate sections within the Pentagon to work on a long-term solution. Until then, let’s hope that valuable lessons have been learned about critical cyber vulnerabilities in future weapon systems.