New Report Says Pentagon Cyber Security Is A Huge Dumpster Fire

news

It only took an hour for Defense Department hackers to gain access to a weapons system, and just a day to gain full control over it, according to a new Government Accountability Office report warning the Pentagon that it's "just beginning to grapple with the scale of vulnerabilities" in its arsenal.


As DoD systems become increasingly more high-tech and interconnected, the problem of adversaries being able to defeat the military's weapons systems without firing a shot has only gotten worse over the years.

The unclassified report didn't mention vulnerabilities in specific weapons systems, for obvious reasons, but it did make clear that DoD isn't doing enough to address the problem. Indeed, the GAO included a table showing a number of warnings it has offered on the issue going back to the 1990s.

GAO

Cybersecurity wasn't considered much of a priority for weapons until about 2014, according to the report. With the exception of small arms, that means anything featuring components like industrial control systems, communications and targeting systems, radar, or wireless links may offer up vectors that potential adversaries can exploit.

Between 2012 and 2017, penetration testers "routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development," the report said. Also noteworthy was the fact that testers weren't taking nearly as much time or using sophisticated methods as a nation-state adversary would.

Instead, most used "relatively simple tools and techniques" to take control, and largely operated undetected as a result.

Page 22 of the report is worth reading in full (emphasis added):

Test Teams Easily Took Control

Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.

Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

Test Teams Needed Only Basic Tools

The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise. Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.

Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.

Although the report is fairly alarming in what it reveals, it does commend DoD for taking "several major steps" to address weapons cybersecurity, to include policy improvements and bringing cyber considerations into the acquisition cycle. But the delay in heeding past warnings means there will be "long-lasting effects on the department," numerous officials told researchers.

"DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the report says.

GAO

"Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning. Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy.

Specifically, if DOD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Furthermore, even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk."

You can read the full report here.

(DoD photo by Claudett Roulo.)

Former Navy SEAL Eric Greitens, who resigned in disgrace as governor of Missouri last year, is putting his uniform back on — just not as a Navy SEAL.

Greitens, who stepped down in May 2018 amid criminal charges related to an alleged extramarital affair, has become a reserve naval officer with Navy Operational Support Center — St. Louis, a spokeswoman for Navy Recruiting Command confirmed to Task & Purpose. The Kansas City Star first reported the news.

Read More Show Less

NAVAL BASE SAN DIEGO — Three members of the defense team for Navy SEAL Chief Edward "Eddie" Gallagher were revealed on Wednesday to have close ties to the Trump administration amid reports the president is considering the veteran Navy SEAL for a pardon on Memorial Day.

President Donald Trump's personal attorney, Marc Mukasey, 51, and longtime Trump associate Bernard Kerik, 63, a former New York City police commissioner, have joined Gallagher's defense team in recent months, both men told Task & Purpose on Wednesday.

Meanwhile, in response to a question from a reporter after a motions hearing, lead defense attorney Tim Parlatore confirmed that he had previously represented Pete Hegseth, the conservative Fox News personality who has been privately lobbying Trump since January to pardon Gallagher, according to The Daily Beast.

Read More Show Less
(Associated Press photo)

(Reuters) - John Walker Lindh, the American captured in Afghanistan in 2001 fighting for the Taliban, was released early from federal prison on Thursday, the Washington Post reported, citing Lindh's lawyer.

Lindh, who was 20 years old when he was captured, left prison in Terre Haute, Indiana, on probation after serving 17 years of a 20-year sentence, the newspaper said.

Now 38, Lindh is among dozens of prisoners to be released over the next few years after being captured in Iraq and Afghanistan and convicted of terrorism-related crimes following the attacks on the United States by al Qaeda on Sept. 11, 2001.

Read More Show Less
(U.S. Navy photo by Mass Communication Specialist 1st Class Brian M. Wilbur.)

Defense officials will brief President Donald Trump's national security team on a plan that involves sending 5,000 more troops to the Middle East to deter Iran, Task & Purpose has learned.

So far, no decisions have been made about whether to send the reinforcements to the region, unnamed U.S. officials told CNN's Barbara Starr.

"The military capabilities being discussed include sending additional ballistic missile defense systems, Tomahawk cruise missiles on submarines, and surface ships with land attack capabilities for striking at a long range," CNN reports. "Specific weapons systems and units have not been identified."

Read More Show Less

Dashcam footage from a freeway commuter shows the moment a pilot ejected from an F-16 military jet last week, releasing a parachute before the aircraft slammed into a Riverside County, California warehouse.

Read More Show Less