New Report Says Pentagon Cyber Security Is A Huge Dumpster Fire


It only took an hour for Defense Department hackers to gain access to a weapons system, and just a day to gain full control over it, according to a new Government Accountability Office report warning the Pentagon that it's "just beginning to grapple with the scale of vulnerabilities" in its arsenal.


As DoD systems become increasingly high-tech and interconnected, the problem of adversaries being able to defeat the military's weapons systems without firing a shot has only gotten worse over the years.

The unclassified report didn't mention vulnerabilities in specific weapons systems, for obvious reasons, but it did make clear that DoD isn't doing enough to address the problem. Indeed, the GAO included a table showing a number of warnings it has offered on the issue going back to the 1990s.


Cybersecurity wasn't considered much of a priority for weapons until about 2014, according to the report. With the exception of small arms, that means anything featuring components like industrial control systems, communications and targeting systems, radar, or wireless links may offer up vectors that potential adversaries can exploit.

Between 2012 and 2017, penetration testers "routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development," the report said. Also noteworthy was the fact that testers weren't taking nearly as much time, or using methods as sophisticated, as a nation-state adversary would.

Instead, most used "relatively simple tools and techniques" to take control, and largely operated undetected as a result.

Page 22 of the report is worth reading in full (emphasis added):

Test Teams Easily Took Control

Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.

Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

Test Teams Needed Only Basic Tools

The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise. Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.

Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.

Although the report is fairly alarming in what it reveals, it does commend DoD for taking "several major steps" to address weapons cybersecurity, to include policy improvements and bringing cyber considerations into the acquisition cycle. But the delay in heeding past warnings means there will be "long-lasting effects on the department," numerous officials told researchers.

"DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the report says.


"Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning. Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy.

Specifically, if DOD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Furthermore, even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk."

You can read the full report here.
