New Report Says Pentagon Cyber Security Is A Huge Dumpster Fire

news

It only took an hour for Defense Department hackers to gain access to a weapons system, and just a day to gain full control over it, according to a new Government Accountability Office report warning the Pentagon that it's "just beginning to grapple with the scale of vulnerabilities" in its arsenal.


As DoD systems become increasingly more high-tech and interconnected, the problem of adversaries being able to defeat the military's weapons systems without firing a shot has only gotten worse over the years.

The unclassified report didn't mention vulnerabilities in specific weapons systems, for obvious reasons, but it did make clear that DoD isn't doing enough to address the problem. Indeed, the GAO included a table showing a number of warnings it has offered on the issue going back to the 1990s.

GAO

Cybersecurity wasn't considered much of a priority for weapons until about 2014, according to the report. With the exception of small arms, that means anything featuring components like industrial control systems, communications and targeting systems, radar, or wireless links may offer up vectors that potential adversaries can exploit.

Between 2012 and 2017, penetration testers "routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development," the report said. Also noteworthy was the fact that testers weren't taking nearly as much time or using sophisticated methods as a nation-state adversary would.

Instead, most used "relatively simple tools and techniques" to take control, and largely operated undetected as a result.

Page 22 of the report is worth reading in full (emphasis added):

Test Teams Easily Took Control

Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.

Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.

Test Teams Needed Only Basic Tools

The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise. Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.

Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.

Although the report is fairly alarming in what it reveals, it does commend DoD for taking "several major steps" to address weapons cybersecurity, to include policy improvements and bringing cyber considerations into the acquisition cycle. But the delay in heeding past warnings means there will be "long-lasting effects on the department," numerous officials told researchers.

"DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the report says.

GAO

"Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning. Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy.

Specifically, if DOD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Furthermore, even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk."

You can read the full report here.

Jeff Schogol

Navy Secretary Richard Spencer took the reins at the Pentagon on Monday, becoming the third acting defense secretary since January.

Spencer is expected to temporarily lead the Pentagon while the Senate considers Army Secretary Mark Esper's nomination to succeed James Mattis as defense secretary. The Senate officially received Esper's nomination on Monday.

Read More Show Less

U.S. Special Operations Command may be on the verge of making the dream of flying infantry soldiers a reality, but the French may very well beat them to it.

On Sunday, French President Emmanuel Macron shared an unusual video showing a man on a flying platform — widely characterized as a "hoverboard" — maneuvering through the skies above the Bastille Day celebrations in Paris armed with what appears to be a dummy firearm.

The video was accompanied with a simple message of "Fier de notre armée, moderne et innovante," which translates to "proud of our army, modern and innovative," suggesting that the French Armed Forces may be eyeing the unusual vehicle for potential military applications.

Read More Show Less
(New Jersey National Guard photo by Mark C. Olsen)

If you've ever wondered if the Pentagon has ever exposed the American public to ticks infected with biological weapons, you're not alone.

Rep. Christopher Smith (R-N.J.) authored an amendment to the House version of the Fiscal 2020 National Defense Authorization Act would require the Defense Department Inspector General's Office to find out if the U.S. military experimented with using ticks and other insects as biological weapons between 1950 and 1975.

If such experiments took place, the amendment would require the inspector general's office to tell lawmakers if any of the ticks or other bugs "were released outside of any laboratory by accident or experiment design."

Read More Show Less

There's no one path to military service. For some, it's a lifelong goal, for others, it's a choice made in an instant.

For 27-year-old Marine Pvt. Atiqullah Assadi, who graduated from Marine Corps bootcamp on July 12, the decision to enlist was the culmination of a journey that began when he and his family were forced to flee their home in Afghanistan.

Read More Show Less
(Facebook photo)

The Air Force has administratively separated the Nellis Air Force Base sergeant who was investigated for making racist comments about her subordinates in a video that went viral last year, Task & Purpose has learned.

Read More Show Less