It only took an hour for Defense Department hackers to gain access to a weapons system, and just a day to gain full control over it, according to a new Government Accountability Office report warning the Pentagon that it’s “just beginning to grapple with the scale of vulnerabilities” in its arsenal.
As DoD systems become increasingly more high-tech and interconnected, the problem of adversaries being able to defeat the military’s weapons systems without firing a shot has only gotten worse over the years.
The unclassified report didn’t mention vulnerabilities in specific weapons systems, for obvious reasons, but it did make clear that DoD isn’t doing enough to address the problem. Indeed, the GAO included a table showing a number of warnings it has offered on the issue going back to the 1990s.
GAO
Cybersecurity wasn’t considered much of a priority for weapons until about 2014, according to the report. With the exception of small arms, that means anything featuring components like industrial control systems, communications and targeting systems, radar, or wireless links may offer up vectors that potential adversaries can exploit.
Between 2012 and 2017, penetration testers “routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report said. Also noteworthy was the fact that testers weren’t taking nearly as much time or using sophisticated methods as a nation-state adversary would.
Instead, most used “relatively simple tools and techniques” to take control, and largely operated undetected as a result.
Page 22 of the report is worth reading in full (emphasis added):
Test Teams Easily Took Control
Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.
Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.
Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.
Test Teams Needed Only Basic Tools
The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise. Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.
Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
Although the report is fairly alarming in what it reveals, it does commend DoD for taking “several major steps” to address weapons cybersecurity, to include policy improvements and bringing cyber considerations into the acquisition cycle. But the delay in heeding past warnings means there will be “long-lasting effects on the department,” numerous officials told researchers.
“DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report says.
GAO
“Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning. Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy.
Specifically, if DOD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Furthermore, even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk.”
You can read the full report here.