U.S. weapon systems cybersecurity failing, GAO report says
A U.S. Government Accountability Office report gave failing grades to military weapon systems cybersecurity, but some experts say the report should be a source of encouragement.
The U.S. Government Accountability Office released a new report detailing military weapon systems cybersecurity and the news is not good.
Congress ordered the GAO to test military weapon systems cybersecurity and submit a report before the Department of Defense (DoD) began acting on its $1.66 trillion plan to develop its new weapons systems. GAO reported that although the DoD "routinely found mission-critical cyber vulnerabilities in systems that were under development," some defense program officials the GAO met with believed systems were secure and "discounted some test results as unrealistic."
"Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO wrote in its report. "In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."
The GAO report -- titled "Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities" -- detailed numerous issues, including system administrators not given enough time to test security or patch systems and systems still using the default admin password. In addition, the report cited a lack of procedures for reviewing system logs and intrusion detection systems that would either send so many alerts that operators began to ignore them or alerts would be generated properly but never sent to operators.
GAO noted that all of these weapon systems cybersecurity issues in existing systems could negatively impact any new systems developed by the DoD.
"Due to this lack of focus on weapon systems cybersecurity, DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity. Bolting on cybersecurity late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning," GAO wrote. "Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy. Specifically, if DoD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk."
During testing, the GAO red team apparently took advantage of how easy it was to crack DoD weapons systems.
"In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded," GAO wrote. "Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."
Experts such as Edgard Capdevielle, CEO of industrial cybersecurity vendor Nozomi Networks, were disturbed by the ease with which GAO testers were able to hack DoD weapons systems.
"The recent report from the government watchdog shows that attackers could have exploited these weaknesses quite easily -- and wouldn't have needed sophisticated tools to do so. This is a reality that we're seeing more and more of -- that attackers nowadays no longer need the resources or skill of a nation-state in order to pull off a successful attack," Capdevielle wrote via email. "The current threat landscape is quickly expanding as attackers with various levels of sophistication are more easily finding the tools and tactics needed to be successful and government organizations need to sit up and take action."
Mike Riemer, chief security architect at Pulse Secure, said the military has a more complicated challenge with weapon systems cybersecurity because it has the "added wrinkle of protecting access to assets on the battlefield."
"We see similar issues in other industries, such as utilities and transportation, which are also critical to our nation and now vulnerable as the internet of things becomes pervasive. But unlike commercial network environments, military systems operate in fluid environments where security must protect the weapons system, but also adapt to changing groups, roles, geography, command relationships and other access determinants," Riemer wrote via email. "That goes beyond commercial multifactor authentication, requiring additional authentication and protected connection mechanisms where testing the management and scale of conditional access policy under a zero-trust model is required."
Pravin Kothari, CEO of CipherCloud, noted that the military setting of these systems may actually mean basic cybersecurity is better in some ways compared to enterprise settings.
"Many of these weapons systems are absolutely not online to external networks. This is intentional. Many of these specialized weapons systems do not use a standard TCP/IP protocol, but instead may use proprietary, highly specialized network communications protocols and encryption techniques specifically designed for that weapons system program," Kothari wrote via email. "And the most important to your health -- if you do try to get in close proximity to a classified weapons system, it won't be more than a few seconds before a highly motivated marine interrupts your activities. Let's get real here. If there were real actionable deficiencies to classified weapons systems, they're getting worked on furiously right now. Rest assured the vulnerabilities would not be detailed as a how-to manual for hostile nation-states in a GAO non-classified report."
Experts also said that although the findings of the GAO report painted a bad picture of weapon systems cybersecurity, there is reason to be optimistic simply because this report was created.
Bob Taylor, former principal deputy general counsel for the DoD and current senior counsel at Hogan Lovells, based in Washington, D.C., said it was "heartening to see such a frank and brutal assessment of shortcomings because being aware of and facing those shortcomings create the conditions necessary for their correction."
"Fixing the problems revealed in the report will require personnel up and down the chain of command to be aware of the current failings, and to be committed, really committed, to addressing them," Taylor wrote via email. "It is, first and foremost, a matter of leadership and commitment."
Jason Haward-Grau, CISO at PAS in Houston, agreed that it was good news that "these issues have been identified now, so they can be addressed."
"Knowing where you are and where your vulnerabilities lie is the first step to being able to address it. Cybersecurity is now very much front and center in most organizations and the concepts of getting and keeping your house in order are gaining traction," Haward-Grau wrote via email. "It is also now recognized that the exploitation of any system will happen and there is a significant focus on ensuring that when it happens the detection is fast, the response is effective, and ultimately, the risk to operations is minimized. This is even more critical in an industry where kinetic weapon platforms are in play."
However, not all experts were so optimistic. Sherban Naum, senior vice president of corporate strategy and technology at Bromium, noted that a DoD weapon systems cybersecurity vulnerability being exposed "is so much costlier than at the enterprise level."
"We can replace credit card records or restore customer loyalty. We can't undo a rival nation-state potentially roaming undetected inside weapons systems because there were insufficient security investments in modular, run-time security," Naum wrote via email. "It's time for the federal government to make cybersecurity a national priority, and ensure it is treated as such during the development of systems outlined in the GAO report."