Well this is terrifying and something you don’t ever want to hear, but according to a report by the U.S. Government Accountability Office, “From 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”
The DoD has embraced automation and connectivity in military capabilities, but they also make weapon systems more vulnerable to cyber attacks. As the GAO pointed out, “DoD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems.” Despite that mind-boggling amount to dump into weapon systems, test teams, acting as adversaries, found it easy to take control of weapon systems. They found “widespread examples of weakness in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond and recover.”
I did not have enough faces or palms for the facepalm-worthy tidbits in this full report (pdf), but here are some of the highlights:
Sometimes, running a simple port scan caused parts of the weapon system to fail. “One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.”
Default password usage for weapon systems? Unfortunately, the GAO said poor password management was a common problem. “Multiple weapon systems used commercial or open source software, but did not change the default password.” Multiple times, the red team used free info or software downloaded from the internet to defeat weapon system security controls.
In another test, the red team guessed an admin’s password in nine seconds.
A two-person red team needed “just one hour to gain initial access to a weapon system and one day to gain full control of the system.”
After gaining a foothold, the red teams escalated privileges and moved throughout a system until they managed to take full or partial control.
One test team operated for several weeks without being detected.
A red team wasn’t even detected when it was “deliberately noisy” and didn’t hide it activities.
Attack activity was in the system logs, but operators couldn’t be bothered to check them.
Another test team “emulated a denial of service attack by rebooting the system, ensuring the system could not carry out its mission for a short period of time. Operators reported that they did not suspect a cyber attack because unexplained crashes were normal for the system.”
In another case, the red team took control of the operators’ terminals and watched them, in real-time, as the “attackers” manipulated the system.
A different test team made a message pop-up on users’ terminals “instructing them to insert two quarters to continue operating.”
Several different red test teams were able “to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.”
The report may be unsettling, but at least it sounds like the red team had some fun.
The GAO didn’t mention specific weapon systems or vulnerabilities, but it did say that the Pentagon is “just beginning to grapple” with the scale of vulnerabilities.
So … happy National Cyber Security Awareness Month?