Pentagon’s new weapons systems are easy to hack, GAO report

Well this is terrifying and something you don’t ever want to hear, but according to a report by the U.S. Government Accountability Office, “From 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”

The DoD has embraced automation and connectivity in military capabilities, but they also make weapon systems more vulnerable to cyber attacks. As the GAO pointed out, “DoD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems.” Despite that mind-boggling amount to dump into weapon systems, test teams, acting as adversaries, found it easy to take control of weapon systems. They found “widespread examples of weakness in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond and recover.”

I did not have enough faces or palms for the facepalm-worthy tidbits in this full report (pdf), but here are some of the highlights:

Sometimes, running a simple port scan caused parts of the weapon system to fail. “One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.”

Default password usage for weapon systems? Unfortunately, the GAO said poor password management was a common problem. “Multiple weapon systems used commercial or open source software, but did not change the default password.” Multiple times, the red team used free info or software downloaded from the internet to defeat weapon system security controls.

In another test, the red team guessed an admin’s password in nine seconds.