DOD Weapon Systems Have Vulnerabilities, According To New GAO Report

The Washington Post reported today that the Department of Defense’s (DOD) weapon systems feature cyber vulnerabilities that leave them susceptible to attack, according to a GAO government report released Tuesday. IT security experts commented below.

Pravin Kothari, CEO at CipherCloud:

“Yes, cyber vulnerabilities remain a major challenge especially in areas such as the move to cloud computing. The GAO is keeping everyone’s eye on the ball. That said, let’s keep this GAO report in perspective. First – many of these weapons systems are absolutely not online to external networks. This is intentional. Second – many of the network protocols used in these specialized weapons systems do not use a standard TCP/IP protocol, but instead may use proprietary, highly specialized network communications protocols and encryption techniques specifically designed for that weapons system program. Third, and the most important to your health – if you do try to get in close proximity to a classified weapons system it won’t be more than a few seconds before a highly motivated marine interrupts your activities. Let’s get real here. If there were real actionable deficiencies to classified weapons systems, they’re getting worked on furiously right now. Rest assured the vulnerabilities would not be detailed as a “how to” manual for hostile nation states in a GAO non-classified report.”

Ross Rustici, Senior Director, Intelligence Services at Cybereason: 

“The requirements for the current generation of weapon systems were generally created in the early 90’s. What the GAO report really highlights is the long development cycle of advanced military platforms. The F-35, for example, started as the Joint Strike Fighter project in 1992. This was a year after the Revolution in Military Affairs was proven highly successful in Desert Storm and the US military was exploring the full advantage that highly networked troops give a fighting force. For more perspective, AOL for Windows came out the same year the F-35 program was conceived. The first test flight of the plane was in 2006, a year after the first major foreign intrusion, Titan Rain, was publicly named in US systems.

So, it comes as no surprise that these weapon systems fall vulnerable to all of the traditional issues that IT from the mid 2000s has. Nevertheless, the DoD must make up ground and figure out how to retrofit these systems to provide better standard protection. Default passwords and other things that amount to human error vulnerabilities should not exist within the DoD, especially advanced weapon systems. However, hardening beyond this point becomes a policy decision. Given US Cyber Command’s mission set, a valid argument can be made that it is the duty of the newly minted Combatant Command to defend these systems from hackers. Much in the same way that 5 of the 6 ships in a Carrier Strike Group are designated protection for the aircraft carrier, which by itself is largely defenseless. Alternatively, the DoD may decide that every weapon system must have an adequate autonomous cyber defense capability, much in the same way the M1 tank has enough armor to absorb enemy fire and preserve the capability of the tank itself.

But this has to be a force readiness and policy decision with resource alignment supporting it. If the DoD intends to shift cyber defenses to the platforms themselves, it will result in a large additional expenditure that requires significant intelligence support and to truly make weapon systems resilient to cyber countermeasures, the manufacturer first needs to know what they are.”

George Cerbone, Principal Solutions Architect at One Identity: 

“The GAO report is a summary of a series of tests that were done on a wide variety of military systems. As one might imagine, most of the specific results of those tests are classified, and we don’t know what the specific vulnerabilities are. What is perhaps more interesting is that the report indicates that the Pentagon suffers from the same problem that every large company or bureaucracy has to deal with: security is hard, it requires discipline, and there is a shortage of trained security people. The problems that were disclosed were typical of what we find in every large organisation: default passwords were not changed. Personnel may have followed compliance documents, but didn’t really understand what they were doing. Managers were defensive when deficiencies were discovered. And the solution is the same as it is in every large organisation: make security a priority, be disciplined, and train your people.

“One final thought: the typical reaction to these types of revelations is shock, outrage, denial, etc. Instead, I would like to suggest that finding these exposures is a wonderful thing. Every single one of the deficiencies that were found are all now known and can be fixed. And they can be fixed now, and not after a malicious attacker has exploited them. So instead of reacting with denial and shame, greet each of these reports with the joy of knowing you are on your way to being more secure.”