A new Government Accountability Office study reveals Department of Defense cybersecurity is not keeping up with weapons development, leaving US systems extremely vulnerable to cyberattacks.
From the GAO:
Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.
CNN:
The watchdog's report says the GAO "found that from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development."
(...)
"In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing," the report said.
In some cases, the "weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges."
One of the reasons that the weapons systems are so vulnerable to cyber-attack is their connectivity to other systems, something long seen by the Pentagon as an advantage.
Weapons like the F-35 Joint Strike Fighter have been celebrated for their ability to connect to a range of other systems, allowing critical military information to be more easily shared.
But the GAO's reports says that connectivity makes weapons systems vulnerable as potential hackers would only need to penetrate one of the connected systems to potentially gain access to the others.
(...)
The revelation that so many Pentagon weapons systems are vulnerable to cyber-attacks raises questions about the billions of dollars the US has invested in its various programs.
The report said that part of the problem was the fact that cyber-security has only recently been emphasized when developing requirements for these systems.
GAO:
DOD has recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DOD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities. However, DOD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities.
The GAO says it is not offering recommendations at this time but will continue to evaluate the matter.
Watchdog: 'Nearly all' new US weapons systems vulnerable to cyber attacks (CNN)
WEAPON SYSTEMS CYBERSECURITY: DOD Just Beginning to Grapple with Scale of Vulnerabilities (GAO.gov)