U.S. weapons systems’ are increasingly dependent on computers, rendering “nearly all” of them susceptible to cyber attacks, Congress’s watchdog arm reported Tuesday, stressing that the Pentagon “does not know” the full extent of the threat.
A Government Accountability Office (GAO) audit found:
Nearly all weapon system functions are enabled by computers—ranging from basic life support functions, such as maintaining stable oxygen levels in aircraft, to intercepting incoming missiles. DOD has actively sought ways to introduce this automation into weapon systems … Yet this growing dependence on software and IT comes at a price. It significantly expands weapons’ [vulnerabilities to cyber attacks].
The GAO determined that weapons systems developed by the U.S. military from 2012 to 2017 are especially susceptible to cyber attacks.
“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the watchdog agency declared, later adding, “DOD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication.”
In conducting its audit, the GAO reviewed cybersecurity assessment reports from selected weapon systems tested between 2012 and 2017.
GAO auditors revealed that during some assessments, testers were able to hack into weapons systems and take control over them undetected “using relatively simple tools and techniques.”
“Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems,” the watchdog noted. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.”
U.S. President Donald Trump’s administration has identified jihadist groups and transnational criminal organizations (TCOs) as well as Russia, China, and to a lesser extent Iran and North Korea as the top cybersecurity threats facing the United States.
“The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats,” GAO cautioned.
According to the watchdog, the Pentagon is expected to spend more than $1.5 trillion to develop its current portfolio of weapon systems that are heavily reliant on computerized automation and connectivity, making them vulnerable to nefarious cyber activities.
Referring to the portfolio, the GAO added:
These weapons are essential to maintaining our nation’s military superiority and for deterrence. It is important that they work when needed, yet cyber attacks have the potential to prevent them from doing so. Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life.
The GAO urged the Pentagon to take steps to improve its abilities to detect, respond to, and mitigate cyber threats.
“These cyber systems can affect the physical world so the consequences of a cyber attack may be greater than those of attacks on other types of systems,” the auditor emphasized.
The GAO acknowledged that the Pentagon has only recently begun to prioritize cybersecurity in weapon systems acquisitions, noting:
In part, because DOD historically focused on the cybersecurity of its networks but not weapon systems themselves, DOD is in the early stage of trying to understand how to apply cybersecurity to weapon systems. Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity.
Although DOD has begun to take steps to protect its weapons systems from cyber attacks, it is facing “systemic barriers” to accomplishing its goals.
“DOD is taking steps to improve its understanding of its weapon systems’ vulnerabilities, determine how to mitigate risks from those vulnerabilities, and inform future development of more secure systems,” the GAO revealed.
DOD is facing challenges in hiring and retaining cybersecurity personnel, the GAO pointed out, adding: “In addition, DOD faces barriers to information sharing, which hinder its ability to share vulnerability and threat information within and across programs.”
In September, the Pentagon unveiled its cyber strategy focused on prioritizing defense from cyber attacks and expanding military authority to prevent them.