Summary: GAO Report on Weapons System Cybersecurity

On Oct. 9, 2018, the Government Accountability Office (GAO) released a new report to the Senate Committee on Armed Services analyzing factors that contribute to the current state of Defense Department weapons’ cybersecurity, vulnerabilities in weapons under development and steps the Pentagon is now taking to develop more resilient systems. It finds that there are major cybersecurity weaknesses in the Department of Defense’s new and existing weapons systems.

Cyber-connected software and IT systems are “pervasive” in modern weapon systems, the report found, and these systems are more vulnerable than those of previous generations. According to the report, until recently, the Defense Department has not prioritized cyber security. As a result, Defense Department testing teams were routinely able to find “mission-critical” vulnerabilities using only limited resources and techniques, even though program officials believed these programs to be secure.

While the Defense Department has implemented new systems since 2014 to shore up its cyber vulnerabilities, a variety of systemic barriers, including the difficulties of sharing information and recruiting talented personnel, continue to make addressing these problems difficult. Meanwhile, a generation of weapon systems has been developed with insufficient cyber protection, and the complete scope of Defense Department’s exposure remains unclear.

Contributing Factors

According to the report, information security across the federal government has been designated a high-risk area since 1997—but until recently, the cyber security of weapon systems in particular has not been a major priority. This is despite the fact that the federal government and weapons contractors have long faced a pervasive array of threats including criminals, hackers, terrorists and adversarial nations. Some of these pervasive threats qualify as “advanced” under the GAO’s reckoning, meaning they can bring to bear “complex, long-term cyber attack operations” against high-value networks, utilizing significant technical expertise and resources.

Modern-day weapon systems are more vulnerable than in the past in part because they are “more software and IT dependent and more networked than ever before,” which creates more points of potential attacks for malicious actors. To illustrate this point, the report uses the example of a hypothetical aircraft (as the specifications of actual weapons systems in development remain classified) with 12 different types of vulnerable software systems including maintenance, collision avoidance and targeting. The report notes that each of these systems is a “potential access point for an adversary,” and that even “air gapped” systems can be accessed by physical devices such as flash drives and compact discs. Any weapon system connected to an external network such as GPS or the internet—or to a separate system connected to an external network—may also be vulnerable.

Until around 2014, according to the report, the Defense Department focused on protecting traditional networks and IT systems such as internal records rather than on its weapons systems. Citing multiple internal reports, the report’s authors note that cyber-security was also not a focus of the acquisitions process; for example, until a few years ago cyber-survivability was not a factor in a system’s key performance parameters. As a result, many systems currently in use or under development did not consider cyber security in early stages of research, development and testing. What’s more, adding cyber security features into these systems after the fact is likely to be costlier and less effective than if those features had been integrated from the beginning.

Weapons systems are also uniquely difficult to protect. Cyber security protocols developed for normal IT systems may not be particularly effective for weapons that are cyber-physical hybrids. Furthermore, because these systems are so complex and because an error can have catastrophic consequences in the physical world, patching and updating these systems is far more difficult than in purely software-based systems.

Extent of Vulnerabilities

The extent of the cyber vulnerabilities detailed in the report are startling. Between 2012 and 2017, Defense Department testing teams were routinely able to find serious vulnerabilities in nearly all the major weapons systems under development. In one case, a two-person team was able to gain initial entry to a weapon system in less than one hour and was able to gain full control within a single day.

After gaining access to these systems, testing teams were quickly able to exploit them. One team of testers trolled current users by sending warning messages asking the users to insert two quarters to continue operating. In another example, testers crashed the entire system by running a simple scan, a common initial step when gaining access to a computer system.

Not all hacking required a sophisticated toolset. On multiple occasions, they were able to gain access by guessing the administrator’s password or because the system was still using a default password available through an open-source search. In other cases, testers conducted their hacks using only information and programs easily discoverable online, instead of the complex methods that would be available to a nation state attempting an attack.

The test team’s attacks were even more effective because operators and administrators were so often ineffective at preventing or repairing the systems. One test team attempting to exploit a weapon system found that administrators had only corrected one of the 20 cyber vulnerabilities that had previously been identified. Another team was able to operate for several weeks undetected, even after they began to act deliberately “noisy” to try to draw the attention of administrators.

Even when testers’ activities were obvious, administrators often failed to respond. When testers deliberately crashed one weapons system, users did not suspect foul play because the system so often crashed organically. In another test, administrators ignored intrusion detection warnings because the warnings were always “red,” and the administrators had become desensitized.

The report is careful to note that these tests are unlikely to have revealed the full extent of system vulnerabilities. Though the testers had some advantages, in that they were given classified specifications on the targeted systems, they also operated with limited resources and time—constraints that would not apply to an actual advanced threat. The result is that the federal government simply does not know how vulnerable its systems truly are.

This problem is exacerbated, according to the report, by the false sense of confidence on the part of many program managers. Citing their extensive security controls, multiple managers told the GAO that their systems were secure, even though they had failed to conduct actual testing to confirm the efficacy of these controls. The cyber security experts consulted by the report’s authors indicated that actual testing is the only way to confirm the true extent of a system’s security.

Steps Towards Improvement

The report credits the Defense Department with taking steps since 2014 to shore up the weaknesses in cybersecurity for its weapons systems, but cautions that significant barriers remain.

One the most important steps the Department of Defense has already taken, according to the report, is to apply its existing cybersecurity policy to weapons systems, an approach that it has only adopted in the last few years. Another is to encourage both developers and users to emphasize cyber-resiliency—that is, the ability to operate even when systems are compromised. Furthermore, weapons contractors have increasingly been required to build cybersecurity into their designs throughout all stages of development.

The report further notes that the Pentagon has begun to put more resources and focus into cybersecurity across the board, but that there are systemic barriers to improving. It is difficult to share information about vulnerabilities between departments and agencies because of the high classification level of the material involved. Additionally, the Pentagon has difficulty attracting and maintaining qualified personnel. Weapons security is a distinct field from general cybersecurity, making the pool of talent small. To build its cyber capacity, the department and military services have invested significantly in building expertise within. But the problem remains that trained personnel are often incentivized to leave for the private sector, where salaries are substantially higher.

On the whole, the report indicates that Defense Department is likely moving in the right direction on cyber security for its weapons systems—but years of neglect have created myriad risks for U.S. weapons development.