The Department of Defense, despite being warned over and over and over again, is only just now beginning to figure out what cybersecurity measures it should be implementing in its weapons systems programs.
The US Department of Defense (DoD) only began to take cybersecurity seriously in 2017, according to a report released on Tuesday by the Government Accounting Office (GAO). The DoD’s failure to address cybersecurity concerns is abject enough to make it into the name of the report: “Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities.” The GAO’s investigation was focused on weapon systems and weapons systems acquisition.
The DoD has made efforts to secure its networks and IT systems, according to the GAO, but until recently it failed to realize that when you connect weapon systems to a network, they are subject to the same risks and also need protective measures.
The DoD is beginning to respond but, “It looks grim unless they really see this as a wake-up call and start taking actions in a serious manner,” said Cristina T. Chaplain, Director, Contracting and National Security Acquisitions at the GAO, and the primary author of the report in a podcast accompanying the report (a link to the podcast is embedded on this page).
“Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise,” the report states.
The GAO ventures few examples of what that might mean. One example “compromise” it cited would be if someone unauthorized were to get control of the oxygen flow to a fighter pilot’s cockpit/helmet. The GAO fussily avoids mentioning the risk of a hacker taking direct control of a weapon system, but it just can’t avoid warning that a possible consequence of ongoing lax cybersecurity is “loss of life.”
Security experts from industry are aware of the problem at the DoD. The GAO quotes representatives of “test organizations” who say that many officials in charge of weapons acquisition don’t understand the issue of system security. Of course, the industry has been documenting the increasing number of cyberattacks on public, private, and governmental systems for years – and counteracting the vast majority of the attacks, and then issuing public warnings about the problem.
Not that such warnings should be necessary. The possibility of being subject to cyber attacks has been known for a very long time. As the GAO notes, cybersecurity (officially referred to as “federal information security”) has been explicitly designated as a “government-wide high-risk area” since 1997.
“We and others have warned of these risks for decades,” the report says, citing reports on the exact same problem with weapons systems acquisition from at least two other government agencies in the last five years. “Nevertheless, until recently, DoD did not prioritize cybersecurity in weapon systems acquisitions.”
It has been 20 years – two whole decades – and there are agencies and offices within the DoD that are still not changing default passwords on various systems, according to the GAO.
Over the past few years, DoD testers have taken partial or full control of weapons systems under development, and reported that it was very, very easy to do so. Their activities were rarely if ever detected when in progress, and were rarely if ever detected after the fact – even in those instances when the testers deliberately allowed the system to log their presence. No one ever checked the logs.
One test team reported that they caused a pop-up message to appear on users’ terminals instructing them to “insert two quarters to continue operating,” the GAO report said.
Weapons include numerous interfaces that can be used as pathways to access the system (represented via fictitious weapon system for classification reasons)
But the problems are far more extensive and pervasive than simple security prophylaxis such as password protection and checking logs.
The GAO explains that the people running weapons programs tend to be aware that cybersecurity is a concern, they just fail to understand it. The GAO says it spoke with multiple program officials who’d said they had security controls in place, but had no idea how they were implemented. Nor did they know whether those controls were configured properly, and had no test data to tell.
DoD officials told the GAO that defense program offices “may not know which industrial control systems are embedded in their weapons or what the security implications of using them are,” according to the report, which goes on to say that, “Office of the Secretary of Defense officials informed us that, in response to section 1650 of the National Defense Authorization Act for Fiscal Year 2017, they are working to better understand the dependency of industrial control systems on mission impact.”
That is one measure that the GAO said shows the DoD is, finally, slowly, taking the problem seriously and is moving in the right direction. The GAO’s caveat is that progress doesn’t continue without consistent commitment from leadership and pointedly noted that the DoD’s top cyber advisor in 2017 closed down an assessment of weapons security that the GAO clearly believes was incomplete.
The reference is presumably to Major General Burke Wilson, who in early 2018 left the position of Marine Corps CIO (the position includes responsibility for the DoD’s cyber capabilities and activities) to join the staff of Secretary of Defense Jim Mattis. Wilson was replaced in February by Brigadier General Dennis Crall.
There are other governmental agencies that have nominal responsibility for cybersecurity, including the NSA and Cyber Command. Neither has explicit responsibility for evaluating cybersecurity in weapons systems, the GAO report notes.
“People look at weapons and think they’re automatically very different than their own home computers or the business networks that we see getting attacked every day, but they’re not so different in their make-up, they have the same components computer-wise that can be attacked,” Chaplain said in the podcast. “The key is to focus on that from the very beginning to give yourself a good chance of being able to withstand attacks or be able to deal with them as they occur.”
EDN editor-in-chief Brian Santo has been writing about science and technology for over 30 years, covering cable networks, broadband, wireless, the Internet of things, T&M, semiconductors, consumer electronics, and more.