New US weapons systems easy to hack

The US Department of Defense’s (DOD) new computerized weapons systems currently under development are peppered with security vulnerabilities that leave them easily susceptible to attack, according to a new report.

Background

In September 2018, US President Donald Trump signed into law a spending bill that increased defence spending for the next fiscal year to $674 billion – outpacing the rest of the world in military expenditure.

The Department of Defense also unveiled a more proactive cyber strategy to strengthen its cyber defence and deterrence posture. The new version of the strategy gives the US military authority to “defend forward” and act more aggressively in the case of cyber attacks.

“The Department will counter cyber campaigns threatening US military advantage by defending forward to intercept and halt cyber threats and by strengthening the cybersecurity of systems and networks that support DoD missions,” the strategy reads. The White House also rolled out a national cyber strategy last month, promising a more aggressive willingness to deploy offensive and defensive operations against threats in cyberspace.

Analysis

A new government report has found that the Department of Defense’s new computerized weapons systems can be easily hacked. The Government Accountability Office (GAO) was asked to review the state of DOD weapon systems cybersecurity as the department plans to spend about $1.66 trillion to expand its weapons portfolio in the coming years.

In its audit of the weapon systems, the GAO found a slew of security vulnerabilities.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report stated.

GAO testers “playing the role of adversary” uncovered fundamental security lapses that allowed them to take over some systems and largely operate undetected. In one instance, a two-person team was able to gain initial access to a weapon system in just one hour and full access within a day.

In another assessment, the weapon system “satisfactorily prevented” unauthorized access by remote users, but not insiders and near-siders. Once the test team gained initial access to the system, they were able to move throughout the system and escalate their privileges to take full or partial control of the system.

In one case, testers were able to take control of the operators’ terminals, allowing them to view what the operators were seeing on their screens in real-time and manipulate the system. A number of test teams reported they were able to copy, change or delete system data.

The auditors also stressed the importance of cyber hygiene such as regularly changing passwords and applying patches. One test team was able to guess an administrator password in just nine seconds. Multiple weapon systems that used commercial or open source software were found with default passwords that test teams were easily able to look up online.

The GAO said the Defense Department faces “mounting challenges” in protecting its weapon systems against sophisticated adversaries due to the computerized nature of weapon systems, DOD’s “late start” in prioritizing cybersecurity and its “nascent understanding of how to develop more secure weapon systems”. The vulnerabilities discovered and the extent of potential exploits likely represent just a fraction of the total security issues in these systems, since some of the tests were limited or cut off early.

According to the GAO report, the DOD was aware of many of these “mission-critical cyber vulnerabilities.” However, Pentagon officials who met with GAO testers claimed their systems were secure and “discounted some test results as unrealistic.”

All tests were performed on computerized weapons systems that are still under development. The GAO warned these next-gen weapons systems would be an easy and high-value target for hacking groups unless steps are taken to improve cybersecurity.

“Officials from a DOD agency we met with, expressed confidence in the cybersecurity of their systems, but could not point to test results to support their beliefs. Instead, they identified a list of security controls they had implemented,” the report states. “However, security controls must be properly designed and implemented in order to be effective.”

Assessment

Our assessment is that the Department of Defense must prioritize cybersecurity as part of the development process, given that these systems are heavily computerized and networked, making them more prone to attack. We believe that consistent internal testing procedures, followed through with immediate patching, must be implemented in order to secure these systems in the interest of both operations and national security.