Major U.S. weapons systems are increasingly vulnerable to hacking attacks, according to federal investigators who "routinely found mission-critical cyber vulnerabilities" in multiple critical systems operated by the Department of Defense.
The Defense Department has been caught flatfooted when it comes to protecting critical systems that oversee and run an increasing number of U.S. defense systems, according to a new Government Oversight Report that warns defense officials have little understanding of how to protect these systems from hacking attacks by foreign governments and other rogue actors.
"The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats," according to the 50-page report, which is fueling concerns on Capitol Hill. "This state is due to the computerized nature of weapon systems; DOD's late start in prioritizing weapon systems cybersecurity; and DOD's nascent understanding of how to develop more secure weapon systems. DOD weapon systems are more software dependent and more networked than ever before."
As the Defense Department invests more than $1.66 trillion to develop major weapons systems, "potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems," according to the report.
The security of these systems remains a top priority, yet glaring gaps remain, according to tests performed by government officials who were resistant to criticism about these cyber vulnerabilities.
"In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic," according to the report.
Tests performed with "simple tool and techniques" breached defense system security. In some cases, weapons systems security had never been tested at all.
"Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," according to the report. "In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."
Due to the nature of weapons systems relying on network connectivity, they become vulnerable to malicious cyber hackers operating on behalf of hostile nations or terror factions.
"Automation and connectivity are fundamental enablers of DOD's modern military capabilities," the report states. "However, they make weapon systems more vulnerable to cyber attacks."
While government oversight authorities and many in Congress and elsewhere "have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity."
This has left deficiencies in weapons system security.
Current steps taken by the Defense Department to improve cybersecurity also have fallen short, according to the report.
The Defense Department "faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities," the report found.