US military systems wide open to cyber attack

The US Government Accountability Office has published a scathing report into the cybersecurity of the Department of Defense’s weapon system programs, finding that an entire generation of weapon systems may be vulnerable to compromise.

The report finds that the Department of Defense is “just beginning to grapple with the scale of vulnerabilities” plaguing its major weapon system programs.

“Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritise weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.”

During optional testing DOD cybersecurity officials have routinely found mission-critical cyber vulnerabilities in weapon systems under development, the report states.

Indeed, “nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise”.

Penetration testers were able to take control of systems using relatively simple tools and techniques exploiting basic issues such as poor password hygiene and unencrypted communications.

But officials in charge of these weapons programs that the GAO met with often believed their systems were secure, even though in a number of cases they were unable to provide evidence to back up these beliefs.

The report also states that due to the limitations in the DOD’s testing practices, known vulnerabilities in the weapon systems’ cybersecurity are likely to be only a fraction of the total vulnerabilities.

Compounding the issue, a number of factors are making weapon system cybersecurity an increasingly difficult challenge, such as the increasingly computerised and networked nature of these systems and their growing reliance on software.

But despite repeated warnings, cybersecurity has not been a focus during weapon systems acquisition until only recently, and the DOD is still learning how to address weapon system cybersecurity, the report states.

“Numerous officials we met with said that this failure to address weapon systems cybersecurity sooner will have long-lasting effects on the department. Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report states.

Even with the increased focus on security, if newer, more secure systems require being connected to less secure older systems, this risks making the newer system less secure by exposing it to the same vulnerabilities.

The report does note that DOD officials do recognise the need for a radical improvement in the department’s approach to weapon system cybersecurity, but the officials also admitted that it will take time to learn what does and does not work.

The DOD was recently named as a possible victim of an alleged Chinese state-sponsored supply chain attack which involved secretly inserting a tiny microchip on servers manufactured in China for Elemental Technologies by US-based Supermicro.

According to the Bloomberg report detailing the alleged attack, middlemen working on behalf of a unit of the Peoples’ Liberation Army bribed or coerced several subcontractors of Supermicro’s main contractors in China to secretly insert the chip, allowing for access to systems using the compromised servers.

Elemental servers are used in DOD data centres, the US Central Intelligence Agency’s drone operations and the onboard networks of US Navy warships, the report states.

A number of companies named in the report — including Supermicro and Apple — and the Chinese Government have all denied the allegations.

Image credit: ©stock.adobe.com/au/lucadp

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.