Yuri Gripas / Reuters
Passwords that took a few seconds to guess or were never changed from the factory defaults. Cyber vulnerabilities that were known but never fixed. According to the Government Accountability Office, these two problems are common in some of the Department of Defense's newest weapons systems.
The flaws are highlighted in a new GAO report, which found that the Pentagon "is just beginning to grapple" with the scale of the vulnerabilities in its weapons systems.
Drawing on data from cybersecurity tests conducted from 2012 to 2017 on the Department of Defense's weapons systems, the report states that "using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected" because of basic security vulnerabilities.
The GAO stated that the problems were widespread: "DOD testers have regularly discovered critical cyber vulnerabilities in almost all weapon systems under development."
When weapons program officials were asked about the weaknesses, the GAO stated that they "thought their systems were secure and felt that some test results were unrealistic".
According to the agency, the report stems from a request by the Senate Armed Services Committee asking it to review the Pentagon's efforts to secure its weapons systems. To do this, the GAO reviewed data from Pentagon security tests of weapons systems under development. It also interviewed officials in charge of cybersecurity, analyzing how systems are protected and how they respond to attacks.
The stakes are high. As the GAO notes, "DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems." This spending comes as the armed forces increasingly rely on computer systems, automation and connectivity.
Despite the growing importance of computers and networks, the GAO said, the Pentagon has only recently made the cybersecurity of its weapons systems a priority. How to achieve that goal is still being worked out, and at this stage, the report states, "DOD does not know the full scale of its weapon system vulnerabilities."
One reason for the continuing uncertainty, according to the GAO, is that the Department of Defense's penetration tests were "limited in scope and sophistication." Unlike real attackers, for example, the testers did not have time to attack contractor systems, or the luxury of spending months or years gathering data and taking control of networks.
Nevertheless, the tests cited in the report revealed "many examples of weaknesses in each of the four security objectives that cybersecurity tests normally look at: protect, detect, react, and recover."
GAO:
"One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls."
In many cases, simply scanning the weapons' computer systems caused them to shut down.
"One test had to be stopped for safety reasons after the system was scanned by the test team," the GAO says. "This is a basic technique that most attackers would use and requires little knowledge or expertise."
When problems were identified, they often remained unresolved. The GAO cites a test report in which only one of 20 previously detected vulnerabilities had been fixed. When asked why all the problems had not been resolved, the GAO said, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error."
According to the GAO, one of the problems facing the Pentagon is the loss of key personnel who are enticed by lucrative offers to work in the private sector after gaining experience in cybersecurity.
The most skilled workers, experts able to find vulnerabilities and detect advanced threats, can earn "upward of $200,000 to $250,000 a year" in the private sector, the GAO reports, citing a 2014 RAND study. That kind of salary, the agency adds, "far exceeds DOD's pay scale."
At a recent Senate Armed Services Committee hearing on the readiness of the U.S. military's cyber forces, officials acknowledged intense competition for engineers.
"The department is facing cyber-workforce challenges," said Essye B. Miller, principal deputy and acting chief information officer for the Department of Defense. She added, "DOD has seen over 4,000 cyberspace-related civilian vacancies every year in our business, which we are looking to fill because of the normal rotation of positions."