Nearly all new US weapons systems have "critical" cyber security issues, auditors say




Nearly all newly developed US military weapons systems suffer from "critical computer vulnerabilities," according to a review of government-led security audits conducted between 2012 and 2017, suggesting that military agencies have been hastily computerizing new weapons systems without prioritizing cybersecurity.

The findings were released Tuesday in a report by the Government Accountability Office. The report relied on years of security audits led by qualified "testers", mostly friendly hackers employed to search for flaws in the Pentagon's networks, thus duplicating the process of hacking to detect security breaches.

Although the report does not identify any specific military programs, its authors describe easily exploitable cyber security vulnerabilities, which often result from negligence on the part of those who use the systems.

"From 2012 to 2017, DOD testers have regularly found critical cyber vulnerabilities in almost all weapon systems under development," GAO researchers wrote. "With the help of relatively simple tools and techniques, the testers were able to take control of these systems and function largely undetected."

Among the findings of the report, testers said they had been able to secretly take control of an unspecified weapons system, view the screens of its operators and manipulate the system itself. In one case, a test team displayed pop-up messages on the screen used to operate a weapons system, prompting users to insert quarters before continuing. In other cases, the testers found that they could copy or delete stored data.

Vulnerabilities were often caused by a lack of attention to basic cybersecurity practices, such as leaving default passwords unchanged. In one case, a test team was able to guess an administrator's password in nine seconds, the report says.

The agency warned that the issues described in the report were likely a "fraction" of the total number of vulnerabilities affecting Defense Department systems, which are too large to be fully evaluated.

This report is the latest in a long list of warnings of this type going back several decades. The GAO warned in 1996 that hackers had taken control of entire defense systems, and in 2004 that the Pentagon's focus on connecting systems via the Internet would create new opportunities for hackers.

Nevertheless, the report released Tuesday drew attention to a new trend that worries security experts. As more and more physical objects are controlled and operated via the Internet, the possibility that hackers could hurt people or sabotage equipment, as opposed to merely stealing information, is likely to increase.

While the Pentagon plans to spend about $1.6 trillion to develop new systems, as calculated by the GAO, it has jumped on the opportunity to connect entire weapons systems. This connectivity allowed the Pentagon to acquire military capabilities once considered impossible, GAO researchers wrote in Tuesday's report, but also left more military systems open to attack.

In a letter to the chairman of the Senate Armed Services Committee, James M. Inhofe (R-Okla.), GAO researchers said that the Pentagon's growing use of software to handle certain critical functions, such as activating or deactivating a weapon, maintaining a pilot's oxygen level, guiding a missile to its target, or simply flying an airplane, makes it vulnerable to manipulation by state-sponsored hackers.

"Cyber attacks can target any subsystem of software-dependent weapons, potentially leading to an inability to carry out military missions or even loss of life," GAO researchers wrote.

Although the report indicates that the Pentagon is increasingly compliant with cybersecurity standards, it also noted instances in which program officials had not corrected the vulnerabilities identified in previous audits. In one case, only 1 of the 20 cyber-vulnerabilities identified in a previous assessment had been corrected, a problem that officials attributed to an error on the part of the contractors.

The report comes as the Pentagon is reassessing its relations with defense companies, considering taking a closer look at security assessments when buying large weapons systems.
