The defense industry is tackling cybersecurity flaws in new weapons systems




Nearly all newly developed US military weapon systems suffer from "critical computer vulnerabilities," a review of government-led security audits conducted between 2012 and 2017 has found, suggesting that military agencies have been rushing to computerize new weapons systems without prioritizing cybersecurity.

The results were published Tuesday in a report by the Government Accountability Office, which relies on years of security audits conducted by qualified "testers," the friendly hackers employed to search Pentagon networks for vulnerabilities.

Although the report did not identify specific military programs, its authors describe easily exploitable cybersecurity vulnerabilities resulting from negligence on the part of those who use the systems.

"From 2012 to 2017, DOD testers have regularly found critical cyber vulnerabilities in almost all weapon systems under development," GAO researchers wrote. "With the help of relatively simple tools and techniques, the testers were able to take control of these systems and function largely undetected."

Security testers have shown that they can secretly take control of an unspecified weapon system, manipulate it and remotely view the computer screens of its operators. In one case, a test team made pop-up messages appear on the screen used to operate a weapons system, prompting users to insert quarters before continuing. In other cases, the testers discovered that they could copy or delete stores of data.

The results are not surprising to those who follow highly public hacks of commercial products. Objects as varied as video cameras and pacemakers have been hacked, which has led many to assume that anything connected to the Internet is at risk.

Nevertheless, the ease with which the testers were able to access some of the Pentagon's classified weapon systems set off alarms: in one case, those who operated the systems had left default passwords in place, which could be found online. A test team was able to guess an administrator's password in nine seconds.

GAO cautioned that the issues described in the report were likely "a fraction" of the flaws in Defense Department networks, which are too broad to be fully assessed.

While the Pentagon plans to spend about $1.6 trillion to develop new systems, as calculated by the GAO, it has jumped at the opportunity to connect weapons systems. The F-35 Joint Strike Fighter, for example, relies on millions of lines of code to process sensor data and focus on targets. This connectivity has allowed the Pentagon to acquire military capabilities once considered impossible, but it has also created opportunities for hackers.

"Because of this lack of focus on the cybersecurity of weapons systems, the DOD probably has a whole generation of systems designed and built without adequate consideration of cybersecurity," the report's authors wrote. "Addressing cybersecurity at the end of the development cycle or after deploying a system is more difficult and expensive than designing it from the beginning."

This report is the latest in a long list of warnings of this type going back several decades.

The GAO had warned in 1996 that hackers had taken control of entire defense systems and, in 2004, that the Pentagon's focus on connecting systems via the Internet would create new opportunities for hackers.

The report released Tuesday drew attention to a new, more worrying trend. As more and more physical objects are controlled and operated via the Internet, the possibility that hackers could hurt people or sabotage equipment – as opposed to merely stealing information – is likely to increase.

In a letter to the Chairman of the Senate Armed Services Committee, James M. Inhofe (R-Okla.), GAO researchers explained that functions such as activating or deactivating a weapon, maintaining a pilot's oxygen level, guiding a missile toward its target or flying planes can now be vulnerable to manipulation by state-sponsored hackers.

"Cyber attacks can target any subsystem of software-dependent weapons, potentially leading to an inability to carry out military missions or even loss of life," GAO researchers wrote.

So who is at fault, and what should be done next?

The report pointed to instances in which program managers had not corrected the problems identified in previous audits. In one case, only one of the 20 cyber-vulnerabilities identified during a previous assessment had been corrected, a problem that officials attributed to an error by the contractors.

Frank Kendall, a senior defense official responsible for overseeing procurement during the period covered by the GAO report, said the first step was for military agencies to improve fundamentals such as password practices and the removal of fake emails.

He also suggested the need to "accept human imperfection," noting that such mistakes will still exist in large organizations. He said the Pentagon should consider replacing password login credentials with biometric identifiers, which Apple invented with the iPhone's fingerprint login.

"The threat is ubiquitous and dynamic – it will not go away and will never be completely defeated," Kendall recently said in an email. "I hope that with the improved budget environment of the DOD, more resources will be allocated to the resolution of this problem."

Major defense contractors contacted by the Washington Post said they were aware of the cyber security issues raised by the GAO and are working to resolve them.

Todd Probert, vice president of mission support and modernization at Raytheon, said the fact that many weapons systems are vulnerable to cyber attacks should not be a shock. His company is responsible for maintaining the Patriot missile defense system designed to thwart nuclear missile launches, a pre-Internet system that must now be protected from hackers.

"Whether you're talking about your phone or a fighter plane, it's simply impossible for a computerized system to be totally safe from cyber threats," he said. "Instead, we must strive to make our systems resilient enough to repel or fight through attacks."

Raytheon has contracted to update old military aircraft with modern cybersecurity protections, seeking to protect not only computer systems but also connected components such as diagnostic machines, avionics and electronic flight bags – "essentially anything that could introduce a cyber threat".

A spokeswoman for Lockheed Martin said the company has been working for years to consider cybersecurity early in system design, a key issue highlighted in the GAO report. The company has run cyber tabletop exercises designed to simulate how it would react to a hack, much like a fire drill for cybersecurity.

A spokesman for Boeing declined to comment on the report. Northrop Grumman and General Dynamics did not respond to requests for comment.

The findings come as the Pentagon considers whether to give cybersecurity more weight when deciding which weapons to buy, which would place the protection of classified data on the same level as minimizing costs and deadlines and would require a major shift for defense companies.

The three major industry associations serving defense contractors – the Professional Services Council, the National Defense Industrial Association and the Aerospace Industries Association – are due to meet with Pentagon officials on Monday to give their views on the question.

In a telephone interview, NDIA President Hawk Carlisle said that cybersecurity should be a primary consideration for those buying or manufacturing weapons, but that the addition of new cybersecurity requirements could become too expensive for some.

"I do not know if it should be at the same level as the costs, performance and timing, and I do not know either that it must be the first pillar of every system purchased," Carlisle said. "But there are systems where this has to be a primary consideration."
