In the report, released earlier this week, the GAO determined that, "The Department of Defence faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. This state is due to the computerised nature of weapon systems; DoD's late start in prioritising weapon systems' cyber security; and DoD's nascent understanding of how to develop more secure weapon systems."
The report continues, "Automation and connectivity are fundamental enablers of DoD's modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritise weapon systems' cyber security. Finally, DoD is still determining how best to address weapon systems' cyber security.
"In operational testing, DoD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats."
It makes the rather surprising observation that, "multiple factors make weapon systems' cyber security increasingly difficult, but DoD is just beginning to grapple with the challenge".
Further, "DoD systems are also more connected than ever before, which can introduce vulnerabilities and make systems more difficult to defend. According to the DSB [Defense Science Board], nearly every conceivable component in DoD is networked.
"Furthermore, some weapon systems may not connect directly to a network, but connect to other systems, such as electrical systems, that may connect directly to the public Internet."
Security-conscious organisations within the US government have been warning DoD since the early 1990s that these issues exist, but cyber security has remained a low priority within DoD. Defence started to take cyber security somewhat seriously from about 2014, but broadly, only to the extent of protecting back-office environments (such as accounting services).
"Due to this lack of focus on weapon systems' cyber security, DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity," the report said.
"Bolting on cyber security late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning.
"Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy. Specifically, if DoD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Furthermore, even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk."
The report also points out that many weapons systems — including combat aircraft — make extensive use of industrial control systems "to monitor and control equipment, and like computers, they include software. Many weapon systems use such systems to carry out essential functions. For example, a ship may use industrial control systems to control engines and fire suppression systems.
"According to NIST, industrial control systems were originally designed for use in trusted environments, so many did not incorporate security controls. Government and industry reports state that attacks on these systems are increasing. However, DoD officials said that program offices may not know which industrial control systems are embedded in their weapons or what the security implications of using them are."
It gets worse. "We found that from 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks. Furthermore, DoD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication."
Presumably, this would include such platforms as the F-35, THAAD [Theatre High Altitude Area Defence, an anti-ballistic missile defence system] and other "big ticket" items.
"Cyber security test reports that we reviewed showed that test teams were able to gain unauthorised access and take full or partial control of these weapon systems in a short amount of time using relatively simple tools and techniques. We saw widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover," the report said.
"Test teams were able to defeat weapon systems' cyber security controls meant to keep adversaries from gaining unauthorised access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.
"Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating.
"The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.
"Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls."
The report describes many incidents where testing teams were able to enjoy access undetected by operations staff. Many times they were deliberately "noisy" but still remained unobserved. Most test activities did appear in system logs, but went unnoticed by staff who were untrained in accessing and reviewing those logs.
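The two findings above, that an administrator password was guessed in seconds and that default vendor passwords were left in place, are exactly the kind of evidence that sits in authentication logs nobody reads. The following is an added example, not code from the GAO report or the article: a small detector run over constructed, syslog-like login records. It flags a burst of failed logins followed by a success (password guessing) and any successful login to an account that a configuration audit has recorded as still using its vendor default. The log format, host and account names, the default-credential inventory and the thresholds are all assumptions made for the illustration.

```python
"""Added example (not part of the GAO report or the article): detect, in
authentication logs, the two weaknesses the quoted test reports describe.
Log format, hosts, users, thresholds and the default-credential inventory
are constructed assumptions for illustration only."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value syslog-like layout is assumed.
SAMPLE_LOG = """\
2018-10-09T10:00:00 host=ctrl-01 user=admin result=FAIL src=10.0.0.5
2018-10-09T10:00:01 host=ctrl-01 user=admin result=FAIL src=10.0.0.5
2018-10-09T10:00:02 host=ctrl-01 user=admin result=FAIL src=10.0.0.5
2018-10-09T10:00:04 host=ctrl-01 user=admin result=FAIL src=10.0.0.5
2018-10-09T10:00:06 host=ctrl-01 user=admin result=FAIL src=10.0.0.5
2018-10-09T10:00:09 host=ctrl-01 user=admin result=OK src=10.0.0.5
2018-10-09T11:30:00 host=hmi-02 user=operator result=OK src=10.0.0.7
2018-10-09T12:00:00 host=hmi-02 user=root result=OK src=10.0.0.5
2018-10-09T13:00:00 host=ctrl-01 user=operator result=FAIL src=10.0.0.7
"""

# Constructed inventory from a hypothetical configuration audit: accounts on
# each host that still carry the vendor-supplied default password.
DEFAULT_CREDENTIAL_ACCOUNTS = {
    "hmi-02": {"root"},
}

FAIL_THRESHOLD = 5            # failures within WINDOW that count as guessing
WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(log_text):
    """Return a list of (kind, host, user, src) alerts found in the log text.

    kinds:
      guessing_burst           FAIL_THRESHOLD failures inside WINDOW
      guessing_success         a success immediately after such a burst
      default_credential_login a success on an account still on its default
    """
    alerts = []
    # Sliding window of recent failure timestamps per (host, user, src).
    recent_failures = defaultdict(deque)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["host"], rec["user"], rec["src"])
        window = recent_failures[key]
        # Discard failures that have aged out of the window.
        while window and rec["ts"] - window[0] > WINDOW:
            window.popleft()
        if rec["result"] == "FAIL":
            window.append(rec["ts"])
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("guessing_burst",) + key)
        else:
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("guessing_success",) + key)
            window.clear()
            if rec["user"] in DEFAULT_CREDENTIAL_ACCOUNTS.get(rec["host"], ()):
                alerts.append(("default_credential_login",) + key)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, the detector reports a guessing burst and a subsequent success for `admin` on `ctrl-01` from `10.0.0.5`, and a default-credential login for `root` on `hmi-02`. The point is not the thresholds, which any real deployment would tune, but that the same records the test teams left behind are enough to raise an alert when someone is tasked with looking at them.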
It also pointed to a problem which has been described many times before. "Test officials said that once their staff members have gained experience in DoD, they tend to leave for the private sector, where they can command much higher salaries. According to a 2014 RAND study [document referenced in the original], personnel at the high end of the capability scale, who are able to detect the presence of advanced threats, or find the hidden vulnerabilities in software and systems, can be compensated above US$200,000 to US$250,000 a year, which greatly exceeds DoD's pay scale."
The report concludes with an observation that most incidents and vulnerabilities are classified in such a way as to compartmentalise the knowledge (a "need to know" basis), thus making it difficult for people working on a system to be informed about relevant issues exposed on a different project.