Weapon systems being developed by the US Department of Defence (DoD) have been found to contain major cyber-security vulnerabilities.
This is according to a new report from the US Government Accountability Office (GAO) which has done a review of the systems ahead of a $1.66 trillion spending spree by the DoD into its advanced weapons systems.
GAO states in their report that: “From 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected.”
Worryingly it also reported that DoD officials were unaware in some cases about the full extent of its weapon systems vulnerabilities and that tests were “limited in scope and sophistication.”
Red Team Testing
When red teams were given a crack at breaking into the advanced weapon systems being developed by the DoD they discovered several ways to penetrate them.
“In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.”
Another test team discovered that it could emulated a denial of service attack by rebooting the systems, which result in the system not being able to carry out its stated mission for a period of time. When viewing the incident: “41 Operators reported that they did not suspect a cyber attack because unexplained crashes were normal for the system.”
The potential damage that could be done by compromising these systems is extensive. Examples of functions enabled by software and potentially susceptible to compromise include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen levels and flying aircraft.
Concerns over how robust the cyber-security is within the weapon systems of the US DoD is not a new issue and GAO have noted that: “We and others have warned of these risks for decades.”
Yet it seems cyber-security has not been a top priority for officials running these weapon development programs and that historically they have focused on the cyber-security of its networks and not the weapon systems themselves.
Advanced Weapon Systems
Unfortunately the GAO has reported that the DoD is only in the early stages of: “Trying to understand how to apply cybersecurity to weapon systems,” and that “several DoD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity.”
Sherban Naum SVP of Corporate Strategy and Technology at Bromium commented in an emailed statement to Computer Business Review that: “If the Government Accountability Office is raising the issue, then nation states and cybercriminals know of them already, leveraging yet to be known net-new vulnerabilities.”
“A vulnerability being exposed at the federal level is so much costlier than at the enterprise level. We can replace credit card records or restore customer loyalty. We can’t undo a rival nation state potentially roaming undetected inside weapons systems.”
“This reflects the core challenge of legacy systems being built with Trust Decisions at Buy Time, rather than a modern approach of Trust at Run Time. Systems were designed, built and operated based on architectural and technical limitation decisions years ago, and as such, trust was decided upon contract award.”