The Government Accountability Office released a new report on Tuesday that shows worrying cybersecurity flaws in U.S. weapons systems. Worse, the GAO report found that the Department of Defense knew about the vulnerabilities but didn’t take them seriously, leaving even systems still under development open to attack. That puts Americans at risk and is unacceptable.
Key passages of the report highlight the seriousness and scope of the problem.
For five years, until 2017, in-house DoD teams “routinely founds mission critical cyber vulnerabilities in nearly all weapons systems that were under development.” The tests used to assess security weren’t that complicated, but still found that key military systems could be taken control of by someone not authorized and operated largely undetected.
Other systems, according to the report, shut down when scanned for vulnerabilities. In one case, as part of a security evaluation, hackers were able to simulate a denial-of-service attack that temporarily disabled a weapons system, forcing it to reboot. In that case, the attack itself went unnoticed “because unexplained crashes were normal for the system.”
The danger of this is highlighted in another passage: “Due to this lack of focus on weapon systems cybersecurity, DoD likely has an entire generation of systems that were distinguished and built without adequately considering cybersecurity.”
These vulnerabilities extend far beyond the IT networks used by other government agencies that are also vulnerable to cyberattacks and includes weapons systems themselves. As the report explains, successful cyberattacks could “limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.”
Some of those vulnerabilities include systems that regulate oxygen levels for pilots or intercept incoming missiles. In short, there is good reason to be worried that this failure to take cybersecurity seriously could have devastating consequences.
It’s also important to note that these vulnerabilities don’t exist in a vacuum. Our adversaries, including Iran, North Korea, and Russia, have all demonstrated a willingness to exploit cyber vulnerabilities. That state-funded actors would seek to compromise military installations is not only likely but certain.
The federal government must start taking cybersecurity seriously. Although silent Internet attacks don’t draw the same type of fear that bombs and missiles do, they have the potential to cause catastrophic damage. That DoD and other government agencies have failed to take these threats seriously and take appropriate action is unacceptable.
The U.S. must also do a comprehensive review not only of systems currently under development but also the older systems that they might be connected to. New, more secure technology can still be vulnerable if it relies on or is connected to older, less protected systems.
Additionally, cybersecurity and the real threat of cyberattacks must be considered in the same way that missile launches or other physical threats are. Lacking adequate protection, any traditional defensive or offensive technology could well be rendered useless.
Finally, cybersecurity and the supply chain security that goes along with it, must be considered from the get-go when building new military systems. rather than retrofitting systems that were built without such things in mind.