So just how secure are the United States’ sophisticated weapons systems from cyber threats? According to the U.S. Government Accountability Office (GAO), the answer may be “not very.”
In a widely covered assessment released on 9 Oct, the GAO reported that in operational testing, the Department of Defense (DoD) routinely found mission-critical cyber vulnerabilities in systems that were under development. Using relatively simple tools and techniques, testers posing as adversaries were able to take control of systems and largely operate undetected, due in part to basic issues, such as poor password management and unencrypted communications.
GAO also warned that DoD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, these tests were limited in scope and sophistication.
Advanced weapon systems increasingly rely on embedded software, automation and connectivity, with all important components networked into information systems to perform their mission-critical functions, which by definition makes them more vulnerable to cyber intrusions than less “connected” systems. What the GAO found, however, was that cybersecurity has not been an acquisition priority, and that the program officials they met with believed their systems were secure and were quick to discount some test results as unrealistic.
According to the GAO, DoD is just beginning to grapple with the scale of vulnerabilities it faces, but has recently taken several steps to improve the cybersecurity of weapon systems, including issuing revised policies and guidance that better incorporate cybersecurity considerations. Congress has also funded DoD initiatives to better understand and address critical cyber vulnerabilities. The effectiveness of these steps has been limited, however, by DoD’s cyber workforce challenges and difficulties experienced in sharing information and lessons learned about vulnerabilities once they are discovered.
For more information, you can read the GAO report on Weapons Systems Cybersecurity (GAO-19-128) at: https://www.gao.gov/assets/700/694913.pdf