Many U.S. Weapons Systems Are Vulnerable to Cyberattack

An entire generation of U.S. weapons systems are likely vulnerable to cyberattacks, and defense officials in the United States are only beginning to grapple with the massive scope of the problem, according to a U.S. government watchdog.

The U.S. Government Accountability Office (GAO), which conducted a yearlong study on the issue, wrote in a report released Tuesday that Defense Department testers “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”

The report said defense officials were often sanguine about the problems, believing their systems were secure and discounting some test results as “unrealistic.”

The report did not reveal which weapons systems investigators examined, citing security concerns.

GAO investigators examined the findings of Pentagon cybersecurity assessments over a five-year period, from 2012 to 2017. The testers were tasked with trying to find vulnerabilities, in part by hacking into the weapons systems.

In some cases, they were able to gain complete control of systems using simple techniques. The report describes one instance in which testers guessed an administrator password in nine seconds. In other cases, they shut down a system simply by scanning it—a typical first step in trying to carry out a digital attack.

The testers managed in some systems to manipulate what the soldiers operating the weapon were seeing on their computer screens. In another case described in the report, weapons testers “caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

Defense and intelligence officials have for years warned about the potentially catastrophic effects such digital manipulation could have in the event of war. An attacker with such access to U.S. military systems could conceivably alter what U.S. sailors aboard a warship are seeing on their radar screens. They could manipulate computer systems to cause navigational errors or make enemy ships disappear from sensors.

Only sophisticated adversaries—chiefly China—are thought to have the potential ability to penetrate U.S. systems so thoroughly. But the GAO report describes such an astounding variety and depth of computer vulnerabilities that such scenarios may not be so unusual.

Still, these tests have left the Pentagon with only a limited understanding of the problem. According to the report, the Defense Department “does not know the full extent of its weapon systems cyber vulnerabilities due to limitations on tests that have been conducted.”

Independent analysts have long warned that these vulnerabilities could affect U.S. nuclear weapons systems with catastrophic effects.

“This report drives home again the urgent need to take steps to ensure nuclear weapons command and control in the face of a cyber-broadside that could disrupt or derange its operation,” said Bruce Blair, a former nuclear launch officer and a research scholar at Princeton University.

“It is irrational to operate systems on hair-trigger alert if they cannot be certified to be bug-free.”

Pentagon officials are increasingly taking into account cybersecurity vulnerabilities when testing and buying weapons systems, but the GAO report found that these reforms probably won’t have immediate impact.

According to the GAO, the Pentagon “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”

Addressing these vulnerabilities would likely require a massive investment that current Pentagon budgets don’t take into account.

The GAO noted that focusing on the newer systems at the expense of the older ones would not address the problem. If the Pentagon “is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk,” the report noted.

The report also found that the Pentagon is struggling to find technically qualified employees to work on the issue. It said information sharing across agencies remains a problem that is holding back efforts to identify and patch vulnerabilities.

Maj. Audricia Harris, a Pentagon spokeswoman, said in a statement that the Defense Department “stands ready” to “preserve peace through strength by identifying, countering, disrupting, degrading, and deterring behavior in cyberspace that is destabilizing and contrary to national interests.”

“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense industrial base and defense critical infrastructure partners to secure critical information,” she said.