Many U.S. Weapons Systems Are Vulnerable to Cyberattack

Government watchdog says the Pentagon has not taken the threat seriously enough.

The Pentagon is seen from the air over Washington, D.C., on Aug. 25, 2013. (Saul Loeb/AFP/Getty Images)

An entire generation of U.S. weapons systems is likely vulnerable to cyberattacks, and defense officials in the United States are only beginning to grapple with the massive scope of the problem, according to a U.S. government watchdog.

The U.S. Government Accountability Office (GAO), which conducted a yearlong study on the issue, wrote in a report released Tuesday that Defense Department testers “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”

The report said defense officials were often sanguine about the problems, believing their systems were secure and discounting some test results as “unrealistic.”

The report did not reveal which weapons systems investigators examined, citing security concerns.

GAO investigators examined the findings of Pentagon cybersecurity assessments over a five-year period, from 2012 to 2017. The testers were tasked with trying to find vulnerabilities, in part by hacking into the weapons systems.

In some cases, they were able to gain complete control of systems using simple techniques. The report describes one instance in which testers guessed an administrator password in nine seconds. In other cases, they shut down a system simply by scanning it—a typical first step in trying to carry out a digital attack.

The testers managed in some systems to manipulate what the soldiers operating the weapon were seeing on their computer screens. In another case described in the report, weapons testers “caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

Defense and intelligence officials have for years warned about the potentially catastrophic effects such digital manipulation could have in the event of war. An attacker with such access to U.S. military systems could conceivably alter what U.S. sailors aboard a warship are seeing on their radar screens. They could manipulate computer systems to cause navigational errors or make enemy ships disappear from sensors.

Only sophisticated adversaries—chiefly China—are thought to have the potential ability to penetrate U.S. systems so thoroughly. But the GAO report describes such an astounding variety and depth of computer vulnerabilities that such scenarios may not be so unusual.

Still, these tests have left the Pentagon with only a limited understanding of the problem. According to the report, the Defense Department “does not know the full extent of its weapon systems cyber vulnerabilities due to limitations on tests that have been conducted.”

Independent analysts have long warned that these vulnerabilities could affect U.S. nuclear weapons systems with catastrophic effects.

“This report drives home again the urgent need to take steps to ensure nuclear weapons command and control in the face of a cyber-broadside that could disrupt or derange its operation,” said Bruce Blair, a former nuclear launch officer and a research scholar at Princeton University.

“It is irrational to operate systems on hair-trigger alert if they cannot be certified to be bug-free.”

Pentagon officials are increasingly taking into account cybersecurity vulnerabilities when testing and buying weapons systems, but the GAO report found that these reforms probably won’t have immediate impact.

According to the GAO, the Pentagon “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”

Addressing these vulnerabilities would likely require a massive investment that current Pentagon budgets don’t take into account.

The GAO noted that focusing on the newer systems at the expense of the older ones would not address the problem. If the Pentagon “is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk,” the report noted.

The report also found that the Pentagon is struggling to find technically qualified employees to work on the issue. It said information sharing across agencies remains a problem that is holding back efforts to identify and patch vulnerabilities.

Maj. Audricia Harris, a Pentagon spokeswoman, said in a statement that the Defense Department “stands ready” to “preserve peace through strength by identifying, countering, disrupting, degrading, and deterring behavior in cyberspace that is destabilizing and contrary to national interests.”

“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense industrial base and defense critical infrastructure partners to secure critical information,” she said. 

 Twitter: @EliasGroll
