
GAO report slams Department of Defense cybersecurity practices

Securing the upcoming election against cyberattack or influence is rightfully garnering a great deal of attention, but a recent General Accounting Office (GAO) report indicates the United States is doing a poor job building weapon systems resistant to cyberattack.

The report noted that the very aspects that make some of the nation’s most dangerous weapons so effective also open them up to attack by a cyber-savvy adversary. These weaknesses include being automated and connected, features that allow warships and advanced fighter planes to absorb and transmit huge amounts of data, which greatly multiplies their effectiveness in combat.

“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” the report stated.

In fact, the GAO found almost all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

US Navy
The massive complexity of weapon systems and their sometimes remote location make patching difficult for operators.

“If the Government Accountability Office is raising the issue, then nation states and cybercriminals know of them already, leveraging yet to be known net-new vulnerabilities. It’s important the Department of Defense implement layered dynamic defenses at the beginning, building in security protocols and protections as the government systems are being operated, allowing to modulate trust in real time, staying ahead of aggressors and adversaries,” said Sherban Naum, Bromium’s senior vice president for corporate strategy and technology.

The GAO was able to use what it described as relatively simple tools and techniques, such as taking advantage of poor password management and unencrypted communications, to completely take over some systems with persistence. These shortfalls were blamed on the DOD's late start in prioritizing weapon systems cybersecurity and its nascent understanding of how to develop more secure weapon systems.

What was particularly concerning, the GAO said, is that it only tested a small fraction of operational weapons along with those still under development.

The tests were conducted in response to a request from the ranking members of the Senate Committee on Armed Services.

The GAO report exhaustively detailed the problems the service branches have in securing their equipment both digitally and physically from a cyberattack. Almost every weapon system has some level of computer control, and warplanes, ships, missiles and armored vehicles can receive and transmit huge amounts of data and also have a multitude of maintenance ports that could give an attacker direct access to a target.

“According to the DSB (Defense Science Board), nearly every conceivable component in DOD is networked. Weapon systems connect to DOD’s extensive set of networks—called the DOD Information Network—and sometimes to external networks, such as those of defense contractors,” the report said.

The report noted the DoD has been warned many times over the last 20 years that it needed to harden its systems and weapons against cyberattacks, but despite this heads-up, cybersecurity has not been a focus during weapons acquisition.

However, the GAO did say the DoD is trying to change its ways, but this is a slow process.

The problem is dizzying in its complexity. The report noted that many weapon systems cannot use traditional IT methods for cybersecurity, which in many cases are not compatible. 

“Officials from one program we met with said they are supposed to apply patches within 21 days of when they are released, but fully testing a patch can take months due to the complexity of the system. Even when patches have been tested, applying the patches may take additional time,” the report said.

Complicating the problem, these weapons are spread all over the world, with some in hostile regions, which means they can only be updated when returned to a safe location. This means it could be months if not years between periods when an update can be installed.

Then there was the large number of poor cyber practices found in use by the military, which in all fairness are similar to those in the civilian world. These included simple, easy-to-guess passwords or not resetting default passwords. Other faults found were previously discovered vulnerabilities not being fixed.

“This isn’t just scary, it’s a microcosm of a broader privileged access security issue that the Federal government needs to address.

Some of these issues can be fixed by hiring, training and retaining troopers with weapon system cybersecurity expertise, although program officials interviewed for this report stated that this was one of the most difficult challenges for them to overcome. The dearth of similarly trained people in the civilian world causes part of this problem because once a service member is trained to a high standard, they tend to leave the military to take a good-paying job in the private sector.

Pravin Kothari, CEO of CipherCloud, took a glass-half-full approach to analyzing the report. While admitting the cyber vulnerabilities are a challenge for everyone, he wanted to throttle back any panic the report might incite.

He pointed out that many weapon systems are air-gapped and not visible to normal networks, making direct access difficult, and that specialized weapons systems do not use a standard TCP/IP protocol, but instead may use proprietary, highly specialized network communications protocols and encryption techniques.

Finally, there is the last line of defense that can be found at every military installation: a trained soldier, sailor, Marine or airman with a rifle.

“If you do try to get in close proximity to a classified weapons system it won’t be more than a few seconds before a highly motivated marine interrupts your activities,” Kothari said.
