A brief look at the news is enough for anyone to realize that cyber attacks are a real threat. Just recently, we’ve seen western governments strongly condemn Russia for hacking attacks. We also saw a couple of reports that claimed that China could backdoor into products using hardware implants — although one of them was strongly refuted. And we shared a story about Google+ suffering from a serious security issue that Google was afraid to tell the public about.
With all that in mind, you’d expect the Pentagon’s newest weapons to be protected by all sorts of complex systems meant to thwart cyber attacks. It turns out that’s not the case.
A brand new report from the Government Accountability Office (GAO), picked up by Reuters and NPR among others, reveals that nearly all of the Pentagon’s new weapons are susceptible to hacks.
In some cases, weapons programs officials dismissed the potential attacks, calling the tests unrealistic. In other instances, they acknowledge that the flaws were known, but only partially repaired.
From the report, emphasis ours:
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
Here’s another account:
One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
And one final account:
One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.
The report also details one instance where, out of 20 vulnerabilities discovered, just one had been addressed. Officials said they had identified a solution, but for some reason it wasn’t implemented, blaming the contractor. What’s even more troubling, the GAO says, is that most of the weapons in development have major vulnerabilities, and the DOD “likely does not know the full extent of the problems.”
One reason why the Pentagon seems not to be prepared to deal with cyber attacks is the lack of personnel. Skilled hackers may be more attracted to cyber-security gigs in the private sector.