WASHINGTON — Cybersecurity tests conducted on Pentagon weapons systems “were able to take control of systems and largely operate undetected” because of elementary security weaknesses and openings, the General Accounting Office said Tuesday.
Adding to the threat — Pentagon officials thought all was fine, the GAO said.
“DOD’s (Department of Defense) weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks,” the GAO said. “Yet until relatively recently, DOD did not make weapon cybersecurity a priority.”
The GAO said that “testers playing the role of the adversary were able to take control of systems relatively easily and operate largely undetected.”
The 50-page report was the result of a request from the Senate Armed Services Committee, whose members have expressed concerns about how well weapons systems are safeguarded against cyber attack.
Pentagon officials had no immediate response to the report.
The GAO said the Pentagon “does not know the full scale of its weapon system vulnerabilities.” Some GAO teams were able to guess an administrative password in nine seconds, including using the default password for some systems that was never changed when open source software was installed, the report said.
“Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls,” the report said.
The GAO said that “in operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”
The tests showed weaknesses in the four security objectives routinely run for cybersecurity tests: protect, detect, respond, and recover, the GAO said.
“Automation and connectivity are fundamental enablers of DOD’s modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity,” the GAO said. “Finally, DOD is still determining how best to address weapon systems cybersecurity.”
The GAO said it was asked to do the study because the Pentagon plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems and “potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems.” Better cybersecurity is needed to ward off such attacks, the GAO said.