Today's Hard|Forum Post
Today's Hard|Forum Post

Tuesday October 09, 2018

Cybersecurity Vulnerabilites in Weapon Systems Blemish the Department of Defense

A study by the U.S. Government Accountability Office (GAO) has shown how vulnerable U.S. weapon systems under the control of the Department of Defense (DOD) have become. This is due to the weapon systems becoming more networked and software dependent and the DoD is still in the early stages of placing an emphasis on learning about weapon cybersecurity. The DoD has typically concentrated efforts to keep its network secure, but not the actual weapon systems.

The GAO found mission-critical systems that had various vulnerabilities, but program officials brushed the threats off as unrealistic as they were adamant that their systems were secure. Passwords that took only 9 seconds to guess and unencrypted communications allowed testers to commandeer weapons systems undetected. One test team reported that "they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating." Test teams reportedly looked up the default password for open-source software on the internet to take control of weapons systems. The GAO report didn't even consider related issues such as Internet of Things, contractor facilities, microelectronics, contracting, and industrial control systems. The 50 page document is quite interesting to read.

News Image

Further complicating matters, weapon systems are dependent on external systems, such as positioning and navigation systems and command and control systems in order to carry out their missions--and their missions can be compromised by attacks on those other systems. A successful attack on one of the systems the weapon depends on can potentially limit the weapon's effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life. Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.

Discussion