Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office.
The flaws are highlighted in a new GAO report, which found the Pentagon is "just beginning to grapple" with the scale of vulnerabilities in its weapons systems.
Drawing data from cybersecurity tests conducted on Department of Defense weapons systems from 2012 to 2017, the report says that by using "relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected" because of basic security vulnerabilities.
The GAO says the problems were widespread: "DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development."
When weapons program officials were asked about the weaknesses, the GAO says, they "believed their systems were secure and discounted some test results as unrealistic."
The agency says the report stems from a request from the Senate Armed Services Committee, asking it to review the Pentagon's efforts to secure its weapons systems. The GAO did so by going over data from the Pentagon's own security tests of weapon systems that are under development. It also interviewed officials in charge of cybersecurity, analyzing how the systems are protected and how they respond to attacks.
The stakes are high. As the GAO notes, "DOD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems." That outlay also comes as the military has increased its use of computerized systems, automation and connectivity.
Despite the steadily growing importance of computers and networks, the GAO says, the Pentagon has only recently made it a priority to ensure the cybersecurity of its weapons systems. It's still determining how to achieve that goal — and at this point, the report states, "DOD does not know the full scale of its weapon system vulnerabilities."
Part of the reason for the ongoing uncertainty, the GAO says, is that the Defense Department's hacking and cyber tests have been "limited in scope and sophistication." While they posed as hackers, for instance, the testers did not have free rein to attack contractors' systems, nor did they have the time to spend months or years to focus on extracting data and gaining control over networks.
Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."
From the GAO:
"One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls."
In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.
"One test had to be stopped due to safety concerns after the test team scanned the system," the GAO says. "This is a basic technique that most attackers would use and requires little knowledge or expertise."
When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.
One issue facing the Pentagon, the GAO says, is the loss of key personnel who are lured by lucrative offers to work in the private sector after they've gained cybersecurity experience.
The most capable workers – experts who can find vulnerabilities and detect advanced threats – can earn "above $200,000 to $250,000 a year" in the private sector, the GAO reports, citing a Rand study from 2014. That kind of salary, the agency adds, "greatly exceeds DOD's pay scale."
In a recent hearing on the U.S. military's cyber readiness held by the Senate Armed Services Committee, officials acknowledged intense competition for engineers.
"The department does face some cyberworkforce challenges," said Essye B. Miller, the acting principal deputy and Department of Defense chief information officer. She added, "DOD has seen over 4,000 civilian cyber-related personnel losses across our enterprise each year that we seek to replace due to normal job turnover."