A government watchdog has said the Department of Defense has not done enough to protect critical weapons systems from cyberattacks.
The new report out of the Government Accountability Office on Tuesday said that the Pentagon has “not made weapon cybersecurity a priority,” and, although there have been some improvements over the years, the department’s “nascent understanding” of how to secure weapons systems has left officials scrambling on “how best to address weapon systems cybersecurity.”
The GAO was asked to review the Pentagon’s weapons systems cybersecurity and found a litany of vulnerabilities — which it didn’t disclose in detail as the contents were classified — but that the department “likely does not know the full extent of the problems.”
“A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life,” the report said.
According to its findings, the watchdog’s testers used relatively simple tools and techniques to take control of systems and operate almost undetected — because of poor password management and unencrypted communications.
“They could see, in real-time, what the operators were seeing on their screens and could manipulate the system,” the report read, and observe how operators responded to requests.
“Another test team reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating,” it added.
In one case, testers were able to download more than 100 gigabytes of data from severs without detection.
“Here’s my password.” (Photo credit: EMMANUEL DUNAND/AFP/Getty Images)
Many of these flaws were exploited because the systems were running commercial or open-source software that operators “did not change the default password when the software was installed,” which “allowed test teams to look up the password on the Internet and gain administrator privileges for that software.”
Another security weakness documented by testers included a failure to patch software, even when known exploits had been developed and released online.
But that’s just the basic-level issues that the GAO reported as part of its limited tests to show that even the low-level skilled hackers could do damage — not accounting for the many more skilled attackers that may work for foreign adversaries or nation-state-backed groups.
In the past four years, the Pentagon has issued more than a dozen department-wide memos and policies to improve cybersecurity across the board. The GAO said it is “essential” that the department continues to develop and implement new cybersecurity initiatives.
A spokesperson for the Pentagon did not immediately respond to a request for comment.