Last week, the U.S. Government Accountability Office (GAO) released yet another report on the state of the U.S. Department of Defense’s cybersecurity. The GAO’s conclusions can be summed up in two words: unsurprisingly abysmal. The report states, “Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.”
In addition, the report asserts that the Defense Department “does not know the full extent of its weapon systems cyber vulnerabilities due to limitations on tests that have been conducted.” It pretty much goes downhill from there.
This latest report is just one of many from the GAO, other government groups, and research organizations that have been sounding the alarm since the early 1990s about the Defense Department’s woefully inadequate approach to cybersecurity across the board, and with regard to its weapon systems in particular. After each stinging report, the DoD promises to improve tomorrow. Yet, tomorrow never seems to arrive. This failure to act might help explain why its major weapon systems are accessed by foreign powers—at least 29 at last count (allegedly) by China alone.
The GAO, which has made hundreds of recommendations on how the Defense Department could improve its cybersecurity over the years, has apparently decided to take a different tack. Instead of new suggestions, it is laser focused on documenting the (in)adequacy of the Department’s cybersecurity, starting with its weapon systems. The GAO perhaps is thinking that the only way the department will ever truly change its behavior is for its lackluster cybersecurity to become the object of a public shaming campaign. Reason and successful cyberattacks haven’t proven sufficiently motivational.
Generating incredulity is not difficult to do. The GAO report documents a consistently ignorant as well as arrogant attitude when it comes to the Pentagon’s approach to weapon systems’ cybersecurity. For instance, the report states, “Cybersecurity test reports that we reviewed showed that test teams were able to gain unauthorized access and take full or partial control of these weapon systems in a short amount of time using relatively simple tools and techniques.”
Yet, many weapon system program managers the GAO met with “indicated that their systems were secure, including some with programs that had not had a cybersecurity assessment…. Program officials cited the security controls they applied as the basis for their belief that their systems were secure. For example, officials from a DOD agency we met with expressed confidence in the cybersecurity of their systems, but could not point to test results to support their beliefs. Instead, they identified a list of security controls they had implemented.”
How confident should those agency officials be in their “tick in the box” cybersecurity compliance? Not much, if the results of other weapon systems cybersecurity tests are any indication. During testing of one system, the GAO report noted, the testers were able to operate for weeks without being detected, even though the test team was deliberately “noisy” and not trying to disguise its activities.
In another test, a denial of service attack was initiated by the test team by rebooting the system, taking the system down for a short time. However, the system operators “reported that they did not suspect a cyberattack because unexplained crashes were normal for the system.”
And in a third incident, the system cybersecurity controls indeed discovered the intrusion and flagged it to the operators, but the warning was ignored because, the operators stated, the security controls always indicated “red.”
While the report documents several other incidents, I think the more interesting aspect of the report is why the Defense Department got to this point where, the GAO says, it is “just beginning to grapple” with the scale of its weapon systems’ cybersecurity vulnerabilities. One reason the GAO highlighted is that the Defense Department has spent most of its time focused on trying to secure its networks. It is a huge embarrassment to have teenagers penetrating your computers repeatedly; public and political embarrassment is decidedly motivational.
Simply put, weapon-system cybersecurity was not a Defense Department priority, despite the decades of admonitions it had received. Until recently, the GAO says, the Defense Department did not view cyber survivability of its weapon systems as a key performance indicator by which to measure program success.
As a result, “because cybersecurity key performance parameters were not required, Joint [Defense] Staff officials and some program officials said that many current weapon systems had no high-level cybersecurity requirements when they began, which in turn limited emphasis on cybersecurity during weapon system design, development, and oversight.”
Not making cybersecurity a key parameter also meant that it wasn’t a high priority in the department’s weapon testing program, either. The omission also served to reinforce the idea within weapon system program offices their systems were seen as being secure. Cybersecurity was an afterthought, if it was thought about at all.
Another issue that no one likes to talk about is cost. The Pentagon is always trying to lower the cost of its weapon systems acquisitions. With cost cutting in mind, it decided years ago to move to commercial off-the-shelf and later [PDF] open systems software in its defense programs. But it didn’t always fully understand [PDF] the repercussions, not only in terms of sustaining these systems, but securing them. Patching cybersecurity weaknesses in legacy weapon and support systems is a rapidly rising cost burden that is increasingly worrying senior defense officials.
The GAO report says, “Numerous officials we met with said that this failure to address weapon systems cybersecurity sooner will have long-lasting effects on the department. Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”
Consequently, “Not only is the security of those systems and their missions at risk, the older systems may put newer systems in jeopardy. Specifically, if DoD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk. Even if they are not connected, if the newer systems depend on the older systems to help fulfill their missions, those missions may be at risk.”
It is important to keep in mind that the GAO report did not “look in depth at related issues in the context of weapon systems, such as the security of contractor facilities, so-called ‘Internet of Things’ devices, microelectronics, contracting, and industrial control systems.” Further, what it presented was deliberately veiled, high-level, and unclassified information; the detailed, classified information regarding what it found undoubtedly paints an even uglier picture.
The only bright spot the GAO found is that current Defense Department officials do seem to understand that DoD’s approach to weapon systems cybersecurity has to radically improve. However, these officials also candidly admitted to the GAO that “it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity.”
Let’s hope that the cybersecurity of future autonomous weapon systems aren’t the subject of those missteps.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.