As weapons become more software dependent and more networked than ever, the United States federal Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. This is due to the computerised nature of weapons and DOD’s late start in prioritising weapon cybersecurity. So says the US Government Accountability Office (GAO) in a report to the US Senate.
According to the report to the Senate Committee on Armed Services, the DOD is just beginning to grapple with the scale of its vulnerabilities; potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems.
Using relatively simple tools and techniques, the GAO says, testers were able to take control of systems and largely operate undetected, due in part to basics such as poor password management and unencrypted communications.
A compromise could include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen (or not), and flying aircraft. An attacker could potentially manipulate data in these systems, prevent components or systems from operating, or cause them to function in undesirable ways, the report warns.
As the DOD admits, many weapon systems rely on commercial and open source software and are subject to any cyber-vulnerabilities; they also use firewalls. According to the report, the DOD struggles to hire and retain cybersecurity personnel, particularly those with weapon systems cyber expertise (which is not the same as general cybersecurity expertise).
The report admits it’s difficult to find the correct balance between protecting information, so that it is not accessible to potential adversaries, and sharing it, so that DOD has an informed workforce.
For the report in full visit https://www.gao.gov/assets/700/694913.pdf.
Ross Rustici, senior director, intelligence services, Cybereason said: “The requirements for the current generation of weapon systems were generally created in the early 90’s. What the GAO report really highlights is the long development cycle of advanced military platforms. The F-35, for example, started as the Joint Strike Fighter project in 1992. This was a year after the Revolution in Military Affairs was proven highly successful in Desert Storm and the US military was exploring the full advantage that highly networked troops give a fighting force. For more perspective, AoL for Windows came out the same year the F-35 program was conceived. The first test flight of the plane was in 2006, a year after the first major foreign intrusion, Titan Rain, was publicly named in US systems.
“So, it comes as no surprise that these weapon systems fall vulnerable to all of the traditional issues that IT from the mid 2000s has. Nevertheless, the DoD must make up ground and figure out how to retrofit these systems to provide better standard protection.”
Edgard Capdevielle, CEO at Nozomi Networks, said: “It’s not entirely surprising that military leaders turned a blind eye to security weaknesses within the Pentagon’s multibillion-dollar weapons systems; however, it does demonstrate the pervasive attitude that overlooks the real dangers of not building cybersecurity in from the beginning. Addressing cybersecurity vulnerabilities after the fact is a monumental task, so it’s unfortunate that the military failed to take action despite continued warnings from the Government Accountability Office.
“The recent report from the government watchdog shows that attackers could have exploited these weaknesses quite easily – and wouldn’t have needed sophisticated tools to do so. This is a reality that we’re seeing more and more of – that attackers nowadays no longer need the resources or skill of a nation-state to pull off a successful attack. The current threat landscape is quickly expanding as attackers with various levels of sophistication are more easily finding the tools and tactics needed to be successful and government organisations need to sit up and take action.”
And Sherban Naum, SVP, Corporate Strategy and Technology at Bromium, said: “The US government has a massive budget for defense spending, yet that isn’t reflected in security provisions implementing trust decisions in real time, a must for weapons systems, communications infrastructure and related supply chain needs. If the government doesn’t make cybersecurity a priority from the offset, this leaves critical architectural vulnerabilities that need to be addressed immediately. If the Government Accountability Office is raising the issue, then nation states and cybercriminals know of them already, leveraging yet to be known net-new vulnerabilities. It’s important the Department of Defense implement layered dynamic defenses at the beginning, building in security protocols and protections as the government systems are being operated, allowing to modulate trust in real time, staying ahead of aggressors and adversaries.
“A vulnerability being exposed at the federal level is so much costlier than at the enterprise level. We can replace credit card records or restore customer loyalty. We can’t undo a rival nation state potentially roaming undetected inside weapons systems because there were insufficient security investments in modular, run-time security. This reflects the core challenge of legacy systems being built with Trust Decisions at Buy Time, rather than a modern approach of Trust at Run Time. Systems were designed, built and operated based on architectural and technical limitation decisions years ago, and as such, trust was decided upon contract award. A modern architecture must reflect the ability to make trust decisions at the time processes are executed, limiting trust to fine grained execution at run time, built upon a dynamic root of trust rather than static. Software defined hardware is not a new concept, yet systems were hard coded with a limited ability to adjust to real time threats. It’s time for the federal government to make cybersecurity a national priority, and ensure it is treated as such during the development of systems outlined in the GAO report.”