The U.S. Government Accountability Office (GAO) published a report on Tuesday highlighting the vulnerabilities in the Department of Defense’s (DOD) major computerized weapons systems.
The agency revealed that data from cybersecurity tests conducted on the weapons systems between 2012 and 2017 showed that by using “relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected” because of security vulnerabilities.
“DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development,” the GAO report said.
The vulnerabilities were linked to multiple culprits, but the top two factors were unencrypted communications and poor password management. In some cases, testers were able to gain access because the systems were running commercial or open-source software where the operators “did not change the default password when the software was installed.”
Widespread security issues
The agency said it hasn’t yet been able to get a clear idea of the scale of vulnerabilities affecting its weapon systems based on the analysis.
“For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders,” the report said. “Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals.”
The GAO said the problem is rooted in the fact that the DOD has never made security a priority for its weapon systems and hasn’t taken all the measures necessary to secure them.
“Testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected,” the GAO said in a statement. “DOD’s weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks.”