The Department of Defense’s (DOD) weapon systems feature cyber vulnerabilities that leave them susceptible to attack, according to a new government report released Tuesday.
The Government Accountability Office (GAO) found in its audit of the Defense Department’s weapon systems that test teams were easily able to bypass measures meant to keep hackers out, and that in some instances just scanning for the vulnerabilities was enough to shut down the systems altogether.
The report also found that some agencies in the department were aware of some of the cyber vulnerabilities, but did not take steps to resolve them.
It was also determined that DOD not know the extent of the cyber vulnerabilities, as some of the tests on the systems were limited or cut off early.
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states.
Some defense officials told GAO investigators that they believed their systems were secure from cyber attacks. And others questioned the accuracy of the tests claiming there were attacks that could realistically be launched on their programs.
“For example, officials from a DOD agency we met with expressed confidence in the cybersecurity of their systems, but could not point to test results to support their beliefs. Instead, they identified a list of security controls they had implemented,” the report states. “However, security controls must be properly designed and implemented in order to be effective. As we noted earlier, test teams routinely found and defeated poorly implemented security controls.”
The report noted that the department had taken steps to improve cybersecurity for the weapons systems, and that it will continue to test for the vulnerabilities. Still, officials told the GAO that the initial lack of action on the topic “will have long-lasting effects on the department.”
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report states.
GAO said in the report that it was not making any recommendations at the time, but that it would continue to evaluate DOD’s weapon systems.
The report comes shortly after DOD unveiled a more proactive cyber strategy last month, saying that it would "defend forward" to prevent cyberattacks against the U.S. The Trump administration also released a national cyber strategy last month and said that it would act more aggressively in cyberspace.