Defense experts are seizing on a stunning federal report highlighting cyber vulnerabilities in U.S. weapons systems, calling it an embarrassing wake-up call for the Pentagon.
A Government Accountability Office (GAO) report released this week found that nearly all of the weapons systems it tested had extensive cyber flaws. The report warned that the Department of Defense (DOD) “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”
Experts said the alarming report was shining a light on the Pentagon's systematic failure to consider cyber threats in building the country's most powerful weapons.
“Military members’ lives could depend on the weapon system working as it's supposed to,” said Bob Taylor, former Pentagon acting general counsel during the Obama administration. “But if it contains a vulnerability that could be triggered by an adversary, it may not carry out a function that you’re counting on it having.
"And that could be a matter of life and death,” he added.
The report contains a number of startling examples of how hackers are able to penetrate weapons systems.
Testers were able to disrupt systems, change and download data. They also found that they could shut down parts of a system by simply scanning for cyber flaws. In one case, they were able to entirely take over a weapons system in just one day. One team of hackers was even able to send a message asking that users insert at least two quarters in order to continue using a system.
But the report was most damning over the Pentagon's consideration of cybersecurity in the systems themselves, finding that the department was still "in the early stage of trying to understand how to apply cybersecurity to weapon systems.”
Maj. Audricia M. Harris, a Pentagon spokesperson, said in a statement to The Hill that the department “takes threats to our nation seriously.”
“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our Defense Industrial Base and Defense Critical Infrastructure partners to secure critical information,” she said.
Rep. Jim LangevinJames (Jim) R. LangevinHillicon Valley — Cybersecurity's breakout year On the Money – Washington grapples with regulating crypto Congress zooms in on cybersecurity after banner year of attacks MORE (D-R.I.), a member of the House Armed Services Committee and co-founder of the Congressional Cybersecurity Caucus, said he was “not surprised” by the report's findings.
“While DoD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” he said in a statement.
Lawmakers have long pressured the military to seriously address its cyber flaws.
A defense authorization bill for fiscal 2016 required the Pentagon to test for cyber weaknesses in weapon systems and create plans to mitigate cyber attacks.
This year's defense authorization bill went further, mandating that the department detail a budget for their cybersecurity efforts.
The Pentagon has stepped up its efforts to address cyber in recent years.
For example, U.S. Cyber Command was elevated last year to be a standalone agency, instead of being housed within the NSA. And contractors with the department that handle unclassified data were required to implement certain cybersecurity standards by the start of 2018 or risk losing the contracts.
Still, the GAO report found that defense officials believed the security measures they had implemented were enough to defeat hackers, even though teams were able to penetrate systems.
Military leaders publicly acknowledged at a Senate hearing last month that the Pentagon struggles with recruiting staffers to work on cyber issues. Lt. Gen. Stephen G. Fogarty, the commander of U.S. Army Cyber Command, told lawmakers the division has “a challenge in retaining the core skills that we need.”
Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, said that the report highlighted the scope of the Pentagon's problems. Capdevielle said it's “not entirely surprising that military leaders turned a blind eye to security weaknesses within the Pentagon’s multibillion-dollar weapons systems.”
“Addressing cybersecurity vulnerabilities after the fact is a monumental task, so it’s unfortunate that the military failed to take action despite continued warnings from the Government Accountability Office,” he said.
John Harmon, a former NSA analyst and vice president of sales for cyber firm Endgame, said many Pentagon officials are focused on getting weapons systems to comply with necessary regulations so they can go into service. But that means that longterm thinking about cyber threats takes a back seat.
He also noted that cyber standards must constantly be updated. Some systems, like ships, are built to last for decades.
“Compliance is not security, it’s compliance,” Harmon said.
“Some of these systems again were built a long time ago. And sure, they might be compliant with when they were put out, but they’re not up to date when it comes to there being some kind of a system that actually protects these things from some kind of sophisticated adversary.”
Defense watchers said improving the Pentagon's cyber health would need a change in culture.
Taylor, now a senior counsel for the law firm Hogan Lovells, said military leaders need to send a stronger message to Pentagon officials about adopting good cybersecurity practices and better recognizing risks.
“I think that there really needs to be a strong message the people will be held accountable for not adequately responding to the shortcomings that have been revealed, and to create a culture of real care and attention to the vulnerabilities that the network weapons systems create,” he said.