It’s a fact—some industries are more digitally secure than others. Based on your own knowledge, which ones do you think have the best cybersecurity? The American military and the Pentagon ought to be near the top of the list, right? They have weapons, equipment, infrastructure, and oodles of resources, all of which can protect them both offensively and defensively. In fact, they have the ability to wipe entire towns off of the map, and if access to that particularly powerful technology were to fall into the wrong hands—well, it could be quite deadly. And let’s not forget, cyberwarfare is the future of combat, which means this attack goal is by no means unrealistic. You would think, given the trillions of dollars spent on their military programs, that the Pentagon and U.S. forces would have the world’s top cybersecurity experts keeping everything hardened like Fort Knox.
No country in the world spends more money on its military than the U.S., which allocates nearly three times as much money as the second most expensive military—namely, China. But keep in mind, China also has about 4.3 times as many people as the U.S., so the situation is a little different.
The good ole’ U.S. of A. also has many of the world’s top institutions for computer technological research. They include MIT, the University of California at Berkeley, and their associated Lawrence Livermore National Laboratory, which is dedicated to the development of science and technology applied to national security. Given all that, the recent findings of a report released on October 9 by the U.S. Government Accountability Office are truly shocking. The U.S. GAO conducted a thorough series of tests of the Pentagon’s weapons systems and revealed just how devastatingly poor their cybersecurity really is. The tested systems include networks connected to F-35 fighter jets and missile systems. Cyberattacks on those targets could cause catastrophic destruction and cost many human lives.
The report first explains why the study was conducted, “DOD (Department of Defense) plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber attack capabilities that target DOD systems. Cybersecurity, defined as the process that protects information and their systems, can reduce the likelihood that attackers are able to access U.S. systems and limit the damage if they do. GAO was asked to review the state of DOD weapon systems cybersecurity.”
Here are some of the scariest findings:
“We found that from 2012 to 2017, DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks. Furthermore, DOD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication.”
Some of the discovered security weaknesses were pretty darn pedestrian. There were lots of default passwords. If you buy a wireless router for your home, you really must change the password that was pre-installed on it. Databases full of default passwords for various makes and models of routers can be found all over the internet. Everyone knows that. Why on earth would the military leave their default passwords on any device? And even when their passwords were original, they were still weak. “One test report indicated that the test team was able to guess an administrator password in nine seconds.” And that’s just a human being making guesses, not a password-cracker trying multiple combinations per second, which would obviously be a lot more successful.
Network vulnerability scanning suites like Nessus and Metasploit are pretty simple to use. They are even used to test the security of small networks, such as those belonging to small businesses with fewer than fifty employees. The report stated, “One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.” So in truth, this is script kiddie stuff.
It wouldn’t take long for someone with only basic cybersecurity knowledge to penetrate military systems that can make things go boom! “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.”
Cristina T. Chaplain is the lead author of the report, and she discussed it on a recent U.S. GAO podcast. She said, “The Pentagon’s own testing shows they can be pretty easily hacked. Until recently, the Pentagon was not prioritizing cybersecurity in the development process. Over the past decade or so, the Pentagon has really emphasized networking the weapons systems and bringing them together, which increases the span of their challenge in terms of cyber.”
The U.S. military helped to develop ARPAnet and TCP/IP, which made the modern internet possible. That technology has been developed by the American government since the 1960s, and yet, apparently the Pentagon didn’t start prioritizing cybersecurity until about ten years ago. That’s completely and utterly unfathomable…
David Edelman, who used to advise President Obama on cybersecurity policies, said, “I will say that the GAO can be prone to cyber hyperbole, but unless their sampling or methodology were way off or deliberately misleading, DOD has a very grave problem on its hands. In the private sector, this is the sort of report that would put the CEO on death watch.”
Private sector corporations don’t usually own nuclear weapons, which means the reprimands for not looking after the cybersecurity of military weapons systems should be a lot more severe than just a reprimand for not looking after the cybersecurity of movie theater networks. Compare the threat of pirated Hollywood films to the threat of cyber attackers sending bomber drones over Washington D.C.—which one seems more pressing?
Seeing the big picture, Edelman says, “The key conclusion is that the DOD needs a new weapons security paradigm. In a world where our most sophisticated fighter jets are effectively supercomputers with very hot engines, that’s a risk we have to take very seriously.”