I have just read one of the most appalling national security reports that I’ve seen in quite a while, an account of such neglect and malfeasance inside the Pentagon and the defense industries that, if we were to get into a major war, the trillions of dollars that we’ve spent on advanced weapons over the years might be all for naught. Our ability to win such a war may be in doubt.
The report, by the Government Accountability Office, is called Weapon Systems Cybersecurity: DOD Just Beginning to Grapple With Scale of Vulnerabilities. It’s the subtitle that should make jaws drop.
They should have begun to grapple with them decades ago.
In 1967, at the dawn of the internet, a handful of computer scientists warned that networks, which allow access to information from many unsecured locations, would produce inherent vulnerabilities.
In 1984, President Ronald Reagan signed the first presidential directive warning of dangerous gaps in computer security.
Since 1991, various scientific panels warned that modern computerized weapons and sensors are vulnerable to hacking by criminals, foreign spies, or even fairly unsophisticated troublemakers.
In 1997, in a top-secret exercise called Eligible Receiver 97, two dozen members of the National Security Agency—using commercial equipment—hacked into all of the Defense Department’s networks, including the National Military Command Center. This center serves as the liaison between the president and various combatant commands, including the nuclear weapons complex under Strategic Command.
After that incident, Pentagon officials installed intrusion-detection systems on hundreds of computers and created Joint Task Force-Computer Network Defense, which set up a 24/7 cybersecurity watch center and devised protocols for responding to intrusions. Other organizations of growing sophistication followed, culminating in 2010, with the establishment of U.S. Cyber Command.
And yet, after all these studies and warnings and revelations (and I’ve cited only a few), this new GAO report—which was first reported on Wednesday evening in the New York Times—concludes that the Defense Department is only “in the early stage of trying to understand how to apply cybersecurity to weapon systems.” Note the language: It’s not that Pentagon officials are in “the early stage” of applying cybersecurity to weapon systems (which would be tardy enough); they’re in the early stage of merely “trying to understand” how to do so.
This is the case, even though, as the report notes, these systems “are more software- and IT-dependent, and more networked, than ever.”
Now, to some degree, vulnerability goes with the territory. A quarter-century ago, the Defense Department realized that digital technology and computerized networks would improve the military in many ways. They would give troops and commanders a wider view of the battlefield, allow them to coordinate and respond to intelligence data more rapidly, and enable the weapons themselves to hit targets with astonishing accuracy. What no one realized at the time was that outsiders could intrude into these networks, and not just monitor but also copy, alter, or delete the data. In other words, they could distort the picture of the battlefield, falsify intelligence, and turn smart bombs into wayward ones.
In the private sector, IT specialists have come up with ways to deal with these vulnerabilities and at least mitigate their impact: changing passwords, patching software flaws, logging files, and separating truly vital networks from routine ones, among others.
The problem is that, in many cases, the Defense Department and weapons contractors have failed to take even these basic measures. In some cases, according to the GAO, red-team hackers have correctly guessed administrators’ passwords in as little as 9 seconds. In many cases, weapons operators have received software updates to patch vulnerabilities—but haven’t installed them. Rarely do the operators log files to look for hackers. In many cases (and this may be most inexcusable at all), programs for “logistics, personnel, and other business-related systems” are “connected to the same network as weapon systems.” If hackers get into one of these less sensitive systems, they can slide easily into the most sensitive ones.
As a result, government hackers who test these systems “routinely find mission-critical cyber vulnerabilities in nearly all weapons under development.” The report goes on: “Using relatively simple technology and techniques, testers were able to take control of these systems and largely operate undetected.” In one case, it took a two-person team one hour to gain partial access to a system—just one day to gain full control. In other cases, hackers were able to take control of the operators’ terminals—seeing, in real time, what the operators were seeing and then manipulating the view.
In January 2013, nearly six years ago, a panel of the Defense Science Board released a 138-page report, based on an 18-month study, that reached similar conclusions. It cataloged several recent U.S. military war games and exercises that tested the cybersecurity of weapons or communications systems, and concluded that the hackers “invariably” penetrated the defenses, “disrupting or completely beating” the side being hacked.
“The network connectivity that the United States has used to tremendous advantage, economically and militarily, over the past 20 years,” the DSB report observed, “has made the country more vulnerable than ever to cyber attacks.” The report concluded: “The United States cannot be confident that our critical Information Technology systems”—including military systems—“will work under attack from a sophisticated and well-resourced opponent.”
Judging from the GAO report, nothing has changed in the interim five years, much less in the 20 years since the first major studies, simulations, and real-life hacks that one might have thought would prod the U.S. military and its weapons manufacturers into action.
One problem is that the whole issue is still a sideline in the defense industry. The report notes that when manufacturers and Pentagon officials test new weapon systems to see if they perform as well as their requirements had specified, they usually don’t measure their resistance to a cyberattack.
Which leads to a more basic problem: a severe shortage of cybersecurity officials and officers. In many of the hacking tests, the operators of weapon systems didn’t know they were being hacked; the intrusion-detection system gave a warning, but they didn’t know what it meant—or, if they did, they didn’t know what to do.
In one sense, this isn’t the Defense Department’s fault. As the GAO report laments, it’s hard for the DOD, or the government overall, to hire and maintain skilled cyber technicians, who could earn more than $200,000 a year in the private sector. This is a problem, but it isn’t an insuperable one. The GAO estimates that the Pentagon will spend $1.66 trillion in the coming years on high-tech weapons. It shouldn’t be hard to come up with a couple billion more to give those weapons a decent chance of working.