WASHINGTON — Defense Department weapons programs are vulnerable to cyberattacks, and the Pentagon has been slow to protect the systems which are increasingly reliant on computer networks and software, a federal report said Tuesday.
The U.S. Government Accountability Office said the Pentagon has worked to ensure its networks are secure, but only recently began to focus more on its weapons systems security. The audit, conducted between September 2017 and October 2018, found that there are “mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats.”
Pentagon officials have acknowledged for years that the department, the military services and defense contractors are under persistent cyber probes and attacks, including from state actors seeking to steal data to gain an economic or technological advantage. The report doesn’t name potential attackers, but it noted that some “advanced threat actors” are aware of the vulnerabilities and “have well-funded units that focus on positioning themselves to potentially undermine U.S. capabilities.”
U.S. officials have repeatedly accused Russia and China of using cyberattacks to breach government and commercial networks and systems.
The GAO, which is Congress’ investigative arm, provides no details about what the specific military systems are or how they are vulnerable, due to their classified nature. The report said that nine major defense acquisition programs from various military services were reviewed.
In one case, it said, “it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.”
In other cases, the report said that testers — using simple tools and techniques — were able to take control of computer terminals and see what the operators were seeing in real time. Another team was able to send a pop-up message to the computer terminals “instructing them to insert two quarters to continue operating.” The teams were also able to copy, change and delete data.
Vulnerabilities found within the systems included being able to turn a weapon on or off, affect missile targeting, adjust oxygen levels or manipulate what controllers see on their computer screens.
The report cited problems with poor passwords, insecure lines of communication and the Defense Department’s ongoing struggle to get qualified cybersecurity staff.