GAO Report Warns Nearly All New U.S. Weapons Systems Can Be Hacked

Critical cybersecurity flaws were found in "nearly all" weapons systems operationally tested by the U.S. Department of Defense between 2012 and 2017 and the agency "does not know the full extent of the problems" that exist, a new report has claimed.

A damning 50-page report suggested digital protections in place were "insufficient," warned that government officials had a "false sense of confidence in the security of their programs" and said the DOD was "just beginning to grapple with the scale of vulnerabilities" it now faces.

In its analysis, made public Tuesday, the U.S. Government Accountability Office (GAO) said hackers who had tested the systems under development could "operate undetected." It listed example targets including flight software, communications lines and industrial control systems.

The study was conducted, the GAO elaborated, because the defense agency is currently planning to spend around $1.66 trillion to develop its weapons systems. They need to be protected from adversaries who have "advanced cyber-espionage and cyber-attack capabilities," it said.

But the report noted: "We found that from 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems."

The road ahead

Evidence suggested there is still a lot of work to be done to bolster security. The audit disclosed a number of shocking ways that key systems were seemingly open to attack.

"In one case, it took a two-person test team just one hour to gain initial access to a weapons system and one day to gain full control of the system they were testing," the GAO wrote.

In another case, it said testers took control of operators' terminals. "They could see, in real-time, what the operators were seeing on their screens and could manipulate the system," it detailed.

Analysts found passwords were being poorly managed and multiple weapons systems had used open-source software. One administrator login credential was cracked in just nine seconds.

And in a post-Edward Snowden world—when a single insider can leak secretive data and cause embarrassment on a global scale—one GAO discovery may alarm Pentagon officials.

It said: "Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."

The cost of connection

The report noted that "nearly all" DoD weapon system functions now rely on computers, from life support functions in aircraft to the interception of incoming missiles. It said the move to digital "comes at a price." The main cost? It "significantly expands weapons' attack surfaces."

The GAO stressed that cybersecurity is being bulked up, but warned the process will be slow and arduous. It conducted the audit from July 2017 to October 2018. The findings were able to be published in an unclassified format as they lacked data about specific weapon vulnerabilities. Some bugs will likely have been resolved by the time the report hit the public domain.

The agency said it is "not making recommendations at this time" and will continue to evaluate.

Army Major Audricia Harris, spokeswoman for the Pentagon, told CNN that the agency "takes threats to our nation seriously."

She said: "We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our defense industrial base and defense critical infrastructure partners to secure critical information."