New report highlights Pentagon’s cyber flaws

The GAO report revealed that most weapons systems it tested had deep cyber flaws. It is “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity” the report stated.

Last month, the military publicly acknowledged at a Senate hearing that it struggled with recruiting cyber specialists. Lt. Gen. Stephen Fogarty, the commander of US Army Cyber Command, told lawmakers of “a challenge in retaining the core skills that we need”.

Edgard Capdevielle, CEO of industrial cybersecurity firm Nozomi Networks, said that the report highlighted the scope of the Pentagon’s failure to maintain cyber security. Capdevielle said it was “not entirely surprising that military leaders turned a blind eye to security weaknesses within the Pentagon’s multibillion-dollar weapons systems”.

“Addressing cybersecurity vulnerabilities after the fact is a monumental task, so it’s unfortunate that the military failed to take action despite continued warnings from the Government Accountability Office,” he told The Hill.

A defense authorisation bill for fiscal 2016 had ordered the Pentagon to test for cyber weaknesses in weapon systems and upgrades to counter cyber attacks.

But the Pentagon has systematically failed to evalue the extent of cyber threats to America’s most powerful weapons, the report warned. “Military members’ lives could depend on the weapon system working as it’s supposed to,” according to Bob Taylor, former Pentagon advisor.

Taylor suggested that the problem was the culture at the Pentagon. He urged military leaders to put pressure on Pentagon officials regarding cyber security practices and risks.

“I think that there really needs to be a strong message the people will be held accountable for not adequately responding to the shortcomings that have been revealed, and to create a culture of real care and attention to the vulnerabilities that the network weapons systems create,” he said.

“That could be a matter of life and death,” he added. Taylor was an Obama administration appointee.

John Harmon, a former NSA analyst, said that many Pentagon officials are too focused on getting weapons systems to comply with necessary regulations. “Compliance is not security, it’s compliance,” Harmon said.

He also noted that while cyber standards must constantly be updated, many weapons systems, like ships, are built to last for decades. “Some of these systems again were built a long time ago. And sure, they might be compliant with when they were put out, but they’re not up to date when it comes to there being some kind of a system that actually protects these things from some kind of sophisticated adversary.”

Examples of how hackers are able to penetrate weapons systems, were presented showing how systems could be disrupted, changed and data could be downloaded. Parts of a system could even be shut down while scanning for cyber flaws.

In one notable case, a weapons system was actually taken over in just one day by a team of hackers. They said the Pentagon was still “in the early stage of trying to understand how to apply cybersecurity to weapon systems”.

A Pentagon spokesperson, asked to comment on the report, said in a statement to The Hill that the department “takes threats to our nation seriously”.

“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our Defense Industrial Base and Defense Critical Infrastructure partners to secure critical information,” the spokesperson said.

Jim Langevin, a Democrat member of the House Armed Services Committee and co-founder of the Congressional Cybersecurity Caucus, said he was “not surprised” by the report’s findings. “While DoD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” he said in a statement.

The 2018 defense authorisation bill has gone even further, mandating that the department detail a budget for their cybersecurity efforts.

US Cyber Command is a standalone agency, and not housed within the US National Security Agency (NSA).