Cant make this up and further there is a huge element of deniability that such vulnerabilities exists.
GAO: In recent cybersecurity tests of major weapon systems DOD is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected.
DOD’s weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks. Yet until relatively recently, DOD did not make weapon cybersecurity a priority. Over the past few years, DOD has taken steps towards improvement, like updating policies and increasing testing.
Federal information security—another term for cybersecurity—has been on our list of High Risk issues since 1997.
Today’s weapon systems are heavily computerized, which opens more attack opportunities for adversaries (represented below in a fictitious weapon system for classification reasons). The full report here.
*** From Wired in part:
In other cases, the report states that automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.
Like most unclassified reports about classified subjects, the GAO report is rich in scope but poor in specifics, mentioning various officials and systems without identifying them. The report also cautions that “cybersecurity assessment findings are as of a specific date so vulnerabilities identified during system development may no longer exist when the system is fielded.” Even so, it paints a picture of a Defense Department playing catch-up to the realities of cyberwarfare, even in 2018.
Edelman says the report reminded him of the opening scene of Battlestar Galactica, in which a cybernetic enemy called the Cylons wipes out humanity’s entire fleet of advanced fighter jets by infecting their computers. (The titular ship is spared, thanks to its outdated systems.) “A trillion dollars of hardware is worthless if you can’t get the first shot off,” Edelman says. That kind of asymmetrical cyberattack has long worried cybersecurity experts, and has been an operational doctrine of some of the United States’ biggest adversaries, including, Edelman says, China, Russia, and North Korea. Yet the report underscores a troubling disconnect between how vulnerable DOD weapons systems are, and how secure DOD officials believe them to be.
“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” the report reads. DOD officials noted, for instance, that testers had access that real-world hackers might not. But the GAO also interviewed NSA officials who dismissed those concerns, saying in the report that “adversaries are not subject to the types of limitations imposed on test teams, such as time constraints and limited funding—and this information and access are granted to testers to more closely simulate moderate to advanced threats.”
It’s important to be clear that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams. But arguments over what constitutes a realistic testing condition are a staple of the defense community, says Caolionn O’Connell, a military acquisition and technology expert at Rand Corporation, which has contracts with the DOD.