Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems

holy_shit(1).pdf [PDF]:

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.

Terrified/horrified yet?

In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.

The Government Accountability Office's report contains nearly no good news. Just bad news on top of bad news with the chilling reminder that these are weapons systems so a malicious attack could do more than damage systems or exfiltrate sensitive data. It could actually kill people.

Why is the Defense Department's" um" defense in such shoddy shape? Well, it didn't get that way overnight. It took literally decades for it to arrive at this nexus point of technological advances and laissez-faire cybersecurity oversight.

Multiple factors contribute to the current state of DOD weapon systems cybersecurity, including: the increasingly computerized and networked nature of DOD weapons, DOD's past failure to prioritize weapon systems cybersecurity, and DOD's nascent understanding of how best to develop more cyber secure weapon systems. Specifically, DOD weapon systems are more software and IT dependent and more networked than ever before. This has transformed weapon capabilities and is a fundamental enabler of the United States' modern military capabilities. Yet this change has come at a cost. More weapon components can now be attacked using cyber capabilities. Furthermore, networks can be used as a pathway to attack other systems. We and others have warned of these risks for decades. Nevertheless, until recently, DOD did not prioritize cybersecurity in weapon systems acquisitions.

The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.

The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.

Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs were slightly more resistant to outside attacks. But they couldn't fight off attacks from insiders or contractors.

[O]ne assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

System data could be easily manipulated, resulting in the exfiltration of 100 GBs of sensitive data. Other data was altered by testers, with the alterations going unmolested and unnoticed.

Ready for more horror?

[I]n some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system"

[...]

One test report indicated that the test team was able to guess an administrator password in nine seconds.

[...]

Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software.

And no one at the DOD is learning from their mistakes.

One test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error. Another test report indicated that the test team exploited 10 vulnerabilities that had been identified in previous assessments.

Other tests by the GAO went "undetected for weeks." DOD employees did not see crashes as possible indicators of malicious attacks, stating that "unexplained crashes were normal for the system." Operators had become desensitized to security warnings, thanks in part to one system that always indicated it was under attack.

This isn't to say the DOD isn't try - dear sweet god in heaven:

One test report indicated that operators identified test team intrusion attempts and took steps to block the test team from accessing the system. However, the test team was able to easily circumvent the steps the operators took. In another case, the test team was able to compromise a weapon system and the operators needed outside assistance to restore the system.

Run silent, run deep.

As testers took over systems and escalated privileges, DOD officials interviewed by the GAO were expressing confidence in their cybersecurity programs. What programs the officials couldn't really say, since assessments appear to be a rarity and those that are carried are skin-deep. They admitted many systems had never been comprehensively tested, either due to the late implementation of penetration testing programs or because tests "would interfere with operations."

The only thing surprising about the report is that the systems weren't already crawling with malicious software by the time the GAO got around to engaging in penetration testing. Maybe state-sponsored hackers are just biding their time, waiting for an opportune moment to take control of US weapons systems. Or maybe the thought of turning a cyberwar into a conventional war isn't that appealing. Directly attacking DOD systems would pretty much be the software equivalent of declaring war, and very few countries are willing to escalate from military-sponsored action to boots on the ground.

But if it's only better judgment holding our enemies back, that's not going to last forever. Better judgment isn't exactly the calling card of several world powers, including our own at the present. The DOD has been told it sucks at security several times over the past 30 years. The message has yet to sink in. The GAO will revisit this years down the road. Perhaps the DOD will fare better the next time around. It certainly can't do worse than it is now.