By Zachary Fryer-Biggs, Center for Public Integrity
A handful of costly military satellites and ground stations were deployed between 2012 and 2016 so they could pass secure messages between the U.S. Army’s portable radios and cellular networks around the globe. But when a team of Navy hackers tested it in 2015 and 2016, the system turned out not to be so secure.
It had more than 1,000 cyber vulnerabilities, half of which had “a high potential of giving system access to an intruder,” a 2016 Pentagon testing report said.
The network, known as the Mobile User Objective System, turns out to be just one of many new major Pentagon weapons systems found vulnerable to hacking. A new report from auditors at the Government Accountability Office (GAO) concluded on Oct. 9 that “nearly all” of the weapons systems in the Pentagon’s $1.7 trillion dollar purchasing pipeline have glaring cybersecurity holes.
Here’s the problem: The Pentagon and other federal agencies for the past few years have been intensifying their efforts to protect their own computer networks from hacking—after some spectacular breaches, including a hack of sensitive government personnel files in 2015 and Edward Snowden’s theft of NSA files in 2013.
But the military hasn’t worked as hard over the past decade to protect its software-dependent weapons systems from hacking, according to the GAO.
The consequences in a crisis or military conflict could be grave, since cyber breaches involving weapons systems could in theory give an enemy the opportunity to make the weapons misfire or fail. It’s not the first time this warning has been issued—at least a half-dozen military studies since the 1990s have sounded alarms that Pentagon systems were becoming enticing hacking targets, the report said.
Only in 2014 did the Pentagon begin to routinely check for cyber vulnerabilities in weapons systems, the GAO noted, and many systems haven’t been tested at all. “Until recently, DOD [Department of Defense] did not prioritize cybersecurity in weapon systems acquisitions,” the report said. “DOD is in the early stage of trying to understand how to apply cybersecurity to weapon systems.”
The GAO, which serves as Congress’s watchdog group reviewing the work of government agencies, conducted the study at the request of the Senate Armed Services Committee. The report does not describe any vulnerabilities in specific weapons systems, noting that classification rules protect details of what was found during testing. But it points to multiple instances where military hackers testing the cybersecurity of weapons systems, called red teams, managed to get into platforms in seconds because of lax security.
During one test a red team guessed a key password in nine seconds. And in several other instances, weapons makers used publicly available software in their systems without changing the default passwords.
The report also highlighted particular vulnerabilities associated with older weapons systems, some of which might be connected to newer ones meant to be more secure. “Until around 2014, there was a general lack of emphasis on cybersecurity throughout the weapon systes acquisition process,” the report said. “If attackers can access one of those [older] systems, they may be able to reach any of the others through the connecting networks.”
Frank Kendall, who served as the head of weapons buying and testing for the Pentagon from 2012 to 2017, disputed some of the report’s pessimism. He said his colleagues aggressively looked at cybersecurity well before 2014, when the GAO report said major scrutiny began. “What they say isn’t true,” Kendall wrote in an email. “Before then I think we called it ‘information assurance,’ which was basically the same thing. I upped the emphasis a lot … but testing and having requirements for cybersecurity goes way back.”
Kendall noted that in a 2015 the Pentagon enacted a rule that the risk from cyber threats had to be considered as part of buying decisions, and in 2017, it said cybersecurity precautions had to be incorporated in the development of all new weapons systems.
But Cristina Chaplain, a senior GAO official and one of the report’s authors, said in an interview that many weapons-buying officials have a false sense of confidence about the security of their systems. “People assume there’s a lot of natural protection built into these things,” beyond what’s present in home computers, Chaplain said. But some of the flaws are simple, like easy-to-guess passwords.
The GAO report lists 15 policy or guidance document changes since 2014 that have helped spur testing of weapons systems. But it says the Pentagon “does not know the full extent of its weapon systems cyber vulnerabilities” due to rushed and inadequate tests, and difficulty recruiting highly qualified cyber experts. Even when weaknesses are found in one round of testing, they sometimes aren’t fixed, the report noted.
In one program, not named in the unclassified version of the GAO report, 20 security issues were flagged by cyber experts, but only one had been addressed when the system was rechecked later. General Dynamics, the company responsible for the MUOS ground systems, said in a statement that it is “confident in the security of the Mobile User Objective System (MUOS) havin g received an ‘Authority to Operate’ from the U.S. Navy in August and continue to improve and adapt the system’s security to outpace new and emerging threats.”
UPDATE 6:28 pm: This story has been updated to include General Dynamics’ comments.
The Center for Public Integrity is a nonprofit, nonpartisan, investigative newsroom in Washington, D.C. More of its reporting can be found here.