A report from the Government Accountability Office (GAO) found that Pentagon weapons are woefully underprepared in the face of a cyberattack. Equipment such as F-35 jets and missile systems is vulnerable to hacking.
“In recent cybersecurity tests of major weapon systems [the Department of Defense] is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected,” the report says. The agency discovered “mission-critical cyber vulnerabilities” in almost every weapon system being developed.
Many of these security issues center around the fact that so many systems and devices are connected to the internet. On many Pentagon weapons systems that use open source or commercial software programs, the organization didn’t bother changing the default passwords—a huge and very simple security faux pas. The GAO also found that the Pentagon was using poor password practices across the board, as well as unencrypted communications.
In the GAO’s investigation, it found that in one instance, a two-person team was able to hack and gain complete control of a weapons system they were testing in only one hour. In another case, a tester was able to guess an administrator password in less than 10 seconds.
At this point, the GAO isn’t making any recommendations on what the Department of Defense should do next. The organization has been warning the Pentagon about these types of weapons system security vulnerabilities for more than 20 years. One part of the issue may be that these security assessments aren’t taken seriously. Another problem is that in some cases the findings apply to classified systems, which can make it difficult to share information and knowledge.
Officials that the GAO met with, however, reported feeling that their systems are indeed secure. Some GAO test results were even discounted, believed to be unrealistic of hackers’ true abilities in the wild. This could show a dire lack of understanding about networking security that the U.S. government needs to remedy, stat.