EXECUTIVE SUMMARY:

The US Government Accountability Office (GAO) has released a report outlining the results of cybersecurity testing of Department of Defense (DOD) weapons systems from 2012-2017. Its conclusion: the majority of weapons systems are vulnerable to cyberattack due to poor password practices, failure to update systems, system complexity, and a shortage of the talent needed to manage these issues.

The GAO—which notes that the weapons systems are more software dependent and more networked than ever before—was asked to review the cybersecurity status of the DOD’s weapons portfolio as the DOD readies to spend $1.66 trillion to develop its existing weapons portfolio. In conducting its review, the GAO drew from data from the Pentagon’s own testing, as well as interviews with cybersecurity officials.

As NPR reports, the GAO found widespread problems, saying, “DOD testers routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development.”

One of the clear findings in the study is that testers were able to easily gain control of the systems. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” said the report.

Wired writes that the GAO found that one tester was able to guess an admin password in nine seconds and another disabled a system by scanning it—a technique that the GAO says “requires little knowledge or expertise.”

In addition, Wired writes that testers were able to infiltrate and stay in the system for weeks, undiscovered, in one case. “In other cases, the report states that automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.”

What makes the findings even more alarming is that the testing was relatively lightweight. As NPR reports, the GAO described the hacking and tests as ‘limited.’ “While they posed as hackers, for instance, the testers did not have free rein to attack contractors’ systems, nor did they have the time to spend months or years to focus on extracting data and gaining control over networks,” notes NPR.

“We saw widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover,” stated the report.

Commenting on the report, R. David Edelman, former special assistant to President Barack Obama on cybersecurity and tech policy, told Wired, “In the private sector, this is the sort of report that would put the CEO on death watch.”

According to the GAO, DOD officials “believed their systems were secure and discounted some test results as unrealistic.”

Identified problems often went unaddressed. One likely contributing factor is a talent shortage, since higher compensation elsewhere can be a big draw. As NPR reports, “The most capable workers – experts who can find vulnerabilities and detect advanced threats – can earn ‘above $200,000 to $250,000 a year’ in the private sector,” according to the GAO, which cited a 2014 Rand study. That pay scale goes well beyond the agency’s.

In its report, the GAO said it is not making any recommendations, but will continue to evaluate the situation.

Get the full story at NPR.