Hackers pierced the weapon system’s terminal, giving them the ability to feed operators false commands or spoof logistics. But instead, the intruders opted to display a taunting message across the screen, according to a new report from the Government Accountability Office. They chose a time-tested instruction.
“Insert two quarters to continue operating.”
In this case, the hackers in question were red-team testers discovering vulnerabilities in Pentagon weapons systems under development. The prank was just one example included in a 50-page report that underscored just how susceptible American military weapons are to cyberattacks. The report did not name the particular weapon system that offered the arcade-style instruction, but it fit the description of a drone.
While the Pentagon has a weapons portfolio of roughly $1.66 trillion, the GAO found that “nearly all” American missiles, jets, ships and lethal equipment under development are vulnerable to cyberattacks. Testing showed that hackers could infiltrate weapons systems in development with “relatively simple tools and techniques” that included guessing passwords, using publicly available software and scanning systems, according to the October report.
In one case, a test team was able to infiltrate a weapons platform by guessing the administrator’s password in nine seconds. In another example, passwords for weapons had not been changed from their default settings, which were quickly found over the internet.
The extent of the problem is not known, according to the report, because “for a number of reasons, tests were limited in scope and sophistication.” But without correction, the test meant the potentially hacked system could alert the enemy to an incoming attack or not work altogether.
The Pentagon’s “own testing shows they can be pretty easily hacked,” Cristina Chaplain, a director for contracting and national security acquisitions at the GAO, said on an agency podcast. “People look at weapons and think they are automatically very different than their home computers or the business networks that we see getting attacked every day, but they are not so different.”
The report only reviewed weapons that were in development as opposed to those in the field. Chaplain said she hoped the vulnerabilities would be discovered before the systems are deployed, but “it’s not a guarantee.”
A string of high-profile hacks has resulted in the pilfering of some of America’s most closely guarded weapons details. A Chinese man pled guilty in 2016 to stealing sensitive details of the C-17 Globemaster, and Lockheed F-35 and F-22 stealth fighters. And in early 2018, Chinese hackers stole “massive amounts of highly sensitive data related to undersea warfare” from a naval contractor, according to the Washington Post.
“It looks grim unless they really see this as a wake-up call and start taking actions in a serious manner,” Chaplain said. Until recently, the Pentagon “was not prioritizing cyber to the extent it should in the development process.”
How to protect weapons
Experts laid out a series of proposals for Fifth Domain on the best ways to boost cybersecurity of weapons. The task will require a culture of cyber hygiene, resilient systems and a workforce overhaul, the experts said.
In the agency podcast, Chaplain said a number of basic steps could be taken to change “cultural issues” of cybersecurity inside the Pentagon’s weapons procurement program, including better password management and securing weapons from development to deployment.
There is “a culture right now at [the Department of Defense] where we feel like the extent of this problem really isn’t appreciated at the program level,” Chaplain said.
The Pentagon should expect that hackers will break into its weapon systems and, as a result, the department should build resiliency into its systems, Jamie Stevenson, chief technology officer at the advanced solutions group of Leidos, told Fifth Domain. Leidos is one of the prime cybersecurity and network contractors for the U.S. government.
“You are looking at the ultimate game of cat and mouse. It is one of those things that there are always going to be new vulnerabilities,” Stevenson said. The question becomes “how can you bake resiliency into your system.”
Raytheon is building a layered approach to securing weapons systems because it also expects hackers to discover vulnerabilities, Todd Probert, a vice president for the defense contractor’s mission support and modernization department, told Fifth Domain. Raytheon is also one of the prime cybersecurity and defense contractors of the U.S. government.
“On one end of the spectrum, it is just IT, going back to updates that come out for operating systems and regular patches and staying current with them,” Probert said. “A little further up the food chain, the processes for how we build software has fundamentally changed over the past five to 10 years.” He added that it is important to test code for bugs before it is deployed.
But the GAO report also said that one of the largest challenges the Pentagon faces in protecting weapons from cyberattacks is hiring and retaining personnel who are qualified for the job. It has been a problem not just for the Pentagon, but for the entire U.S. government.
“Maintaining a cybersecurity workforce is a challenge government-wide and that this issue has been a high-priority across the government for years.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.