The DOD’s Most Expensive Weapon Systems Are Hackable


By Wes O’Donnell
Contributor, In Military and InCyberDefense

A new report from the U.S. Government Accountability Office recently found that U.S. weapon systems developed between 2012 and 2017 have “mission critical” cyber vulnerabilities. The GAO released its report last Tuesday after a Senate Armed Services Committee request, which occurred prior to approval of $1.66 trillion in spending by the armed forces to develop current weapon systems.

According to the report, DOD routinely found in operational testing that there were mission-critical cyber vulnerabilities in weapon systems under development. However, program officials whom GAO met with believed their systems were secure and discounted some test results as unrealistic.

Using relatively simple tools and techniques, testers were able to take control of systems and largely operate them undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, cyber vulnerabilities that DOD is aware of likely represent a fraction of the total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of cyber threats.

Despite GAO Report, DOD Denies Extensive Cyber Vulnerabilities Exist in Its Weapon Systems

In the private sector, a report like the one created by the GAO would put the CEO and other leadership at risk of being fired. But the DOD denies that such cyber vulnerabilities exist to the extent that the GAO stated in its report.

Congress recently directed the DOD to better understand and address cybersecurity. However, significant challenges could limit the effectiveness of these steps.

For instance, there is a severe shortage of trained cybersecurity professionals. Also, there are workforce issues that the DOD must contend with prior to making real strides toward improving security around high-tech weapon systems.

In addition, today’s weapon systems are heavily computerized. That creates more attack opportunities for adversaries (represented below in a fictitious onboard weapon system for classification reasons).

Meanwhile, America’s adversaries are busy developing and perfecting their cyberattack capabilities that target not just DOD systems, but many other aspects of the U.S. infrastructure.

GAO Report Also Finds Fault with Lack of Information Sharing about Cyber Threats

The GAO’s report also found severe inefficiencies in the way information about cyber threats is shared across programs within the Pentagon. For instance, officials on a program with a heavily connected weapon system stated that their system is only as secure as its weakest link, but they do not have information on the vulnerabilities of systems that their weapon connects to because of classification issues.

In addition, if a weapon system experienced a cyberattack, the intelligence community would not provide the DOD program officials with specific details of that attack. Again, this is due to the type of classification of that information.

Classification levels and sharing of information are at the root of the DOD’s failure to acknowledge that it has a problem at all.

What Can Be Done to Improve Weapon Systems Cybersecurity?

From the outside, it seems clear that the DOD could take a number of steps to remedy this situation.

First, the DOD needs an Apollo program to recruit and retain top cybersecurity talent for its workforce. This recruitment could be accomplished through incentives and internships, as well as strategic partnerships with schools and universities.

Next, the DOD needs to address the barriers to information sharing for classified or compartmentalized systems. A new policy could certainly be developed that would improve the flow of information without compromising national security.

Finally, the DOD needs to take cyber threats more seriously than its current programs suggest. For instance, the DOD does not have a permanent process in place to periodically assess the cybersecurity of systems already in the field.

Section 1647 of the National Defense Authorization Act for Fiscal Year 2016 requires the Secretary of Defense to evaluate the cyber vulnerabilities of each DOD weapon system by the end of 2019. The Secretary of Defense must also develop strategies to mitigate risks stemming from those vulnerabilities.

It is likely that Defense Secretary Mattis is taking these claims by the GAO seriously and is tasking appropriate sections within the Pentagon to work on a long-term solution. Until then, let’s hope that valuable lessons have been learned about critical cyber vulnerabilities in future weapon systems.




