Security Vulnerabilities in US Weapons Systems
The US Government Accounting Office just published a new report: “Weapons Systems Cyber Security: DOD Just Beginning to Grapple with Scale of Vulnerabilities” (summary here). The upshot won’t be a surprise to any of my regular readers: they’re vulnerable.
From the summary:
Automation and connectivity are fundamental enablers of DOD’s modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks. Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity.
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
It is definitely easier, and cheaper, to ignore the problem or pretend it isn’t a big deal. But that’s probably a mistake in the long run.
MarkH • October 10, 2018 10:49 AM
From personal knowledge, I can attest that Global Strike Command (yes, that’s what they call it … used to be called SAC), the arm of the US Air Force responsible for its nuclear arsenal, has been investing in a cybersecurity program for more than 5 years.
I’m not in a position to evaluate how thorough or effective that initiative has been. Given the nature of its responsibilities, it’s logical and appropriate that Global Strike has been proactive about information security, and perhaps is “out in front” of other segments of the US military.
For what it’s worth, I’m very confident that “the ultimate weapon” is not connected to the public internet. However, the assets and facilities of this Command are vast and sprawling, with many possibilities for vulnerability not directly connected with command and control of nuclear weapons.