Report: US weapons systems are highly vulnerable to cyber attacks

Tests showed that they're quite easy to infiltrate.

The Department of Defense will have to ramp up its cybersecurity efforts now that it's planning to spend $1.66 trillion to develop major weapons systems. According to a new report (PDF) by the Government Accountability Office, nearly all of the Pentagon's weapons systems are vulnerable to cyberattacks. The DoD, the report reads, didn't make cybersecurity a priority, even though GAO has been warning it for decades about the risks it's taking by not making sure its systems are properly protected. That leaves the nation's weapons, such as missiles and drones, susceptible to attacks meant to take over their controls.

At the request of the Senate Armed Services Committee, GAO assessed the department's readiness to deal with cyberattacks by looking at cybersecurity tests conducted on its weapons systems from 2012 to 2017. It found that testers were routinely able to infiltrate and commandeer the weapons systems they were testing. In at least one case, they were able to find the correct administrator password in nine seconds, because the DoD never bothered changing the default. All the testers had to do was look it up on the internet. Further, they were able to operate undetected -- the other testers meant to fend them off were unable to do so.

GAO also believes that the Pentagon doesn't know how bad its vulnerability issues truly are, because the tests were limited in scope. In addition, most of the vulnerabilities the tests unearthed remain unresolved. The Pentagon only addressed one of 20 identified vulnerabilities, and even though officials found solutions for some of them, they were never implemented "for some reason." While there could be multiple factors that contribute to DoD's lack of action, one of them is losing its best workers to the private sector. The department doesn't have the budget to match the salaries private companies offer top cybersecurity experts, whom it needs to be able to detect and combat advanced/state-sponsored cyber threats against the government.