At the request of the Senate Armed Services Committee, GAO assessed the Department of Defense's (DoD) readiness to deal with cyberattacks by reviewing cybersecurity tests conducted on its weapons systems from 2012 to 2017. It found that testers were routinely able to infiltrate and commandeer the weapons systems they were testing. In at least one case, they were able to find the correct administrator password in nine seconds, because the DoD never bothered changing the default. All the testers had to do was look it up on the internet. Further, they were able to operate undetected -- the other testers meant to fend them off were unable to do so.
GAO also believes that the Pentagon doesn't know how bad its vulnerability issues truly are, because the tests were limited in scope. In addition, most of the vulnerabilities the tests unearthed remain unresolved. The Pentagon only addressed one of 20 identified vulnerabilities, and even though officials found solutions for some of them, they were never implemented "for some reason." While there could be multiple factors that contribute to DoD's lack of action, one of them is losing its best workers to the private sector. The department doesn't have the budget to match the salaries private companies offer top cybersecurity experts, whom it needs to be able to detect and combat advanced/state-sponsored cyber threats against the government.