This past Tuesday, the Government Accountability Office (GAO) revealed a terrifying report: America’s weapon systems are riddled with cyber vulnerabilities. These vulnerabilities are leaving U.S. defenses open to attack. This cannot remain the status quo. The Department of Defense (DOD) must bring its weapon systems’ cybersecurity up to speed by addressing past failures and attracting new cybersecurity expertise to protect America’s increasingly tech-dependent future.
The GAO’s recent tests found vulnerabilities in “nearly all” weapon systems currently being developed. The details of the vulnerabilities are alarming. According to the report, in tests of major weapon systems DOD is currently developing, “testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected.” Flaws as basic as poor password management and unencrypted communications—one administrator’s password took only nine seconds to guess—plagued the systems. Test teams were able to observe remote monitors, send annoying pop-ups, change or delete data, and even cause systems to shut down entirely. In one instance, a two-person test team hacked its way to full control of a system in just a day.
As though these vulnerabilities were not alarming enough, DOD officials seemed oblivious to the potential danger they faced. As the report notes, “Program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”
This attitude is not a result of a lack of discussion about cybersecurity. In the past four years, the DOD has issued or updated guidance regarding weapon systems’ cybersecurity fifteen times. Moreover, one DOD staff team pointed GAO officials to a list of security controls they had implemented. The DOD team had assumed that merely having these controls in place meant they were safe. But without proper testing, there is no way to assess whether these controls are actually sufficient for keeping hackers out.
America cannot let these problems remain unaddressed in a world where states have repeatedly proven their willingness to engage in cyber-attacks. In 2007, Russian hackers attacked Estonia’s banks, news outlets and government. In 2015, 225,000 Ukrainians lost electricity after Russia hacked into the power grid in Kiev. And in 2014, a U.S. Senate panel accused China of repeatedly hacking computer systems belonging to American companies—including defense contractors.
The unclassified version of the GAO report does not detail which weapon systems are most at risk. But the sheer prevalence of risks—and GAO’s acknowledgment of a multitude of yet-to-be-found flaws—are disconcerting enough. Allowing these vulnerabilities to exist is not an acceptable option. So how can the DOD close the cybersecurity gap quickly?
A “best practices” list of security controls is inefficient on its own because it assumes cyber risks look the same from day to day. The reality is that hackers are constantly creating new types of cyber-attacks. Therefore, a fully-functional security program must also be continually evolving. One cybersecurity control might keep out one type of cyber-attack, only to succumb tomorrow to a new kind. Therefore, the DOD should frequently and systematically test each system for new, unpredicted vulnerabilities.
To do that, the DOD will have to find ways to attract talent—and keep it. Currently, DOD salaries for cybersecurity experts are not competitive. According to Glassdoor, the average DOD cybersecurity analyst makes only $86,000 per year. It’s little surprise that these experts are leaving the military for private companies, where top analysts often earn compensation of $200,000 per year or more.
Recommended: Why No Commander Wants to Take On a Spike Missile
Nor does it help that not just any cybersecurity expert can solve the issues plaguing DOD weapon systems. Expertise in applying cybersecurity to weapon systems requires knowledge beyond that which many professional information technology certifications provide. In addition to an understanding of cybersecurity, a DOD cybersecurity expert must also know how the agency’s acquisition process works and understand the technical aspects of each weapon system’s various components.
To help ease the shortfall, DOD program officials should rely more fully on cyber experts at the National Security Administration and Cyber Command. Because most of the DOD’s work is classified, there is limited ability to share information about risks and potential solutions with outside specialists. Therefore, leaning on the capacities of other government agencies is vital. And, according to the report, “NSA officials said that they will provide advice to acquisition programs if asked to do so.”
It is far easier to design a system with adequate cyber protection than to try to retroactively fix problems caused by poorly-designed older systems. And it is beyond foolish to overlook or ignore weak spots America’s enemies are sure to exploit. If America wants to remain a global power tomorrow, the DOD must embrace tomorrow’s technology with open arms.
Kathryn Waldron is a Research Associate at the R Street Institute and a Graduate Research Fellow at George Mason University.