The Defense Department plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber-espionage and cyber-attack capabilities that target DOD systems. Effectively protecting information and information systems can reduce the likelihood that attackers are able to access systems and limit the damage if they do.
The Government Accountability Office was asked to review the state of DOD weapon systems cybersecurity. Its report addresses factors that contribute to the current state of DOD weapon systems’ cybersecurity, the vulnerabilities in weapons that are under development, and the steps DOD is taking to develop more cyber resilient weapon systems.
To undertake this work, GAO analyzed weapon systems cybersecurity test reports, policies, and guidance. GAO interviewed officials from key defense organizations with weapon systems cybersecurity responsibilities as well as program officials from a non-generalizable sample of nine major defense acquisition program offices.
DOD’s weapons are more computerized and networked than ever before, so, unsurprisingly, there are more opportunities for attacks. Yet until relatively recently, DOD did not make weapon cybersecurity a priority. Over the past few years, DOD has taken steps towards improvement, like updating policies and increasing testing.
The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats. The computerized nature of weapon systems, DOD’s late start in prioritizing weapon systems cybersecurity, and DOD’s nascent understanding of how to develop more secure weapon systems have together created a precarious situation. DOD weapon systems are more software dependent and more networked than ever before. Systems that could potentially fall victim to cyber attacks include targeting systems, friend or foe identification systems, flight software, communications, and microelectronics used throughout the weapon system.
GAO has warned of the cyber risks for decades, but until recently, the agency said, DOD did not prioritize weapon systems cybersecurity. In fact, DOD is still determining how best to address weapon systems cybersecurity.
GAO found that in operational testing, DOD routinely detected mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, GAO says the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
DOD has, however, recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DOD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities. However, DOD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities. To address these challenges and improve the state of weapon systems cybersecurity, GAO says it is essential that DOD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD’s weapon systems cybersecurity efforts.