Authorized hackers were quickly able to seize control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities, according to a new and eye-opening government review.
The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.
A public version of the study, published last week, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.
But even the declassified review painted a terrifying picture of weaknesses in a range of emerging weapons, from new generations of missiles and aircraft to prototypes of new delivery systems for nuclear weapons.
“In one case, the test team took control of the operators’ terminals,” the report said. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system” — a technique reminiscent of what Russian hackers did to a Ukrainian power grid two years ago.
The Government Accountability Office, the investigative arm of Congress, described “red team” hackers who were pitted against cyberdefenders at the Pentagon. The tested weapons were among a total of 86 weapons systems under development; many were penetrated either through easy-to-crack passwords, or because they had few protections against “insiders” working on elements of the programs.
Sometimes the testing teams toyed with their Pentagon targets. One team “reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”
The searing assessment comes after years of warnings about the vulnerabilities of the military systems — some of which the Government Accountability Office said were ignored — and just as President Trump gives American commanders more flexibility to deploy cyberweapons without obtaining presidential approval.
It also suggests that the United States is vulnerable to cyberattacks when it seeks to disable enemy systems.
Nuclear weapons themselves were not included in the report; they are mostly controlled by the Energy Department, which oversees their design and testing. But nuclear weapons have become a focus of increasing scrutiny, both inside and outside the defense establishment.
Last month, the Nuclear Threat Initiative, a group that studies nuclear threats, published a detailed report about the risks that nuclear weapons systems could be subject to cyberattacks. It warned that such attacks “could have catastrophic consequences,” including the risk that weapons could be used in response to “false warnings or miscalculation.”
“The world’s most lethal weapons are vulnerable to stealthy attacks from stealthy enemies — attacks that could have catastrophic consequences,” former Energy Secretary Ernest J. Moniz, former Senator Sam Nunn and former Defense Minister Des Browne of Britain wrote in that report.
“Today, that fact remains the chilling reality,” wrote the three Cold War veterans. “Cyberthreats are expanding and evolving at a breathtaking rate, and governments are not keeping pace. It is essential that the U.S. government and all nuclear-armed states catch up with — indeed, get ahead of and stay ahead of — this threat.”
It can be a scary business that we’re in sometimes, huh?
I think all people can ask for is that we have our very best men and women on the case protecting us at all times.