Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems
from the just-a-hack-away-from-a-dystopian-hellscape dept
holy_shit(1).pdf [PDF]:
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.
Terrified/horrified yet?
In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.
The Government Accountability Office's report contains nearly no good news. Just bad news on top of bad news with the chilling reminder that these are weapons systems so a malicious attack could do more than damage systems or exfiltrate sensitive data. It could actually kill people.
Why is the Defense Department's… um… defense in such shoddy shape? Well, it didn't get that way overnight. It took literally decades for it to arrive at this nexus point of technological advances and laissez-faire cybersecurity oversight.
Multiple factors contribute to the current state of DOD weapon systems cybersecurity, including: the increasingly computerized and networked nature of DOD weapons, DOD’s past failure to prioritize weapon systems cybersecurity, and DOD’s nascent understanding of how best to develop more cyber secure weapon systems. Specifically, DOD weapon systems are more software and IT dependent and more networked than ever before. This has transformed weapon capabilities and is a fundamental enabler of the United States’ modern military capabilities. Yet this change has come at a cost. More weapon components can now be attacked using cyber capabilities. Furthermore, networks can be used as a pathway to attack other systems. We and others have warned of these risks for decades. Nevertheless, until recently, DOD did not prioritize cybersecurity in weapon systems acquisitions.
The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.
The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.
Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.
Some programs were slightly more resistant to outside attacks. But they couldn't fight off attacks from insiders or contractors.
[O]ne assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.
System data could be easily manipulated, resulting in the exfiltration of 100 GBs of sensitive data. Other data was altered by testers, with the alterations going unmolested and unnoticed.
Ready for more horror?
[I]n some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system…
[...]
One test report indicated that the test team was able to guess an administrator password in nine seconds.
[...]
Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software.
And no one at the DOD is learning from their mistakes.
One test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error. Another test report indicated that the test team exploited 10 vulnerabilities that had been identified in previous assessments.
Other tests by the GAO went "undetected for weeks." DOD employees did not see crashes as possible indicators of malicious attacks, stating that "unexplained crashes were normal for the system." Operators had become desensitized to security warnings, thanks in part to one system that always indicated it was under attack.
This isn't to say the DOD isn't try — dear sweet god in heaven:
One test report indicated that operators identified test team intrusion attempts and took steps to block the test team from accessing the system. However, the test team was able to easily circumvent the steps the operators took. In another case, the test team was able to compromise a weapon system and the operators needed outside assistance to restore the system.
Run silent, run deep.
As testers took over systems and escalated privileges, DOD officials interviewed by the GAO were expressing confidence in their cybersecurity programs. What programs the officials couldn't really say, since assessments appear to be a rarity and those that are carried are skin-deep. They admitted many systems had never been comprehensively tested, either due to the late implementation of penetration testing programs or because tests "would interfere with operations."
The only thing surprising about the report is that the systems weren't already crawling with malicious software by the time the GAO got around to engaging in penetration testing. Maybe state-sponsored hackers are just biding their time, waiting for an opportune moment to take control of US weapons systems. Or maybe the thought of turning a cyberwar into a conventional war isn't that appealing. Directly attacking DOD systems would pretty much be the software equivalent of declaring war, and very few countries are willing to escalate from military-sponsored action to boots on the ground.
But if it's only better judgment holding our enemies back, that's not going to last forever. Better judgment isn't exactly the calling card of several world powers, including our own at the present. The DOD has been told it sucks at security several times over the past 30 years. The message has yet to sink in. The GAO will revisit this years down the road. Perhaps the DOD will fare better the next time around. It certainly can't do worse than it is now.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, defense department, dod, vulnerabilities, weapons
Reader Comments
Subscribe: RSS
View by: Time | Thread
'Why would it be OUR responsibility to secure OUR systems?'
If the systems are that poorly secured the question is not 'Are they compromised?' it's 'How much are they compromised, and by how many parties?' With security that bad it's all but a given that the number is well over 'zero'.
When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error.
Given we're talking about weapons systems, if they actually cared that should be former contractor error, as any contractor that ignored critical security like that should be swiftly shown the door and replaced with one that gives the matter the serious consideration it deserves.
The contractors may be at fault for indifference towards the issue, but so is the DOD for their indifference as well.
Perhaps the DOD will fare better the next time around. It certainly can't do worse than it is now.
Indeed, as the totally-not-often-said-before-a-disaster saying goes, 'What's the worst that could happen?'
[ link to this | view in chronology ]
Re: 'Why would it be OUR responsibility to secure OUR systems?'
Who? As Tim writes, there's "nearly no good news". In other words, they didn't find a secure system from any contractor. There's not a huge number of military weapons manufacturers to choose from either. If you boot out all the large ones, who's left who can handle that volume?
[ link to this | view in chronology ]
Re: Re: 'Why would it be OUR responsibility to secure OUR systems?'
'We've got a military contract for several million/hundred million/billion dollars, and our last contractor got canned for incompetence. Who wants to replace them?'
Pretty sure there would be plenty of companies willing to step up with a possible payday of that size on the table.
It sounds like most of the problems are on the software side of things, so it's not like they need a company capable of major manufacturing, and if need be they could get the hardware from one company, and then rely on other for the code/support.
[ link to this | view in chronology ]
Re: Re: Re: 'Why would it be OUR responsibility to secure OUR systems?'
If the hardware company is willing to (or contractually required to) cooperate with someone they might view as a competitor. These aren't exactly open platforms where you just pop in a USB stick, install a new OS, and wait while it downloads your weapon drivers. (Or if they are, add that to the "terrified/horrified" pile.)
Companies might be willing, but the invitation is unlikely to be as open as you suggest. The bidding company will need security clearances, probably has to know how to navigate military purchasing systems.... nevertheless, you're likely right that a bunch will apply if it's a software-only deal. Would the military have had the foresight to acquire copyrights, or would the replacement have to be written from scratch? If it's this bad, maybe it doesn't matter.
[ link to this | view in chronology ]
Re: 'Why would it be OUR responsibility to secure OUR systems?'
Perhaps their best hope is that all the hackers in their system start applying security patches to keep each other out?
[ link to this | view in chronology ]
Re: Re: 'Why would it be OUR responsibility to secure OUR systems?'
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
~Bad People
[ link to this | view in chronology ]
Re:
Don't worry, only the good guys will use the all-important, must-have for the sake of law and order backdoor.
The bad guys won't need to. No one closes/locks/watches the front door, the windows are open, there's a hole in the wall, the flapping dog door is five feet wide, the siding is transparent, the garage door won't close all the way, the walkout basement doesn't even have a door, and the owner keeps all of their keys hanging on a peg by the mailbox with a big neon sign pointing at it so they won't lose them.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
Bad guys won't be able to use these backdoors, because everyone knows that's how it works!
That's why everyone knows that no home has ever been broken into by a bad guy who then robbed it or harmed/murdered the residents inside!
[ link to this | view in chronology ]
Biding time
If some foreign government took control, they wouldn't install "malicious software", they'd install patches. To keep other countries out, and keep the government from noticing any insecurity. Of course they'd leave something open for themselves, but nothing that could be identified as malicious software. It might just be a copy of OpenSSH, replacing the telnet that came with the thing.
There's little benefit to even doing that, while relations are peaceful. Knowing they'll be able to use manufacturer-supplied security holes to fight off an American attack, if the time ever comes, is enough—unless they expect another country might be targeted at the same time and take control first.
[ link to this | view in chronology ]
What about the opponents???
But this is a *very strong caution* against a direct shooting war with either of them, and in the future, anyone at all with an educated workforce.
Power it up, "Hold onto your butts!", no idea what might happen next. Why is the CPU warm??? Cyberbattle going on inside, game of cat and mouse!
[ link to this | view in chronology ]
The only thing surprising about the report is that the systems weren't already crawling with malicious software ... Maybe state-sponsored hackers are just biding their time...
Or maybe every single intruder that goes near a DoD system backs off, refusing to mess with what appears to be a laughably obvious honeypot.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Attack of the Rogue Droids
[ link to this | view in chronology ]
We should rename dod to dept of war
Guard duty is not glamorous enough. (Looking at you NSA)
[ link to this | view in chronology ]
Re: We should rename dod to dept of war
There is a need for separate teams, and new coaches with different sets of plans. One looking at defense and one looking at offense, otherwise they are just offensive (pun intended).
[ link to this | view in chronology ]
For more in this vein, give Command and Control a read for a horrifying historical look at the security of our nuclear weapons.
[ link to this | view in chronology ]
And somehow the government still loves to haul private companies in for a public beatdown to keep the base riled up while some kid in Finland has operational control over a nuclear missile....
Before demanding better from others, perhaps they should fix their own damn house & see how hard it is and why their demands everyone else do it perfectly all the time make us laugh.
[ link to this | view in chronology ]
Re: Top men, Top men.
More likely Moscow, Tehran, Peking, North Korea, etc.
[ link to this | view in chronology ]
we're all safe
[ link to this | view in chronology ]
Does anybody remember Stuxnet?
[ link to this | view in chronology ]
Does anybody remember Stuxnet?
How do we/they know that the systems aren't already compromised by hidden backdoors waiting for the right time to be activated and disable the system or use it to attack us?
[ link to this | view in chronology ]