The Government Accountability Office warned in a report issued today that the Defense Department “faces mounting challenges in protecting its weapons systems from increasingly sophisticated cyber threats,” and, because of its “late start” in prioritizing weapons systems cybersecurity, needs to “sustain its momentum” in developing and implementing key weapon systems security initiatives.
Despite the somewhat dire language in its report, GAO said it was not making “any recommendations at this time” to DoD, and will continue to evaluate the issue.
In the report, GAO said DoD is facing weapons systems security challenges not only because of what it called the agency’s late start, but also because of the increasingly computerized nature of weapons systems which makes them more software and network dependent, and “DoD’s nascent understanding of how to develop more secure weapons systems.”
“Although GAO and others have warned of cyber risks for decades, until recently, DoD did not prioritize weapon systems cybersecurity. Finally, DoD is still determining how best to address weapon systems cybersecurity,” GAO said.
“In operational testing, DoD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic,” GAO said.
It continued, “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DoD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.”
On the plus side, GAO said DoD has “recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DoD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities.”
“However, DoD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities,” GAO said. “To address these challenges and improve the state of weapon systems cybersecurity, it is essential that DoD sustain its momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DoD’s weapon systems cybersecurity efforts.”
The Defense Department’s press shop did not have an immediate response to the GAO report late today.