Shock & Awe: Cyber Vulnerabilities in U.S. Weapon Systems
The Pentagon has long been seen as the holy grail for hackers. Hollywood has depicted the Department of Defense’s digital networks as an impenetrable fortress, equipped with “Ocean’s 11”-like layers of security. But a shocking new study from the Government Accountability Office shows that when it comes to cybersecurity, DoD’s systems are less like Fort Knox and more like a pillow fort.
DoD Under Fire For Failing to Address Cybersecurity
The GAO report, released last month (GAO-19-128, October 2018), found that DoD’s own testers routinely discovered “mission critical” cybersecurity vulnerabilities in nearly all of the weapon systems in the Pentagon’s acquisition pipeline. Many of the GAO’s findings were truly frightening. Password hygiene at DoD was horrendous. One test team managed to guess an administrator password in just nine seconds. Multiple weapon systems used commercial or open source software, but administrators never changed the default passwords that shipped with it.
Poor password practices, however, were just the tip of the iceberg. One test team partially shut down a weapon system simply by scanning it, a technique the GAO describes as so basic that it “requires little knowledge or expertise.” Test teams were easily able to take control of weapon systems. For example, a two-person team needed only one hour to gain initial access, and only one day to gain full control of the system they were testing. Just as troubling, DoD repeatedly failed to notice the testers’ probes. Testers sometimes operated inside weapon systems for weeks without being detected.
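What catching a scan like that looks like in practice, as an added example that is not part of the GAO report or this article: a small Python detector that replays constructed connection-log lines (the log format, hosts, ports and timestamps are all invented for illustration) and flags any source that touches many distinct ports on one destination inside a time window. Running it with two different window sizes also shows why a short window catches the noisy scan but misses the slow, patient probing the GAO describes going unnoticed for weeks.

```python
"""Port-scan detection over connection logs (added example, not the GAO's or DoD's tooling)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)


def build_sample_log():
    """Constructed log: one fast scanner, one slow scanner, one chatty but benign client."""
    t0 = datetime(2018, 10, 1, 9, 0, 0)
    lines = []
    # Fast scanner: 20 distinct ports on one host within 20 seconds.
    for i in range(20):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.1.5 -> 10.1.2.10:{20 + i} DENY")
    # Slow scanner: the same 20 ports, but one probe every ten minutes.
    for i in range(20):
        ts = t0 + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} 10.1.1.9 -> 10.1.2.10:{20 + i} DENY")
    # Benign client: 30 connections in 30 seconds, all to the same port.
    for i in range(30):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.1.7 -> 10.1.2.10:443 ALLOW")
    lines.append("2018-10-01T09:00:05 malformed entry that the parser must skip")
    lines.sort()  # ISO-8601 timestamps sort correctly as strings
    return "\n".join(lines)


def parse(log_text):
    """Turn log text into (timestamp, src, dst, port) tuples, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def detect_scans(log_text, window_seconds=60, min_ports=10):
    """Return {(src, dst): peak distinct ports in any window} for pairs that reach min_ports.

    A sliding window per (src, dst) pair keeps only hits inside window_seconds and counts
    how many distinct destination ports they cover; the peak count is the scan score.
    """
    window = timedelta(seconds=window_seconds)
    per_pair = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log_text)):
        per_pair[(src, dst)].append((ts, port))

    flagged = {}
    for pair, hits in per_pair.items():
        recent = deque()              # (ts, port) hits still inside the window
        counts = defaultdict(int)     # port -> occurrences inside the window
        peak = 0
        for ts, port in hits:
            recent.append((ts, port))
            counts[port] += 1
            while recent and ts - recent[0][0] > window:   # evict expired hits
                _, old_port = recent.popleft()
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
            peak = max(peak, len(counts))
        if peak >= min_ports:
            flagged[pair] = peak
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("60-second window:", detect_scans(log, window_seconds=60))
    print("24-hour window:  ", detect_scans(log, window_seconds=24 * 3600))
```

With a 60-second window only the fast scanner (10.1.1.5) is flagged; the benign client never exceeds one distinct port, and the slow scanner (10.1.1.9) never has more than one probe inside the window. Widening the window to a day flags the slow scanner as well, at the cost of more state per source pair. Real detections usually keep both: a short window for noisy tools and a long one, often backed by a database rather than memory, for the low-and-slow case.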
Part of the problem is that the military’s weapon systems are more computerized and networked than ever before. As R. David Edelman, former special assistant to President Obama for cybersecurity and tech policy, notes: “Our most sophisticated fighter jets are effectively supercomputers with very hot engines.” Prioritizing connectivity is a double-edged sword. On the one hand, it enables efficiencies that ensure our military can perform at the highest level. On the other hand, it greatly expands DoD’s attack surface — creating an enormous number of potential vulnerabilities that cyber threat actors can exploit.
The Pentagon, like many organizations, was slow to take cyber concerns into account when setting up its systems. Consequently, the study notes that “DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” Perhaps more disturbingly, even when warned about flaws in their systems, program offices repeatedly failed to fix them. In one assessment the GAO cited, only 1 of 20 vulnerabilities identified in an earlier assessment had been corrected by the time of the follow-up.
DoD has dismissed the GAO’s study, arguing that the test conditions were not realistic. In doing so, however, the Pentagon was contesting the work of its own department: the GAO didn’t conduct any of the tests itself; it audited the assessments already performed by DoD testing teams. At the very least, the GAO study suggests a disturbing disconnect between how vulnerable DoD weapon systems are and how secure DoD officials believe them to be. Only time will tell who is right. If DoD is wrong, the consequences could be catastrophic.
Does Your Organization Defend Better than DoD?
As a senior executive, you probably don’t oversee complicated weapon systems. The most lethal instrument you use is more likely to be a letter opener. Still, this GAO report has important lessons to apply to your own organization. DoD’s weapon systems can seem far more sophisticated than the devices and networks you use at the office. But they’re not nearly as different as you would think. Whether you’re managing a small business or a Fortune 50 company, the fundamental principles of cybersecurity still apply to your enterprise.
Here are a few of the top takeaways:
Penetration Testing is Important
Much of the research in the GAO report came from the Pentagon’s penetration testers. Pen testing (sometimes also called “ethical hacking” or “white hat hacking”) is the process of examining a computer system to spot any security vulnerabilities that a cyber threat actor could exploit. Think of an ethical hacker like a secret agent. Their job is to get inside the mind of your potential adversaries and anticipate how they might attempt to infiltrate your network. If these cyber sleuths see any weaknesses in your organization’s security posture, you can mitigate the vulnerabilities before the bad guys find them.
Organizations should pen test regularly: at least once a year, and again after any significant change to the environment, such as a new customer-facing application, a network redesign or a cloud migration. Automated vulnerability scanners are useful for finding known, unpatched issues at scale, but they are not a substitute for a manual test by skilled people, who chain small weaknesses together into the kind of full compromise the DoD testers achieved. Scope and rules of engagement also matter: the GAO found systems that partially shut down when simply scanned, so fragile or safety-critical equipment should be tested in a controlled environment or under agreed limits.
Maintain Good Password Hygiene
Poor password management was systemic at the Pentagon. Unfortunately, DoD employees are not the only members of the cyber hygiene hall of shame. Everyone from music megastars to top tech CEOs has been caught using weak passwords. The two most commonly used passwords are still “123456” and “password.” Poor password hygiene comes with serious consequences for companies: Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen passwords.
So what makes a strong password? Length matters far more than character-class rules. Treat eight characters as a floor rather than a target, and allow (and encourage) much longer ones; a passphrase of several random words is easier to remember and harder to guess than a short string of symbols. Current NIST guidance (SP 800-63B) drops two rules that were once standard advice: mandatory complexity mixes and scheduled resets every 30 to 60 days, both of which push users toward predictable variations such as “Password1!” followed by “Password2!”. Instead, screen every new password against lists of common and previously breached passwords, change a password immediately when there is any sign it has been compromised, and never leave a vendor default in place, which is exactly the failure the GAO found in DoD weapon systems. A password manager and multi-factor authentication cover the gap that any password rule leaves open.
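To make that guidance concrete, here is an added example (not code from this article or from any standard) of a password acceptance check in the NIST SP 800-63B style: a length floor, a generous ceiling so passphrases are not truncated, a screen against a blocklist of common and default passwords, a check that the password does not contain the username, and a rejection of repeated or sequential runs. The blocklist is a tiny constructed set for illustration; a real deployment would load a breached-password corpus instead.

```python
"""NIST SP 800-63B-style password screening (added example; blocklist is constructed)."""
import re

MIN_LENGTH = 8    # the 800-63B floor for human-chosen secrets
MAX_LENGTH = 64   # allow long passphrases; never truncate silently

# Constructed, deliberately tiny blocklist. Production code loads a full corpus of
# common and previously breached passwords plus every vendor default it can find.
BLOCKLIST = {
    "123456", "password", "qwerty", "letmein", "welcome", "iloveyou",
    "admin", "changeme", "default", "root",
}

# Fold the substitutions people use to satisfy "complexity" rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i", "$": "s", "5": "s", "3": "e"})


def normalize(pw):
    """Strip trailing digits/punctuation, then fold leetspeak: 'P@ssw0rd1!' -> 'password'."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def has_sequence(pw, run=4):
    """True if pw contains `run` characters that are identical or consecutive (abcd, 4321, zzzz)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        chunk = codes[i:i + run]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, username="", blocklist=BLOCKLIST):
    """Return (accepted, reason). Checks are ordered cheapest first."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if len(username) >= 3 and username.lower() in pw.lower():
        return False, "contains username"
    if pw.lower() in blocklist or normalize(pw) in blocklist:
        return False, "on blocklist"
    if has_sequence(pw):
        return False, "repeated or sequential characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd1!", "jsmith"), ("Changeme2018", "jsmith"),
                            ("admin123", "admin"), ("abcd1234", ""),
                            ("correct horse battery staple", "jsmith")]:
        print(f"{candidate!r:35} -> {check_password(candidate, user)}")
```

Note what the example rejects: “P@ssw0rd1!” satisfies every classic complexity rule (upper, lower, digit, symbol, more than eight characters) and still fails, because after folding it is just “password”, while the plain four-word passphrase passes. For the blocklist lookup in production, the Have I Been Pwned “Pwned Passwords” service offers a k-anonymity API that lets you check a password against hundreds of millions of breached ones without sending the password itself.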
Denial and Delay is a Dangerous Strategy
DoD has dismissed the results of the GAO report. But cyber experts say that the Pentagon is ignoring this study at their own peril. As R. David Edelman put it, “In the private sector, this is the sort of report that would put the CEO on death watch.”
Too many organizations are in denial about the state of cybersecurity in their enterprise. This is a problem, because you can’t fix something that you refuse to admit is broken. As any psychologist would tell you, acceptance is the first step on the road to recovery. Pen tests are pointless unless you actually use the findings to fix the flaws in your network.
It can be tempting to sweep inconvenient results under the rug. But eventually, a breach will come back to bite you. Complacency can ultimately be a career killer — a lesson too many C-Suite executives have learned the hard way.
We’re Here to Help
If even the Pentagon, with its budget and its mandate, has a precarious cyber posture, your business should not assume it is secure either. Fortunately, CyberVista is here to help. Our Resolve programs can teach you how to properly oversee cyber risk, provide a deep-dive session on a specific cyber topic, or even run you through a cyber breach scenario to test how well you perform during a digital crisis. When it comes to cyber risk, it’s important to be proactive, so let’s get started!