Pentagon Slow to Protect Weapons From Cyber Attacks

(Bloomberg) -- The Pentagon hasn’t made cybersecurity for its multibillion-dollar weapons systems a major focus until recently despite years of warnings, according to Congress’s watchdog agency.

“Instead, for many years,” until about 2014, the Pentagon “focused cybersecurity efforts on protecting networks and traditional IT systems, such as accounting systems, rather than weapons,” the Government Accountability Office said in a report released Tuesday entitled: “DOD Just Beginning to Grapple with Scale of Vulnerabilities.”

The report doesn’t name any specific weapons systems but underscores that the same software that can turn the F-35 jet into a flying computer capable of absorbing and distributing massive amounts of data also can introduce vulnerabilities that can cripple a system.

“There was a general lack of emphasis on cybersecurity throughout the acquisition process” even as operational tests of systems between 2012 and last year “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the GAO said in the report to the Senate Armed Services Committee.

“Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected” and “in some cases, system operators were unable to effectively respond to the hacks,” the GAO said. “Furthermore, DOD does not know the full scale of its weapon system vulnerabilities because, for a number of reasons, tests were limited in scope and sophistication.”

“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our Defense Industrial Base and Defense Critical Infrastructure partners to secure critical information,” Army Major Audricia Harris, a Pentagon spokeswoman, said in an emailed statement.

Todd Probert, Raytheon Co.’s vice president of Mission Support and Modernization, said the GAO report wasn’t surprising. “The military has been working closely with industry to understand the risks these vulnerabilities pose and how to better secure their systems.” Congress and the military “must also increase funding specifically for cyber vulnerability assessments and cyber hardening,” he said.

Still, the report said, “DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”

To contact the reporter on this story: Tony Capaccio in Washington at acapaccio@bloomberg.net

To contact the editors responsible for this story: Bill Faries at wfaries@bloomberg.net, Larry Liebert

©2018 Bloomberg L.P.