By CHHS Extern Kaitlyn Holzer

On October 9th, 2018, the United States Government Accountability Office (GAO) published a report to the Senate that details the cybersecurity vulnerabilities of the Department of Defense’s (DOD) weapon systems. The DOD published the report in support of its plan to spend $1.66 trillion to further develop their major weapon systems.

The increase of the computerized nature of DOD weapon systems and DOD’s failure to prioritize the cybersecurity of these systems has contributed to the cyber vulnerabilities exposed in the GAO’s report. Historically, the DOD has focused on the cybersecurity of their networks rather than their weapon systems. Additionally, DOD cyber vulnerabilities were not properly acknowledged and addressed because DOD officials believed their systems were resilient to cyber attacks. However, operational testing showed that the DOD cybersecurity measures were severely underdeveloped. Testers were able to hack into DOD weapon systems and take control while remaining undetected. The methods used to hack into DOD systems included scanning a weapon system and guessing administrative passwords. The report claims that one tester gained access to a DOD weapon system in nine seconds by guessing a password. When DOD operators were able to detect an attack, they were not able to respond without outside assistance.  Additional data reveals that almost all weapons tested by the DOD between 2012 and 2017 had “mission critical” cyber vulnerabilities.

DOD organizations have responsibilities related to the cybersecurity of weapon systems, but there is no central organization for DOD cybersecurity. Authorizing officials within each DOD program are responsible for overseeing the program’s security protocols and authorizing cyber risk. Organizations such as the National Security Agency and Cyber Command are able to provide advice and review cybersecurity protocols, but are not responsible for cyber risk.

The DOD has begun to take steps to improve their weapon systems cybersecurity. Since it appears the DOD is sustaining its momentum in developing adequate cybersecurity protocols, the GAO report did not include any recommendations. The most recent step in increasing weapon systems cybersecurity is the DOD Cyber Survivability Endorsement Implementation Guide. This guide sponsors cyber survivability requirements based on a program’s risk category and mission. Additionally, the DOD is now engaging in technology maturation, or building cybersecurity into early prototypes, developmental testing, and operating testing.

Although the DOD is working to increase cybersecurity measures within their weapon systems, it faces systemic barriers that will make their recent initiatives and policy changes difficult to implement. First, the DOD struggles to hire and retain cybersecurity personnel with weapon systems expertise. Cyber personnel with adequate expertise expect compensation in the range of $200,000 to $250,000 per year, according to the report. That salary exceeds the DOD’s pay scale. Second, the DOD faces barriers to information sharing. The information pertaining to weapon systems is often classified, making it difficult to find the correct balance between sharing information within military branches and other federal agencies. Further, there is no DOD-wide cybersecurity classification guideline, meaning information that is classified in the Air Force may not be classified in the Navy.

In the months ahead, the DOD’s new cybersecurity strategy will be under watch by the GAO and the Senate, as Congress votes on the DOD’s most recent budget request. Regardless of Congress’ vote, the DOD will need to continue to improve their weapon systems cyber vulnerabilities or risk over a trillion dollars of advanced military weapons and the security of the nation.