In July 2015, Wired magazine published a report of a test in which a team of computer “hackers,” using a wireless connection to the car’s computers, controlled the car’s computers. They turned the air conditioning and radio on, shut off the engine and the brakes. At one point, they cut off operation of the car’s transmission.
An October report by the Government Accountability Office to the Senate Armed Services Committee says that the Pentagon’s most advanced weapon systems may be vulnerable to the same sort of cyber attacks.
Let’s dispense with the term “hacker,” which conjures an image of a pajama-clad teenager sitting in his mom’s basement with a beer and a laptop. The concerted, long-term cyber attacks that are made against our defense and intelligence establishments are perpetrated by powerful nations and terrorist groups.
These adversaries employ thousands of people whose only function is to find and exploit vulnerabilities in U.S. computer networks, weapon systems and satellites. Those people — in China, North Korea, Russia and Iran, among other adversaries — are exceptionally proficient at what they do.
Which makes the GAO report’s findings simply terrifying. The GAO reviewed the way that U.S. weapon systems are designed and found that the process essentially ignores the threat of cyber attacks. In part, the report found that:
“[F]rom 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected. In some cases, system operators were unable to effectively respond to the hacks.”
These days, computers control essentially every function in a weapon system. The F-35 Joint Strike Fighter is run by dozens of computers that control everything from navigation and communication to — quite literally — every function the pilot is responsible for, including dropping bombs. The F-35’s computers are programmed with at least 5 million lines of code.
What is true for the F-35 is equally true for our constellations of satellites, our missiles and all other weapon systems. Their vulnerabilities arise not only from possible cyber attacks against the aircraft but also from such attacks on command and control systems, logistical support and other systems, on the ground and in the air, that connect to the weapon systems.
Staying on the F-35 example, the aircraft is supposed to be a “sensor hub,” gathering and transmitting information to other aircraft as well as ships, satellites and command systems on the ground. It isn’t connected to the Internet, but every radio signal it receives can carry a cyber attack into the aircraft itself.
American weapon systems aren’t connected to the Internet, but they are often connected to systems that are. Sophisticated cyber attackers may take years to find how one system enables them to access another and provide the means of controlling any and all of them. The GAO found ” widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond and recover.”
It also found that, “DOD does not know the full extent of its weapon systems cyber vulnerabilities due to limitations on tests that have been conducted.” To say the least, that is inexcusable.
It’s not as if the threat of cyber interference in the operation of machinery is something new. Inserting “malware” — software that can seize control of a machine’s operation — has been the objective of cyber attackers for decades. The most famous — so far — was the “Stuxnet” malware, inserted into Iranian uranium enrichment centrifuges, causing the centrifuges to run at excessive speed, destroying many. The “Stuxnet” attack was publicized in 2010.
It’s a short and easily foreseeable step to apply the methodology of the “Stuxnet” attack to attack a weapon system.
How, then, can our weapons designers and Pentagon weapons purchasers have failed to protect our weapon systems and the systems on which they depend adequately? It makes no sense to purchase trillions of dollars of defense systems knowing that they can be neutered — or turned against us — by cyber attacks.
Someone — either the president or Defense Secretary James Mattis — should be asking some really pointy-type questions and demanding that the holes in our defense systems be plugged.
The GAO didn’t study the CIA and NSA programs to design and operate our spy satellites. The question of whether those agencies are building adequate cyber defenses into those systems remains unanswered.
An Oct. 14 report in The Washington Times said that our military is struggling to maintain readiness with its over-aged aircraft after 17 years of war. The report said that Mr. Mattis demanded that 80 percent readiness of the Pentagon’s aircraft a day before the Pentagon ordered the grounding of all F-35s due to one of its many problems.
The Pentagon budget increase that President Trump got this year from Congress is woefully inadequate to replace the over-aged aircraft. It will take that much money — or more — to fix the cyber vulnerabilities of our weapon systems, both old and new.
And it will take more than spending to fix these problems. Both the president and Mr. Mattis need to make them their top priority. If that leadership isn’t made effective, our defense forces will continue their evolution into a cyber-neutered tiger.
• Jed Babbin, a deputy undersecretary of defense in the George H.W. Bush administration, is the author of “In the Words of Our Enemies.”