The Pentagon’s increasing reliance on cutting-edge technologies, from semi-autonomous weapon systems to artificial intelligence applications, have revolutionized America’s way of war but also exposed critical gaps in the department’s cybersecurity operations.
Investigators at the Government Accountability Office found the Defense Department’s approach to protecting vital cyber networks and the systems that operate some of the Pentagon’s most advanced weapons from attack is woefully inadequate. As U.S. military leaders increasingly rely on largely autonomous weapons, with cyber-based command and control systems, the threat of those weapons being compromised through network attacks will only get worse, a new GAO report released Tuesday states.
“Automation and connectivity are fundamental enablers of [the Pentagon’s] modern military capabilities. However, they make weapon systems more vulnerable to cyber attacks,” agency analysts wrote. While GAO leadership “have warned of cyber risks for decades, until recently, [the Defense Department] did not prioritize weapon systems cybersecurity.” That cybersecurity deficit in highly-networked combat systems, analysts wrote, have left department scrambling for a fix.
“Using relatively simple tools and techniques, testers were able to take control of [weapon] systems and largely operate undetected,” GAO officials found. In some cases, members of the government watchdog group were able to crack overly simplified passwords and ” unencrypted communications” to gain control of several weapon systems. Agency officials did not identify the specific weapon systems that were accessed using such techniques.
Department officials have taken several steps to improve cybersecurity on net-centric weapon systems, but implementation of those steps has proved challenging, due to “cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities,” Tuesday’s GAO report stated.
Iranian hackers in 2011 were allegedly able to break into the control systems aboard the U.S. Air Force’s highly-classified RQ-170 long-range reconnaissance drone, making it land the aircraft in Iranian territory. Nicknamed “the Beast of Kandahar,” the drone was conducting an extended aerial surveillance mission near the Iranian border when its control systems were hacked.
Iranian tricked the drone’s guidance systems to think it was landing in U.S-held territory in Afghanistan, when in fact the CIA-operated aerial drone was guided to land inside Iran.
Reported gaps in the plane’s global positioning system allowed Iranian military officials to take control of the plane from its CIA handlers. Iranian intelligence learned about the GPS vulnerabilities by examining other American drones captured by Tehran, according to reports at the time.