The Register

Hunt for Red Bugtober: US military’s weapon systems riddled with security holes – auditors

Computer security vulnerabilities are widespread in US military hardware, and the Pentagon is only beginning to understand how to fix them.

This is according to an October report [PDF] on cybersecurity practices in Uncle Sam’s armed forces, drawn up by the Government Accountability Office (GAO).

Leading with the subtle title “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the dossier outlines how known exploitable flaws in components like microcontrollers, industrial control system boards, and management software are being left unpatched, with little in the way of plans to address them. That’s bad news as more and more equipment is hooked up to computer networks and the internet, from where those holes can potentially be exploited.

“Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity,” the scathing report stated.

“In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”


According to the auditors, the problem lies both in the structure of the Department of Defense itself – where network and information security is kept separate from weapons systems and acquisitions – and in the way the weapons themselves increasingly rely on network connectivity and smart, connected components to function.

As a result, the report claims the department is only beginning to figure out what it needs to patch and how it needs to go about doing it in things like missile guidance systems or fighter jets. Even new systems, the GAO says, are being introduced with major vulnerabilities and exposures like default passwords and unencrypted data connections.

“In part because DOD historically focused on the cybersecurity of its networks but not weapon systems themselves, DOD is in the early stage of trying to understand how to apply cybersecurity to weapon systems,” the report reads.

“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity.”

In the meantime, GAO says that the Pentagon should focus on upping its efforts to develop cybersecurity offices (read: recruit more techies) and find ways to better coordinate communications between departments so they can share vulnerability and threat information with one another. ®
