The Defense Department is only in the early stages of improving the cyber security of the weapon systems it develops, and the vulnerabilities of those systems are made worse by their complexity, warns a new report by congressional auditors.

The potential risks from these vulnerabilities are huge.

“These weapons are essential to maintaining our nation’s military superiority and for deterrence,” says the 50-page report, Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities (GAO-19-128). It adds that “Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life.”

The report, which was prepared for the Senate Armed Services Committee, says GAO and others such as the National Research Council and Defense Science Board have warned for years about cyber risks to weapon systems. It says that DoD has only recently begun to prioritize weapon systems cyber security and to understand how to build it into its weapon systems, and that the change will not happen overnight.

“Several DoD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity,” GAO says.

Weapons are vulnerable to cyber attack because they depend on software and information technology and because they are “more networked than ever before,” the report says, pointing out that “networks can be used as a pathway to attack other systems.”

GAO graphic showing fictitious weapon system with embedded software and IT systems that could be vulnerable to cyber attacks. Source: GAO

The report doesn’t detail specific vulnerabilities because they are classified, but it highlights the pervasive use of software and IT within weapon systems by depicting a fictitious military aircraft that includes flight software, life support systems, targeting systems, industrial control systems, communications, collision avoidance and other systems. The automation these systems provide also “significantly expands weapons’ attack surfaces,” GAO says.

Historically, DoD has focused its cyber security efforts on protecting networks and traditional IT systems, the report says. That changed a few years ago when cyber security for weapons began to be addressed, although the report adds that the department is still sorting out how to address the security of its weapon systems.

“Due to this lack of focus on weapon systems cybersecurity, DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO says. It says that between 2012 and 2017, “DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” noting that testers were often able to defeat the cyber security controls within those weapon systems and take control of them with relative ease.

The report warns that DoD doesn’t fully understand the scale of these cyber vulnerabilities because the testing was “limited in scope and sophistication.”

The report notes that industrial control systems, which are used on weapon systems such as Navy ships to control engines, were designed for use in trusted environments and often lacked security controls. For several years DoD has been funding efforts to better understand how to secure these systems, it says.

To address the cyber security vulnerabilities in weapon systems, DoD has issued and updated guidance related to the development of systems that are cyber resilient, and is endeavoring to better understand these vulnerabilities, GAO says.

Still, challenges remain such as recruiting and retaining a cyber security workforce and resistance to sharing information internally about cyber vulnerabilities in weapon systems, GAO says. However, GAO acknowledged that given cyber espionage efforts against defense contractors, “concerns about protecting sensitive information are warranted.”

This is the first time GAO has reported on cyber security vulnerabilities in the acquisition of weapon systems.