DoD Cybersecurity Performance Audit

At the direction of the Senate Armed Services Committee (SASC), the Government Accountability Office (GAO) conducted a performance audit on the Department of Defense (DoD) from July 2017 to October 2018 that examines the cybersecurity of weapons systems. Since 1997, federal information security has been one of GAO’s government-wide high-risk areas. SASC directed GAO to “conduct a series of reviews of DoD’s efforts to improve the cybersecurity of the weapon systems it develops.” The report’s primary focus is on systems currently under development.

GAO reviewed cybersecurity assessment reports from weapon systems that were tested over the last five years to identify vulnerabilities in the systems currently under development. This is GAO’s first report on cybersecurity in the context of weapon system acquisitions. While this initial report presents findings without recommendations, GAO plans to evaluate DoD’s weapon system cybersecurity efforts on an ongoing basis. The report does not examine in depth related issues such as contractor security, Internet of Things devices, microelectronics, contracting, and industrial control systems.

GAO points out that while some weapon systems are purely IT systems, most are not. For instance, missiles, ships, and aircraft are considered “cyber-physical systems”: co-engineered systems in which computational and physical components are tightly integrated. These systems are similar in that they rely on, and inherit the vulnerabilities of, commercial and open source software. They also rely on firewalls and other common security controls, which can be exploited if not properly configured. No matter how secure a system is designed to be, it is only as secure as its weakest component, and in many cases that component is the human element that takes shortcuts in simple things such as password practices.

GAO found “DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.” The test teams were able to gain unauthorized access to take full or partial control of systems using relatively simple tools and techniques. The GAO also reported poor password management in the test reports it reviewed. One test found that the test team was able to guess the administrator password in nine seconds. Furthermore, many systems using open source software failed to change the default password upon installation of the software. Test teams easily accessed the systems using default passwords found on the internet.

GAO points out that while these tests revealed vulnerabilities, the time- and scope-constrained tests were not particularly robust; a real adversary would not operate under those limitations. The success rate of these limited initial penetration tests should be troubling to DoD, and clearly both GAO and SASC are concerned. Section 1647 of the 2016 National Defense Authorization Act (NDAA) directs the Secretary of Defense to evaluate the cyber vulnerabilities of each weapon system by the end of 2019 and to develop strategies to mitigate the risks that result from those vulnerabilities.

The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats.

Senate Armed Services Committee Chairman Inhofe (R-OK), October 10th

One of the biggest challenges GAO identifies is DoD’s inability to hire and retain cybersecurity personnel with weapon system cybersecurity expertise. DoD is not alone in this challenge; GAO notes that the Federal Government as a whole has difficulty hiring and retaining cybersecurity personnel. GAO identifies the government’s non-competitive salaries as the major contributing factor.