GAO-19-128, WEAPON SYSTEMS CYBERSECURITY: DOD Just

GAO-19-128, WEAPON SYSTEMS CYBERSECURITY: DOD Just

United States Government Accountability Office Report to the Committee on Armed Services, U.S. Senate October 2018 WEAPON SYSTEMS CYBERSECURITY DOD Just Beginning to Grapple with Scale of Vulnerabilities GAO-19-128 October 2018 WEAPON SYSTEMS CYBERSECURITY DOD Just Beginning to Grapple with Scale of Vulnerabilities Highlights of GAO-19-128, a report to the Committee on Armed Services, U.S. Senate Why GAO Did This Study What GAO Found DOD plans to spend about $1.66 The Department of Defense (DOD) faces mounting challenges in protecting its trillion to develop its current portfolio of weapon systems from increasingly sophisticated cyber threats. This state is due major weapon systems. Potential to the computerized nature of weapon systems; DOD’s late start in prioritizing adversaries have developed advanced weapon systems cybersecurity; and DOD’s nascent understanding of how to cyber-espionage and cyber-attack develop more secure weapon systems. DOD weapon systems are more capabilities that target DOD systems. software dependent and more networked than ever before (see figure). Cybersecurity—the process of protecting information and information systems—can reduce the likelihood Embedded Software and Information Technology Systems Are Pervasive in that attackers are able to access our Weapon Systems (Represented via Fictitious Weapon System for Classification systems and limit the damage if they Reasons) do. GAO was asked to review the state of DOD weapon systems cybersecurity. This report addresses (1) factors that contribute to the current state of DOD weapon systems’ cybersecurity, (2) vulnerabilities in weapons that are under development, and (3) steps DOD is taking to develop more cyber resilient weapon systems. To do this work, GAO analyzed weapon systems cybersecurity test Automation and connectivity are fundamental enablers of DOD’s modern military reports, policies, and guidance. GAO interviewed officials from key defense capabilities. However, they make weapon systems more vulnerable to cyber organizations with weapon systems attacks. Although GAO and others have warned of cyber risks for decades, until cybersecurity responsibilities as well as recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is program officials from a non- still determining how best to address weapon systems cybersecurity. generalizable sample of nine major In operational testing, DOD routinely found mission-critical cyber vulnerabilities in defense acquisition program offices. systems that were under development, yet program officials GAO met with What GAO Recommends believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to GAO is not making any take control of systems and largely operate undetected, due in part to basic recommendations at this time. GAO issues such as poor password management and unencrypted communications. will continue to evaluate this issue. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats. DOD has recently taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations. DOD, as directed by Congress, has also begun initiatives to better understand and address cyber vulnerabilities. However, DOD faces barriers that could limit the effectiveness of these steps, such as cybersecurity workforce challenges and difficulties sharing information and lessons about vulnerabilities. To address these challenges and improve the View GAO-19-128. For more information, contact Cristina Chaplain, 202-512-4841, state of weapon systems cybersecurity, it is essential that DOD sustain its [email protected] momentum in developing and implementing key initiatives. GAO plans to continue evaluating key aspects of DOD’s weapon systems cybersecurity efforts. United States Government Accountability Office Contents Letter 1 Background 5 Multiple Factors Make Weapon Systems Cybersecurity Increasingly Difficult, but DOD Is Just Beginning to Grapple with the Challenge 11 Tests Revealed that Most Weapon Systems Under Development Have Major Vulnerabilities, and DOD Likely Does Not Know the Full Extent of the Problems 21 DOD Has Begun Taking Steps to Improve Weapon Systems Cybersecurity 28 Agency Comments 37 Appendix I Scope and Methodology 38 Appendix II Examples of Types of Cyber Attacks 41 Appendix III Roles and Responsibilities for Cybersecurity in the Department of Defense 42 Appendix IV GAO Contact and Staff Acknowledgments 44 Tables Table 1: Key Characteristics of Adversary Threat Tiers 9 Table 2: Examples of Warnings of Risks Associated with Increased Reliance on Software and Networking 16 Table 3: Timeline of Key Department of Defense (DOD) Policy and Guidance Changes to Improve Weapon Systems Cybersecurity 29 Table 4: Military Service Initiatives Focusing on Weapon Systems Cybersecurity 33 Table 5: Challenges with Sharing Information about Cyber Vulnerabilities and Threats 36 Table 6: Examples of Types of Cyber Attacks 41 Table 7: Selected Roles and Responsibilities for Cybersecurity in the Department of Defense 43 Page i GAO-19-128 Weapon Systems Cybersecurity Figures Figure 1: Key Activities in Cyber Attacks and Cyber Defense 7 Figure 2: Embedded Software and Information Technology Systems Are Pervasive in Weapon Systems (Represented via Fictitious Weapon System for Classification Reasons) 12 Figure 3: Weapons Include Numerous Interfaces That Can Be Used as Pathways to Access the System (Represented via Fictitious Weapon System for Classification Reasons) 14 Figure 4: Weapon Systems Are Connected to Networks That May Connect to Many Other Systems (Notional Depiction for Classification Reasons) 15 Figure 5: Vulnerabilities that the Department of Defense Is Aware of Likely Represent a Small Amount of Actual Vulnerabilities Due to Limitations in Cybersecurity Testing 26 Page ii GAO-19-128 Weapon Systems Cybersecurity Abbreviations DOD Department of Defense DOT&E Director of Operational Test and Evaluation DSB Defense Science Board IT Information Technology NSA National Security Agency NIST National Institute of Standards and Technology RMF Risk Management Framework This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page iii GAO-19-128 Weapon Systems Cybersecurity Letter 441 G St. N.W. Washington, DC 20548 October 9, 2018 The Honorable James M. Inhofe Chairman The Honorable Jack Reed Ranking Member Committee on Armed Services United States Senate The Department of Defense (DOD) plans to spend about $1.66 trillion to develop its current portfolio of weapon systems.1 These weapons are essential to maintaining our nation’s military superiority and for deterrence. It is important that they work when needed, yet cyber attacks have the potential to prevent them from doing so. Cyber attacks can target any weapon subsystem that is dependent on software, potentially leading to an inability to complete military missions or even loss of life. Examples of functions enabled by software—and potentially susceptible to compromise—include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen levels, and flying aircraft. An attacker could potentially manipulate data in these systems, prevent components or systems from operating, or cause them to function in undesirable ways. Some advanced threat actors are aware of this and have well-funded units that focus on positioning themselves to potentially undermine U.S. capabilities. For example, according to the National Security Agency (NSA), advanced threats are targeting national security systems. According to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team and industry reports, advanced threats may conduct complex, long-term cyber attack operations. These reports show that threats may employ cyber reconnaissance, such as probing systems, and cyber espionage, such as cyber theft, to develop detailed knowledge of the target system to design and deploy more damaging attacks. 1We use “weapon systems” and “acquisition programs” to refer to major defense acquisition programs. These include a broad range of systems, such as aircraft, ships, combat vehicles, radios, and satellites. They are programs that are estimated to require a total expenditure for research, development, test, and evaluation of more than $480 million, or for procurement of more than $2.79 billion, in fiscal year 2014 constant dollars, for all increments or are designated as such by DOD for oversight purposes. For more information, see GAO, Weapon Systems Annual Assessment: Knowledge Gaps Pose Risks to Sustaining Recent Positive Trends, GAO-18-360SP (Washington, D.C.: Apr. 25, 2018). Page 1 GAO-19-128 Weapon Systems Cybersecurity Furthermore, in 2017, the Director of National Intelligence testified that some adversaries remain undeterred from conducting reconnaissance, espionage, influence, and even attacks in cyberspace.2 Cybersecurity is the process of protecting information

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    50 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us