A new report from the U.S. Government Accountability Office brings both good and bad news. For governments around the world that might like to sabotage America’s military technology, the good news is that this would be all too easy to do: Testers at the Department of Defense “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development” over a five-year period, the report said. For Americans, the bad news is that up until very recently, no one seemed to care enough to fix these security holes.

In 1991, the report noted, the U.S. National Research Council warned that “system disruptions will increase” as the use of computers and networks grows and as adversaries attack them. The Pentagon more or less ignored this and at least five subsequent warnings on the subject, according to the GAO, and hasn’t made a serious effort to safeguard the vast patchwork of software that controls planes, ships, missiles, and other advanced ordnance against hackers.

The sweeping report drew on nearly 30 years of published research, including recent assessments of the cybersecurity of specific weapon systems, as well as interviews with personnel from the Department of Defense, the National Security Agency, and weapons-testing bodies. It covered a broad span of American weapons, examining systems at all of the service branches and in space.

The report found that “mission-critical cyber vulnerabilities” cropped up routinely during weapons development and that test teams “easily” took over real systems without detection “using relatively simple tools and techniques,” exploiting “basic issues such as poor password management and unencrypted communications.” Testers could also download and delete data, in one case exfiltrating 100 gigabytes of material, and could tap into operators’ terminals, in one instance popping up computer dialogs asking the operators “to insert two quarters to continue.” But a malicious attacker could pull off much worse than jokes about quarters, warns the GAO: “In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system.”

Posing as surrogates for, say, Russian or Chinese military hackers, testers sometimes found easy victories. “In some cases,” the GAO found, “simply scanning a system caused parts of the system to shut down,” while one “test team was able to guess an administrator password in nine seconds.” The testers found embarrassing, elementary screw-ups of the sort that would get a middle school computer lab administrator in trouble, to say nothing of someone safeguarding lethal weapon systems. For example, “multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet.”

Asked how she thought a culture of cyber-insecurity could flourish at an institution as guarded as the military, Cristina Chaplain, a director at the GAO, explained that the problem may be that the armed services overestimated the value of secrecy. “For the past 20 years, their focus has been on [networking] systems together,” at the expense of connecting them securely, because it was simply assumed that “security by obscurity” would be all that was needed — that, say, a classified bomb designed and built in secret is impervious to outside threats by virtue of being kept hidden. The whole culture of military secrecy, the belief that “they’re so standalone and so stovepiped that they’re almost secure just by virtue of that,” as Chaplain put it, is much to blame. The findings are all the more disturbing given that the GAO said they “likely represent a fraction of total vulnerabilities” due to limitations in how the Defense Department tests for cybersecurity.