The first step in solving any problem is admitting there is one. But a new report from the US Government Accountability Office finds that the Department of Defense remains in denial about cybersecurity threats to its weapons systems.

Specifically, the report concludes that almost all weapons that the DOD tested between 2012 and 2017 have “mission critical” cyber vulnerabilities. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

The GAO released its report Tuesday, in response to a request from the Senate Armed Services Committee ahead of a planned $1.66 trillion in spending by the Defense Department to develop its current weapons systems. Subtitled "DOD Just Beginning to Grapple with Scale of Vulnerabilities," the report finds that the department "likely has an entire generation of systems that were designed and built without adequately considering cybersecurity." Neither Armed Services Committee chairman James Inhofe nor ranking member Jack Reed responded to requests for comment.

The GAO based its report on penetration tests the DOD itself undertook, as well as interviews with officials at various DOD offices. Its findings should be a wake-up call for the Defense Department, which the GAO describes as only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.

“I will say that the GAO can be prone to cyber hyperbole, but unless their sampling or methodology were way off or deliberately misleading, DOD has a very grave problem on its hands,” says R. David Edelman, who served as special assistant to President Obama on cybersecurity and tech policy. “In the private sector, this is the sort of report that would put the CEO on death watch.”

DOD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption. As previous hacks of government systems, like the breach at the Office of Personnel Management or the breach of the DOD’s unclassified email server, have taught us, poor basic security hygiene can be the downfall of otherwise complex systems.


The GAO report says that one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software, but administrators failed to change the default passwords. Yet another tester managed to partially shut down a weapons system by merely scanning it—a technique so basic, the GAO says, it “requires little knowledge or expertise.”

Testers were sometimes able to take full control of these weapons. “In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing,” the report states.

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them, despite the testers being intentionally “noisy.” In other cases, the report states that automated systems did detect the testers, but the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

Like most unclassified reports about classified subjects, the GAO report is rich in scope but poor in specifics, mentioning various officials and systems without identifying them. The report also cautions that "cybersecurity assessment findings are as of a specific date so vulnerabilities identified during system development may no longer exist when the system is fielded." Even so, it paints a picture of a Defense Department playing catch-up to the realities of cyberwarfare, even in 2018.