9 seconds and you're inside the Pentagon's systems. The alarm raised by the GAO

Passwords that can be guessed in seconds because they were never changed from the factory defaults. Known cyber vulnerabilities that were never fixed. These are the biggest problems affecting some of the US Department of Defense's most recent weapon systems under development, according to the Government Accountability Office (GAO), which presented them in a recent report.

Drawing on data from cybersecurity tests conducted on Department of Defense weapon systems from 2012 to 2017, the report states that, by using "relatively simple tools and techniques," the mock hackers were able to take control of the systems and to operate undetected "due to the underlying vulnerabilities in IT security."

The GAO says the vulnerability issues it has encountered are widespread. "Defense test hackers systematically found critical vulnerabilities in nearly every weapon system under development."

When officials of the various weapons programs were asked about the weaknesses, they replied to the GAO that "they thought the systems were safe and were baffled by the test results."

The agency says the report was requested by the Senate Armed Services Committee. The GAO reviewed data from the Pentagon's security tests on weapon systems under development and also interviewed cybersecurity officials, analyzing how the systems are protected and how they respond to attacks.

The stakes are high, as the GAO notes, because the Department of Defense plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems.

Despite the ever-growing importance of computers and networks, the GAO states, the Pentagon has only recently made IT security a priority in its programs to develop new weapon systems.

The GAO also said the Department of Defense's hacking and cyber tests were "limited in scope and sophistication."

One of the GAO reports indicated that the hacking team was able to guess an administrator password in nine seconds. The systems used commercial or open source software, but the default password was not changed when the software was installed, which allowed test teams to find the password on the Internet and gain administrator privileges for that software.

When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of the 20 vulnerabilities that had previously been found had been resolved.

One of the problems plaguing the Pentagon, the GAO says, is the loss of cybersecurity-savvy personnel, who are increasingly drawn to more lucrative offers from the private sector.

The most capable and experienced workers, able to find vulnerabilities and detect advanced threats, can earn over $200,000 annually in the private sector.
