New Report Finds Pentagon Weapon Systems Riddled With Vulnerabilities
Periodically, the government issues reports reminding us that the nuclear missile system runs, in part, on 8-inch floppy disks. It’s disgraceful. It’s shameful. It’s a sign of government rot and poor prioritization.
Well, it might be. It’s probably not the smartest thing, in all respects, to run nuclear defenses off computers too weak to play Zork. But on the other hand, as a new GAO report makes clear, there are arguably some advantages to running one’s nuclear defense system off a computer that can’t play Zork. It leaves time for playing Spacewar on a PDP-1!
Just kidding. It’s because our other weapon systems are so riddled with vulnerabilities, you’d think they were running Windows 98 SE with ActiveX, Active Desktop, and Outlook Express installed. (Kids, to people of a certain era, that’s practically a death threat.) The report starts by noting that for decades, the DoD “did not prioritize” matters of weapon security and is still figuring out how to better address these threats, despite the fact that we’ve been facing them for decades. This does not bode well for what happens in the next paragraph.
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
In fairness, this isn’t quite as bad as it looks — or, rather, it’s exactly as bad as it looks, but some of these issues are possible to remediate. Tests can be tightened. Password requirements and security training can be improved. Vulnerability modeling can be enhanced. So far so good, right?
Unfortunately, the DoD doesn’t seem to be starting from, say, 2012 or even 2006. Think Captain Marvel’s MCU timeline and you’d be closer to the mark. From the report:
One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
NPR writes: “In several instances, simply scanning the weapons’ computer systems caused parts of them to shut down.”
Tests had to be aborted afterward because the partial shutdown could’ve put the test team in danger. Problems, even when identified, are often left unresolved: the GAO notes that of 20 issues that a previous iteration of a security report had identified along with solutions, only one solution had been implemented.
One major reason for the problems? Pay scales. Top security engineers often earn more than $200K in the private sector, whereas the government isn’t known for being nearly so lucrative.