New Report Finds Pentagon Weapon Systems Riddled With Vulnerabilities


Periodically, the government issues reports reminding us that the nuclear missile system runs, in part, on 8-inch floppy disks. It’s disgraceful. It’s shameful. It’s a sign of government rot and poor prioritization.

Well, it might be. It’s probably not the smartest thing, in all respects, to run nuclear defenses off computers too weak to play Zork. But on the other hand, as a new GAO report makes clear, there are arguably some advantages to running one’s nuclear defense system off a computer that can’t play Zork. It leaves time for playing Spacewar on a PDP-1!

Image by Wikipedia

Just kidding. It’s because our other weapon systems are so riddled with vulnerabilities, you’d think they were running Windows 98 SE with ActiveX, Active Desktop, and Outlook Express installed. (Kids, to people of a certain era, that’s practically a death threat). The report starts by noting that for decades, the DoD “did not prioritize” matters of weapon security and is still figuring out how to better address these threats, despite the fact that we’ve been facing them for decades. This does not bode well for what happens in the next paragraph.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

In fairness, this isn’t quite as bad as it looks. Or, rather, it’s exactly as bad as it looks, but some of these issues are possible to remediate. Tests can be tightened. Password requirements and security training can be improved. Threat modeling can be made more realistic. So far so good, right?

Unfortunately, the DoD doesn’t seem to be starting from, say, 2012 or even 2006. Think Captain Marvel’s MCU timeline and you’d be closer to the mark. From the report:

One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
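The failures the report describes (unchanged vendor defaults, an administrator password guessed in seconds, credentials sent in the clear) are exactly the kind of thing a program office can check for itself before an assessment team does. As an added example that is not from the GAO report or this article, the Python below walks a constructed inventory of subsystems (hypothetical hosts, software names, protocols and credentials) and flags vendor-default credentials still in place, passwords that would fall to a short public guess list, and administrative protocols that carry credentials in cleartext. The default-credential table and guess list are constructed placeholders for illustration, not any real vendor's defaults.

```python
"""
Default-credential and cleartext-transport audit over a constructed
service inventory. All data here is hypothetical example data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed vendor-default table: (software, username, password).
# Hypothetical entries standing in for the defaults an assessor would
# look up on the Internet; not real products or real defaults.
KNOWN_DEFAULTS = {
    ("acme-hmi", "admin", "admin"),
    ("acme-hmi", "admin", "password"),
    ("dataview", "operator", "operator"),
    ("relaybox", "root", "changeme"),
}

# Constructed stand-in for a freely available wordlist; real lists are
# far longer, which is why a guessable admin password falls in seconds.
COMMON_GUESSES = {"admin", "password", "123456", "qwerty", "letmein", "welcome"}

# Protocols that send credentials (or control traffic) without encryption.
PLAINTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c", "modbus"}

MIN_ADMIN_PASSWORD_LEN = 12  # assumed local policy for this example


@dataclass(frozen=True)
class Service:
    host: str
    software: str
    protocol: str
    username: str
    password: str


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    issue: str
    severity: str


def check_service(svc: Service) -> list[Finding]:
    """Return every finding for one service; empty list means clean."""
    findings: list[Finding] = []
    if (svc.software, svc.username, svc.password) in KNOWN_DEFAULTS:
        findings.append(Finding(svc.host, svc.software,
                                "vendor default credential still in use", "critical"))
    elif (svc.password.lower() in COMMON_GUESSES
          or len(svc.password) < MIN_ADMIN_PASSWORD_LEN):
        findings.append(Finding(svc.host, svc.software,
                                "admin password in common guess list or too short", "high"))
    if svc.protocol.lower() in PLAINTEXT_PROTOCOLS:
        findings.append(Finding(svc.host, svc.software,
                                f"credentials travel over cleartext {svc.protocol}", "high"))
    return findings


def audit(inventory: list[Service]) -> list[Finding]:
    """Run check_service over the whole inventory."""
    return [f for svc in inventory for f in check_service(svc)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, e.g. {'critical': 1, 'high': 4}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory (hypothetical hosts and credentials).
SAMPLE_INVENTORY = [
    Service("hmi-01", "acme-hmi", "http", "admin", "admin"),              # default + cleartext
    Service("hist-02", "dataview", "https", "operator", "Kx9#vLq2!pRt7w"),  # clean
    Service("relay-03", "relaybox", "telnet", "root", "Summer2018"),      # short + telnet
    Service("gw-04", "fieldgw", "ssh", "maint", "letmein"),              # guessable
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.host} ({f.software}): {f.issue}")
    print(summarize(results))
```

The point of running this against the inventory rather than against a live system is the one NPR's quote makes below: some of these systems partially shut down when merely scanned, so credential and transport hygiene should be verified from configuration data and design documents first, with active probing held for a controlled test window.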

NPR writes: “In several instances, simply scanning the weapons’ computer systems caused parts of them to shut down.”

In at least one case testing had to be halted because the partial shutdown could have put the test team at risk. Problems are often left unresolved even after they are identified: the GAO notes that of 20 vulnerabilities flagged, with fixes, in a previous assessment, only one had actually been corrected.

One major reason for the problems? Pay scales. Top security engineers often earn more than $200K in the private sector, whereas the government isn’t known for being nearly so lucrative.

