Periodically, the government issues reports reminding us that the nuclear missile system runs, in part, on 8-inch floppy disks. It’s disgraceful. It’s shameful. It’s a sign of government rot and poor prioritization.
Well, it might be. It’s probably not the smartest thing, in all respects, to run nuclear defenses off computers too weak to play Zork. But on the other hand, as a new GAO report makes clear, there are arguably some advantages to running one’s nuclear defense system off a computer that can’t play Zork. It leaves time for playing Spacewar on a PDP-1!
Just kidding. It’s because our other weapon systems are so riddled with vulnerabilities, you’d think they were running Windows 98 SE with ActiveX, Active Desktop, and Outlook Express installed. (Kids, to people of a certain era, that’s practically a death threat). The report starts by noting that for decades, the DoD “did not prioritize” matters of weapon security and is still figuring out how to better address these threats, despite the fact that we’ve been facing them for decades. This does not bode well for what happens in the next paragraph.
In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.
In fairness, this isn’t quite as bad as it looks — or, rather, it’s exactly as bad as it looks, but some of these issues are possible to mediate. Tests can be tightened. Password requirements and security training can be improved. Vulnerability modeling can be enhanced. So far so good, right?
Unfortunately, the DoD doesn’t seem to be starting from, say, 2012 or even 2006. Think Captain Marvel’s MCU timeline and you’d be closer to the mark. From the report:
One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
NPR writes: “In several instances, simply scanning the weapons’ computer systems caused parts of them to shut down.”
Tests had to be aborted afterward because the partial shutdown could’ve put the test team in danger. Problems, even when identified, are often left unresolved, with the GAO noting that out of 20 issues identified by a previous iteration of a security report with solutions, only one solution had been implemented.
One major reason for the problems? Pay scales. Top security engineers often earn more than $200K in the private sector, whereas the government isn’t known for being nearly so lucrative.
Pentagon Report Confirms Russian Development of Massive Nuclear Torpedo
The Pentagon's leaked 2018 nuclear report confirms that the Russians have built a long-range autonomous torpedo that could be fitted with a 100 megaton warhead.
Google Is Working With the Pentagon to Build Project Maven, an AI for Drones
Google has been working directly with the DoD to bake artificial intelligence into drone footage analysis software, despite previous concerns about such collaborations and apparent blowback from its own employees.
Google Employees Revolt Over Project Maven Pentagon Collaboration
Google employees are more than a little concerned about the company's collaboration with the DoD on Project Maven and many have called on Sundar Pichai to withdraw from it altogether.
Pentagon Halts Military Base Sales of Huawei, ZTE Devices, Citing Security Risks
The Pentagon has ordered all sales of Huawei and ZTE hardware to end on military bases, as the US investigates Huawei for possible breach of Iranian sanctions.