Dumping On Dummies
Join security researcher Keiose in her exploration of the notion that there is insufficient security testing of kinetic weapons systems across the US military.
The United States has one of the largest militaries in the world, spending roughly $647 billion a year, about twice the defense budgets of China, Saudi Arabia, the United Kingdom, India, and Russia combined. The US military has tested some of the most advanced weapon systems in the world, including the High Energy Laser Mobile Demonstrator (HEL MD) and the Laser Weapon System (LaWS). In 2016 the US Navy commissioned one of the most technologically advanced warships to date, USS Zumwalt. Yet despite being at the forefront of technology, recent Government Accountability Office (GAO) reporting found that weapon systems the United States developed between 2012 and 2017 have severe, even “mission-critical,” cyber vulnerabilities, and that federal information security (i.e. cybersecurity) needs to improve “the abilities to detect, respond to, and mitigate cyber incidents,” grow its cyber workforce, and increase cybersecurity training efforts.
From ships to aircraft, the weapons available to the Department of Defense are becoming more technologically advanced and rely more on software and less on dedicated hardware to control everything from navigation to weapons systems. The F-35 Lightning II’s software contains more than eight million lines of code and controls everything from flight controls to radar, communications, and weapons deployment. USS Zumwalt, the Navy’s most advanced warship, is powered by Linux on off-the-shelf server hardware (mainly IBM blade servers running Red Hat Linux) with six million lines of software code. It contains sixteen Raytheon-built, self-contained mini data centers called Electronic Modular Enclosures (EMEs) that tap into the Total Ship Computing Environment, a shipboard network connecting all of the ship’s systems (internal and external communications, weapons, sensors, etc.) over Internet protocols, including TCP and UDP. Instead of old-school telephones, the ship uses Voice over IP (VoIP). The ship’s Common Display System runs on Intel Xeon processors hosting multiple LynxOS-based virtual machines (LynxOS is a POSIX-compliant real-time operating system, not Linux itself), which lets watchstanders manage any function of the ship without moving to a different watch station. The ship even has a classified wireless network that lets sailors connect to the network and perform maintenance. From a security standpoint, commodity operating systems and IP networking bring a familiar attack surface aboard, and a wireless maintenance network extends that surface beyond the physical cabling.
With such heavily IT-dependent and networked infrastructure under development, and with the Department of Defense planning to spend $1.66 trillion to develop its current portfolio of major weapon systems, the GAO conducted a review of DOD weapon systems cybersecurity. With other nations fielding sophisticated, well-funded cyber units intent on undermining US capabilities, the GAO’s concern was that the combination of software-dependent weapon subsystems and a successful cyberattack could prevent the use of a weapon system, let an attacker take control of it, or, worse, cause loss of life. The report gives examples such as powering a system on and off, retargeting a missile, or manipulating a pilot’s oxygen level. Intelligence reporting indicates that these nations conduct complex, long-term cyber operations, such as cyber reconnaissance to gain detailed knowledge of a system, and then develop more damaging attacks later.
The GAO reviewed reports from 1991 to the present on software, IT, networking, and weapon systems from many organizations, including the National Research Council and the Defense Science Board (DSB), as well as cybersecurity assessment reports for systems tested between 2012 and 2017. It found that the DOD had long failed to prioritize weapon systems cybersecurity, and that tests of systems under development showed that most had major vulnerabilities.
Test teams took control of these weapon systems and operated largely undetected. Operators who did detect an attack were unable to respond to it effectively. Most concerning, the scope of the tests was limited, so the DOD likely does not know the full extent of its vulnerabilities.
The test teams used relatively simple, nascent-to-moderate tools and techniques, far from the sophisticated capabilities available to adversary states. In one case, a tester partially shut a system down simply by running a scan. Another issue was the bane of every IT security professional: poor password management. One tester guessed an administrator password in nine seconds, and some programs had never changed the default password on the commercial or open-source software they used.
Some security controls were deemed insufficient because of how they were implemented. For example, one system had role-based access control, but its internal communications were unencrypted; a regular user read the administrator’s username and password from that traffic and used the credentials to gain access to the internal system. Role separation only means something if the credentials that enforce it are protected in transit. In another case, a weapon system crashed so frequently for unexplained reasons that operators missed the test team’s denial-of-service attacks, which were rebooting the system. Even where operators detected intrusions, the GAO found that in many circumstances they were ill-trained or ill-equipped to handle the attacks. In some tests the system logs did capture the team’s activity, but there were no procedures for anyone to review those logs.
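The three findings above (an administrator password guessed in seconds, reboots hidden among routine crashes, and logs that recorded the attack but were never read) share a root cause: nobody had a procedure for looking at what the system already recorded. As an added example, not from the GAO report or any of the sources cited on this page, here is a minimal log-review pass in Python over a constructed syslog-style sample. The line format, the thresholds, the five-minute reboot grace period and the allow-list of hosts that administrators log in from are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample (not from any real system). It contains the three
# patterns discussed above: a password-guessing burst that succeeds, an admin login
# from an unfamiliar host, and a reboot with no preceding operator shutdown.
SAMPLE_LOG = """\
2018-03-01T08:00:00 host1 sshd: Failed password for admin from 10.20.30.40
2018-03-01T08:00:02 host1 sshd: Failed password for admin from 10.20.30.40
2018-03-01T08:00:04 host1 sshd: Failed password for admin from 10.20.30.40
2018-03-01T08:00:06 host1 sshd: Failed password for admin from 10.20.30.40
2018-03-01T08:00:08 host1 sshd: Failed password for admin from 10.20.30.40
2018-03-01T08:00:09 host1 sshd: Accepted password for admin from 10.20.30.40
2018-03-01T08:30:00 host1 sshd: Accepted password for operator from 10.0.0.5
2018-03-01T09:00:00 host1 init: Shutdown requested by operator
2018-03-01T09:02:00 host1 kernel: System boot
2018-03-01T11:15:00 host1 kernel: System boot
"""

# Assumed line format: "<ISO timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
              "proc": m["proc"], "msg": m["msg"]}
        a = AUTH_RE.match(ev["msg"])
        if a:
            ev.update(result=a["result"], user=a["user"], src=a["src"])
        events.append(ev)
    return events


def password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (user, source) pairs with >= threshold failures inside the window,
    and record whether a success followed while the burst was still within it."""
    failures = defaultdict(list)
    findings = {}
    for ev in events:
        if "result" not in ev:
            continue
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= threshold and key not in findings:
                findings[key] = {"user": ev["user"], "src": ev["src"],
                                 "failures": len(recent), "succeeded": False}
        else:
            if key in findings and recent:
                findings[key]["succeeded"] = True
            failures[key] = []
    return list(findings.values())


def unexpected_reboots(events, grace=timedelta(minutes=5)):
    """A boot is expected only if an operator shutdown request preceded it
    within the grace period; anything else is a crash or an induced reboot."""
    last_shutdown = None
    findings = []
    for ev in events:
        if ev["msg"].startswith("Shutdown requested"):
            last_shutdown = ev["ts"]
        elif ev["msg"] == "System boot":
            if last_shutdown is None or ev["ts"] - last_shutdown > grace:
                findings.append(ev["ts"])
            last_shutdown = None
    return findings


def admin_logins_from_unknown_hosts(events, known_admin_hosts, admins=("admin",)):
    """Successful privileged logins from any source not on the allow-list."""
    return [(ev["ts"], ev["src"]) for ev in events
            if ev.get("result") == "Accepted" and ev["user"] in admins
            and ev["src"] not in known_admin_hosts]


def review(log_text, known_admin_hosts=frozenset({"10.0.0.5"})):
    """One review pass; the allow-list default is an assumption for the sample."""
    events = parse(log_text)
    return {
        "password_guessing": password_guessing(events),
        "unexpected_reboots": unexpected_reboots(events),
        "admin_logins_from_unknown_hosts":
            admin_logins_from_unknown_hosts(events, known_admin_hosts),
    }


if __name__ == "__main__":
    for name, items in review(SAMPLE_LOG).items():
        print(f"{name}: {items}")
```

Run as a script it prints the three finding lists for the sample. The point is not the thresholds but that each check is a written-down expectation (how many failures are normal, what a legitimate reboot looks like, where administrators log in from); once those expectations exist, a log that "captures the activity" can actually be reviewed against them, and a reboot no longer hides in the background noise of frequent crashes.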
The defense acquisition system is the body of statutes and regulations that any weapon system developed for the DOD must follow; it is a gated review process that governs cost, schedule, and performance. During this process, program offices are responsible for planning, implementing, and adhering to cybersecurity measures and security controls for any weapon system under development. The National Security Agency and US Cyber Command support some aspects of weapon systems security, but they are not currently responsible for reviewing and identifying potential cybersecurity vulnerabilities during the acquisition of any weapon system.
The process for testing DOD weapon systems for vulnerabilities is insufficient. Tests are limited in length, usually a few days to a few weeks, and in scope, typically to the “easiest or most effective way to gain access.” They do not identify all the ways an adversary could exploit a system and usually model only nascent to moderate threats. The tests did not target specialized components, non-Internet-enabled devices, or parts that could be counterfeit. Despite this lack of vetting, program officials interviewed for the report had a false sense of confidence and wholeheartedly believed their systems were secure, even those whose systems had never had a cybersecurity assessment.
In the past few years, however, the DOD has taken major steps to improve weapon systems cybersecurity, including issuing or updating fifteen department-wide policies, guidance documents, and memorandums. These steps are hindered by its inability to hire and retain cybersecurity personnel and by its incomplete understanding of the scope of the problem. The federal government has traditionally been slow to keep up with cybersecurity, despite several high-profile breaches.
References
6 of the most advanced weapon systems being tested by US military. (2015, 01 24). Retrieved from Hexapolis: https://www.hexapolis.com/2015/01/24/6-of-the-most-advanced-weapons-systems-being-tested-by-us-military/2/
Gallagher, S. (2013, 10 18). The Navy’s newest warship is powered by Linux. Ars Technica. Retrieved 09 01, 2018, from https://arstechnica.com/information-technology/2013/10/the-navys-newest-warship-is-powered-by-linux/
GAO. (2018). Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities (GAO-19-128). Washington, D.C.: Government Accountability Office. Retrieved from https://www.gao.gov/assets/700/694914.pdf
GFP. (2018). Defense Spending by Country. Retrieved from Global Fire Power: https://www.globalfirepower.com/defense-spending-budget.asp
Lockheed Martin. (2018, 04 12). A Digital Jet for the Modern Battlespace. Retrieved from F-35: https://www.f35.com/about/life-cycle/software
Whitwam, R. (2013, 10 21). US Navy’s most advanced warship is powered by Linux and Intel. Retrieved from Geek: https://www.geek.com/chips/us-navys-most-advanced-warship-is-powered-by-linux-and-intel-1574434/