Pentagon Chief Weapons Tester: Almost All Military Programs Vulnerable to Cyber-Attacks

Even "novice" level attacks were able to crack military defenses

(Photo via Getty)

Dr. J. Michael Gilmore, Director of Operations Test and Evaluation for the Pentagon. (Photo via Getty)

As the President pushes dated cybersecurity legislation and Band-Aid solutions, the Department of Defense reminds us that we have much bigger threats to our cybersecurity than shared our HBO Go passwords.

After a year of running dozens of tests and simulations on over 40 military weapons systems, Pentagon Director of Operations Test and Evaluation (DOT&E) Michael Gilmore found that almost all of them have some kind of major cybersecurity weakness.

“Cyber adversaries have become as serious a threat to U.S. military forces as the air, land, sea, and undersea threats represented in operational testing for decades,” Mr. Gilmore wrote in his annual report for 2014. “Any electronic data exchange, however brief, provides an opportunity for a determined and skilled cyber adversary to monitor, interrupt, or damage information and combat systems.”

To test its weapons, the Department of Defense has labs and testing ranges that serve as sandboxes for Red Teams—or top military hackers who pretend to be foreign attackers and other malicious parties—to try and crack our own systems and discover vulnerabilities. But despite all of those top-gun resources, Mr. Gilmore reports that nearly all of the vulnerabilities were found using novice or intermediate-level hacking techniques.

The Pentagon also found that one of the most nagging problems that cybersecurity faces, no matter how many times they update procedure, are “compliance” problems: human error, unpreparedness and exploits as meager as bad passwords. And once a hacker gets access to a single weak password, it can lead to “rapid access and exploitation” of an entire weapons system.

“The generally poor defensive performance against dedicated attacks by Red Teams shows that a network is only as secure as its weakest link,” the DOT&E assessment said. “Unless compliance levels approach 100 percent, it is likely a dedicated cyber adversary will succeed in accessing a network.”

Here is the full cybersecurity section of the otherwise 366-page report: