
What Should We Do About a Generation of Weapons Vulnerable to Cyberattacks?

An Obvious Solution Being Ignored
(Photo of U.S. Air Force Capt. Michael Slotten, 61st Fighter Squadron: USAF / Staff Sgt. Jensen Stidham; animated illustration: CJ Ostrosky / POGO)

Futurists have long predicted that the opening salvo of the next major war will more likely come in the form of a massive cyberattack than in waves of aircraft. That makes a string of recent government reports detailing America’s vulnerabilities to such attacks that much more disturbing. The first, an October 2018 Government Accountability Office (GAO) report, stated that every software-enabled weapon system that was tested from 2012 to 2017—which encompasses every system built during the last ten years—can be hacked. Now, a January 2019 Department of Defense (DoD) Inspector General report, summarizing several recent oversight reports, says Department components, including the services, collectively have 266 cyber vulnerabilities, mostly related to their ability to even identify potential threats.

In spite of all of this, many people involved with the acquisitions process think we should increase our dependence on cyber capabilities, with few questioning the wisdom of having every weapon beyond a pistol attached to the Internet. All Americans should be concerned that we are actually paying extra for weapons that provide the enemy an opportunity to disrupt them.

The GAO examined cybersecurity assessment reports from certain programs tested between 2012 and 2017, and found that programs across every service regularly identified “mission-critical cyber vulnerabilities.” For legitimate national security concerns, the GAO report does not specify the programs under review, but it does say auditors investigated a variety of weapons, including ships and aircraft, as well as communications systems. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.” This echoes a warning from former Pentagon testing director Dr. J. Michael Gilmore, who wrote in 2014 that “the cyber threat has become as real a threat to U.S. military forces as the missile, artillery, aviation, and electronic warfare threats.”

Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.

Government Accountability Office report, “Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities”

In spite of the danger posed by hackers, the services have not always been diligent in ensuring the security of their systems. In 2015, for example, the F-35 Joint Program Office canceled a cyber test, citing concerns that the test could damage the troubled fighter jet’s computer system, and in so doing actually confirmed the need for such a test in the first place. Attitudes like this appear to be part of the new normal: the evaluators for this report found that “program officials GAO met with believed their systems were secure and discounted some test results as unrealistic.”

The GAO report represents a significant step forward. It is the office’s first report on weapon systems acquisition security, in contrast to previous reports on information technology systems like computer networks and databases. Here, the aperture widens to include what the DoD refers to as “cyber-physical systems.” These are weapons and vehicles, like missiles and ships, which derive a significant portion of their functionality from embedded software and networked connectivity with other systems. Rather than infiltrating a network and stealing Social Security numbers and performance ratings, as the Chinese government accomplished with the 2015 Office of Personnel Management hack, a cyberattacker could gain full or partial control of one of these physical systems remotely.

Presenting Attack Surfaces

Every time an object touches the network, an opportunity for exploitation is created for a potential adversary. The Pentagon’s current approach of creating an ever-increasing number of networked systems is akin to going to the considerable effort of building a stone castle and then constantly knocking new gates through the outer walls. Some of these vulnerabilities are simple. Many military systems rely on commercial or open-source software. Evaluators found that in numerous instances, engineers failed to reset default passwords when installing software. The evaluators merely had to look up the passwords online to gain administrator privileges, allowing them to seize control of the system.
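The default-password finding above is one a program office can check for itself before testers do. The following is an added illustration, not code from the GAO report or from any DoD program: it audits a constructed asset inventory against a constructed list of vendor default credentials and flags accounts whose stored password hash still matches a published default. The product names, hosts, salts and the simplified salted SHA-256 hash are all assumptions made for the example; a real audit would read the inventory from the configuration management database and compare against whatever hash format the systems actually store.

```python
"""Audit an asset inventory for accounts still using vendor default credentials.

Added example (not from the GAO report or the article). Inventory, vendor
default list, and hashing scheme are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass


def pw_hash(password: str, salt: str) -> str:
    """Simplified salted SHA-256 standing in for whatever hash a system stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass(frozen=True)
class Account:
    host: str         # asset identifier (constructed)
    product: str      # software/firmware product name (constructed)
    username: str
    salt: str
    stored_hash: str


# Constructed vendor defaults: product -> list of (username, default password).
# Placeholder products, not real vendors or real published defaults.
VENDOR_DEFAULTS = {
    "ExampleRouterOS": [("admin", "admin"), ("admin", "password")],
    "ExampleSCADA-HMI": [("operator", "operator")],
}


def default_credential_findings(accounts, defaults=VENDOR_DEFAULTS):
    """Return (host, product, username) for every account whose stored hash
    equals the hash of a known default password for that product."""
    findings = []
    for acct in accounts:
        for user, default_pw in defaults.get(acct.product, []):
            if acct.username == user and acct.stored_hash == pw_hash(default_pw, acct.salt):
                findings.append((acct.host, acct.product, acct.username))
                break  # one finding per account is enough
    return findings


# Constructed sample inventory: two of the three accounts still use a default.
SAMPLE_INVENTORY = [
    Account("radio-gw-01", "ExampleRouterOS", "admin", "s1", pw_hash("admin", "s1")),
    Account("radio-gw-02", "ExampleRouterOS", "admin", "s2",
            pw_hash("correct horse battery staple", "s2")),
    Account("hmi-07", "ExampleSCADA-HMI", "operator", "s3", pw_hash("operator", "s3")),
]

if __name__ == "__main__":
    for host, product, user in default_credential_findings(SAMPLE_INVENTORY):
        print(f"DEFAULT CREDENTIAL: {host} ({product}) account {user!r}")
```

Running the check as part of the configuration baseline, rather than waiting for a red team, turns the "look up the password online" problem into a routine inventory finding with an owner and a fix date.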

Hackers have already worked out ways to remotely disrupt networked vehicles. A pair of them demonstrated this in 2015 when they used a Jeep Cherokee’s Uconnect cellular connection to essentially carjack the vehicle with a laptop, while it was being driven. The duo turned up the air conditioning, changed radio stations, and activated the windshield wipers. They proceeded to cut the transmission and disable the vehicle’s brakes. The driver, who had agreed to take part in the hackers’ experiment, helplessly, but harmlessly, rode the Jeep into a ditch. It is easy to imagine what a hacker could do with an aircraft.

This is a real concern with a program like the F-35. The Pentagon has hyped it as a “computer that happens to fly.” And contractor Lockheed Martin brags on its website about the 8 million lines of software code embedded within the aircraft that control most of its functions, including flight controls, radar, communications, and weapons deployment. As we have reported, the F-35 was designed to operate as part of a network of aircraft and ground-based systems. Any one of the connections that makes this complex arrangement possible could be the one that enemy cyber-warriors use to infiltrate and disrupt or disable the aircraft expected to be the centerpiece of the U.S. military for decades.

The more troubling thing about the GAO report is not so much what it did report, but what it didn’t. Auditors did not look into “Internet of Things” devices, such as fitness devices, portable electronics, and smartphones. In 2018, the services received an object lesson in some of the dangers these devices pose: the locations of several previously secret overseas military bases were exposed when a global heat map plotted out popular running paths using data uploaded from service members’ fitness trackers.

Most notably, the GAO did not look into the security of contractor facilities, although the authors hinted that future reports would explore this issue. Security of contractor facilities is a vital issue because of the role they play in long-term support of a weapon after the Pentagon buys it. While many people focus on procurement costs, what really makes the F-35 program the most expensive in history is the money necessary to sustain it. The entire F-35 enterprise relies on the problematic Autonomic Logistics Information System (ALIS), which is owned and operated by Lockheed Martin, accounting for a significant portion of the program’s $1.4 billion annual sustainment costs. Described as the “IT backbone” of the program, ALIS is the complex computer network that integrates combat mission planning, threat analysis, maintenance diagnosis, the supply chain, maintenance scheduling, and training. The Pentagon’s top testing official, a specialist in software engineering, reported in January 2018 that his office has identified cyber vulnerabilities in the ALIS network that threaten its operation.

This is particularly significant because of the near-universality of contractor support for every vehicle, weapon, and communications gadget moving forward. In order to ensure lucrative sustainment contracts throughout the life of a weapons program, defense contractors seem to refuse to engineer themselves out of their wares. Most now designate the technology in these systems—all of it developed at government expense—as proprietary. They then negotiate contracts with the government allowing them to retain the intellectual property rights for the weapons purchased by the government. Especially in the case of cyber-physical systems, the Pentagon must work through the contractor for any upgrades to ensure compatibility.

Contractors benefit from this arrangement in several ways. Where they really make their money is with annual sustainment contracts. By holding the intellectual property rights, the original contractor becomes the only entity capable of even bidding for a sustainment contract, since the government would not even be able to write the requirements for the bid proposal. For example, Northrop Grumman manufactures three mission package modules for the littoral combat ship. Each module performs a different function to meet the mission needs for antisubmarine warfare, mine warfare, and surface warfare, and can be switched around as needed. In its promotional materials, Northrop Grumman boasts of its role sustaining the modules. The Navy awarded Northrop Grumman a $46.7 million contract in March 2018 to do just this.

This aspect of defense acquisitions not only costs taxpayers a great deal, it also creates more opportunities for cyber infiltration. Through such arrangements, potential adversaries do not have to break into government computer networks—they could hack into them through the contractor’s networks instead. This is not a hypothetical problem. In November 2016, someone launched a cyberattack against an Australian defense firm working on the F-35 program. The hackers, believed to be based in China, stole sensitive information about the program, including schematics. This wasn’t the first time the F-35 program had been hacked. From 2007 to 2009, Chinese hackers broke into BAE Systems’ databases to steal data on the aircraft’s radar design and engine characteristics. (BAE Systems is a subcontractor for the F-35 program, building approximately 14 percent of each aircraft.) Documents made public by the Snowden leaks show that these attacks compromised several terabytes of information related to the program.

As far as is publicly known, these hacks have focused on the aircraft’s design. But attackers could potentially attack a weapon system through the contractor’s network and disrupt, disable, or even remotely control it. Because the F-35 is networked, it is not far-fetched to imagine a malign actor hijacking certain functions of the F-35 in-flight in the manner of the Jeep Cherokee hack.

A potential adversary likely would not even have to go to such lengths to disrupt the fleet. ALIS includes a function called the Mission Capability Override feature. This allows maintenance supervisors to clear an F-35 to fly if they believe ALIS’s embedded diagnostics software has erroneously recorded a fault that grounds the aircraft. This can happen when ALIS looks for what are called “Health Reporting Codes” generated in the aircraft that indicate maintenance issues that render the aircraft unsafe to fly. When ALIS detects one of these codes, it registers the aircraft as Non-Mission Capable, preventing the pilot from starting the aircraft. A cyberattacker, working through ALIS, could potentially inject phony Health Reporting Codes into the network for all F-35s, which would force maintenance supervisors to go through the override process for each aircraft before it could take off. With that kind of hack, an adversary could keep the F-35 fleet firmly on the ground at the moment of a Pearl Harbor or September 11th-style attack when fighters would need to scramble to meet a threat.
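The scenario above has a standard defensive answer: a ground system should accept a fault report only if it is authenticated by the aircraft that supposedly generated it, refuse replays, and alert when many aircraft suddenly report the same fault at once. The following is an added illustration, not ALIS code and not drawn from the article; the message format, per-aircraft shared keys, the placeholder code "HRC-4711", and the burst threshold are all assumptions for the example. It signs reports with HMAC-SHA256 on the aircraft side, verifies and sequence-checks them on the ground side, and flags a fleet-wide burst of one code even when every individual report verified.

```python
"""Authenticating maintenance fault reports and spotting a fleet-wide burst.

Added example: not ALIS code, not from the article. Keys, message format,
code values and thresholds are constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed: one shared-secret key per aircraft. A real deployment would
# keep keys in aircraft hardware under a proper key-management system.
AIRCRAFT_KEYS = {
    "TAIL-001": b"key-for-001",
    "TAIL-002": b"key-for-002",
    "TAIL-003": b"key-for-003",
}


def _body(tail: str, code: str, seq: int) -> bytes:
    """Canonical bytes that the tag covers (stable key order matters)."""
    return json.dumps({"tail": tail, "code": code, "seq": seq}, sort_keys=True).encode()


def sign_report(tail: str, code: str, seq: int, key: bytes) -> dict:
    """Aircraft side: attach an HMAC-SHA256 tag over (tail, code, seq)."""
    tag = hmac.new(key, _body(tail, code, seq), hashlib.sha256).hexdigest()
    return {"tail": tail, "code": code, "seq": seq, "tag": tag}


class FaultIngest:
    """Ground side: accept only authenticated, fresh reports, and flag bursts."""

    def __init__(self, keys: dict, burst_threshold: int = 2):
        self.keys = keys
        self.last_seq = defaultdict(lambda: -1)  # replay protection per tail
        self.grounded = {}                       # tail -> grounding code
        self.burst_threshold = burst_threshold

    def accept(self, msg: dict) -> str:
        key = self.keys.get(msg["tail"])
        if key is None:
            return "unknown-tail"
        expected = hmac.new(key, _body(msg["tail"], msg["code"], msg["seq"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"          # forged or tampered report
        if msg["seq"] <= self.last_seq[msg["tail"]]:
            return "replay"           # old report re-sent
        self.last_seq[msg["tail"]] = msg["seq"]
        self.grounded[msg["tail"]] = msg["code"]
        return "accepted"

    def burst_codes(self) -> list:
        """Codes currently grounding at least `burst_threshold` aircraft: worth
        an alert to the fleet operations center even if each report verified."""
        counts = defaultdict(int)
        for code in self.grounded.values():
            counts[code] += 1
        return sorted(c for c, n in counts.items() if n >= self.burst_threshold)


def demo():
    """Walk through a genuine report, a forgery, a replay, and a burst."""
    ingest = FaultIngest(AIRCRAFT_KEYS)
    results = [
        ingest.accept(sign_report("TAIL-001", "HRC-4711", 1, AIRCRAFT_KEYS["TAIL-001"])),
        # Forged report for TAIL-002 built without that aircraft's key.
        ingest.accept(sign_report("TAIL-002", "HRC-4711", 1, b"attacker-guess")),
        # Exact replay of the genuine TAIL-001 report.
        ingest.accept(sign_report("TAIL-001", "HRC-4711", 1, AIRCRAFT_KEYS["TAIL-001"])),
        # Genuine report from TAIL-003 with the same code: two aircraft, so a burst.
        ingest.accept(sign_report("TAIL-003", "HRC-4711", 5, AIRCRAFT_KEYS["TAIL-003"])),
    ]
    return results, ingest.burst_codes()


if __name__ == "__main__":
    print(demo())
```

The burst check matters because authentication alone does not help if the adversary is already inside the maintenance network with access to valid keys; a sudden fleet-wide grounding on one code is an operational signal that should reach a human before supervisors start working through overrides aircraft by aircraft.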

Paying a Premium to Add Vulnerabilities

The cost factor in all this cannot be ignored, either, as it creates a vicious cycle. The Pentagon pays a premium for software-enabled systems, compared to their analog equivalents. Each of these more expensive systems increases our vulnerability to hacking, which means the Pentagon needs to spend more to protect them. The DoD will spend nearly $8.5 billion on cybersecurity efforts in fiscal year 2019. This is a great arrangement for a software company selling the original “thing” and then charging the government for the security measures to protect it, but it isn’t great for the taxpayer—to say nothing for the troops, who may find themselves in combat with a weapon that suddenly stops working exactly when they need it most.

As if to illustrate the point of how vulnerable cyber-enabled weapons can be, a few months before the GAO issued its findings, the Army released a solicitation for a non-lethal weapon capable of disabling remote weapon stations. Army leaders want a small device a single soldier could carry that would render an enemy’s remote weapon useless by obscuring its optics, disabling its stabilization mechanism, or disrupting its basic electronic components. What they’re ignoring, of course, is the basic fact that if we are able to do this to the enemy, then they could do this to us. We are providing them with plenty of opportunities. The Army employs more than 8,000 Common Remotely Operated Weapon Stations on Stryker vehicles, M1A2 Abrams tanks, MRAPs, Humvees, and other vehicles. The Navy and Coast Guard each use a modified version on patrol boats.

Potential adversaries aren’t waiting for combat to demonstrate their own abilities to disrupt the electromagnetic spectrum. NATO military forces training in Norway in fall 2018 for the Trident Juncture exercise noticed scrambled GPS signals that could have misdirected military and civilian aircraft. Norwegian officials report they tracked the jamming signals to a Russian military base on the Kola Peninsula. U.S. officials said the jamming effort had “little or no affect [sic]” on American forces. Whether that is true or not, this episode shows that military leaders around the world understand how much the U.S. has come to depend on networked systems and are developing capabilities to exploit the vulnerabilities we have created.

There are some people who know about and seem to understand these dangers. The DoD’s Defense Science Board issued the final report of its “Task Force on Cyber Deterrence” in February 2017. The task force concluded that “[b]arring major unforeseen breakthroughs in the cyber defense of U.S. civilian critical infrastructure, the United States will not be able to prevent large-scale and potentially catastrophic cyber attacks by Russia or China.” The danger extends far beyond civilian infrastructure. The report says this about military systems:

An attack on military systems might result in U.S. guns, missiles, and bombs failing to fire or detonate or being directed against our own troops; or food, water, ammo, and fuel not arriving when or where needed; or the loss of position/navigation ability or other critical warfighter enablers. Moreover, the successful combination of these attacks could severely undermine the credibility of the U.S. military’s ability to both protect the homeland and fulfill our extended deterrence commitments.

The task force did at least question the propriety of rendering every military system vulnerable to such an obvious line of attack. It recommended that the Pentagon not attach nuclear weapon systems to the network because doing so “widens their attack surface to adversaries.” The report does not specify which systems, but in crafting this language the task force likely had in mind programs such as the Columbia-class ballistic missile submarine and the B-21 Raider, both of which the Pentagon is considering attaching to the network.

Still, leading figures within the national security space want to double down on this strategy. Speaking before a gathering at the Center for Strategic and International Studies, General James Cartwright, a former vice chairman of the Joint Chiefs of Staff, said the military needs to reorient the way it thinks to accommodate even more technology. “The ability to move from the number of men per machine to the number of machines per man is the ultimate objective here in a command and control construct that allows that to occur,” Cartwright said.

The services are responding in kind. Army officials recently solicited ideas from the tech industry to use robots to disable or kill enemy targets at close range, particularly in urban areas. It will likely be several years before this type of system is pressed into active service, but the Pentagon continues to connect thousands of devices to the network every year. The Army purchased 9,783 Getac tablet computers in 2017 for soldiers to use to connect to the DoD’s web-based logistics network, the Global Combat Support System. Soldiers on the front lines in infantry, armor, and cavalry units are being equipped with smartphones for the Nett Warrior system. The software on the devices integrates GPS navigation, messaging, and Blue Force Tracking (the program that plots friendly units on a digital map) functions and connects to the network through a tactical radio receiver. Future versions will allow soldiers to tap into video feeds from aircraft flying overhead.

Many of the reports from soldiers in the field have been positive, but such a system creates an opportunity for enemy disruption. Army leaders want to equip each squad leader with a Nett Warrior system, which means there will be 600 in each Infantry Brigade Combat Team (IBCT). The Army and the National Guard currently have a combined 33 IBCTs. That means there will be 19,800 Nett Warrior systems just in the IBCTs. The GAO correctly states that “this growing dependence on software and IT comes at a price. It significantly expands weapons’ attack surfaces.” At $8,000 apiece, the Army can expect to pay at least $158 million to outfit its infantry formations with thousands of new devices, any one of which could be used by a potential adversary to infiltrate the network.

Nett Warrior operates on Android-based smartphones running on open-source software. There are numerous ways to infiltrate Android devices. In a man-in-the-middle attack, for example, a hacker uses the device’s wireless communications capabilities to gain access and redirect information. Through such means, someone could determine the device’s physical location and intercept voice and data communications. A quick Google search reveals thousands of websites offering tutorials on accessing an Android device remotely.

If It Isn’t Broke…

Just because something seems dated or isn’t sporting the latest gadgetry doesn’t mean it no longer has its place on the battlefield. Many iconic weapons and vehicles in American military history achieved their status not because they boasted cutting-edge designs, but because they didn’t. The troops tend to venerate simple weapons and technology that can be relied on to work when they’re needed. Liberty ships, M1911 pistols (which were in Army service for 75 years), and the Jeep are examples of simple designs that did exactly what they needed to do. Americans still see Jeeps on the road today because soldiers in World War II grew to love them. Jeeps could be used as machine gun platforms, makeshift ambulances, and artillery transports. At $650 apiece (about $9,000 today), the Jeep was cheap to buy, tough enough for any terrain, and easy to maintain.

This is not to suggest that the Pentagon scrap all networked systems in favor of their analog equivalents. Higher-echelon command centers, particularly at the brigade level and above, would likely not be able to effectively coordinate their efforts with adjacent and superior headquarters without being networked, for example.

But policymakers should carefully consider the amount of technology they heap upon tactical forces. A Marine communications officer recently made this point when he wrote about the difficulties involved in rigging high-bandwidth networks for tactical units. “It is common for Marines to troubleshoot data links for 18 hours straight, several days in a row,” he wrote. “This is partly because of the complexity of their systems but it more often is a result of having to coordinate with contractors at hub nodes who work in shift rotations, are unaware of the particular Marine Corps mission, do not operate within commander’s intent, and lack unity of effort.” He argues that the necessary information can be communicated through simpler and more secure low-bandwidth means.

In the cases where cyber capabilities are appropriate or unavoidable, Congress should demand that the Pentagon fully implement recent initiatives to test companies’ networks and systems to ensure they meet security standards prior to awarding contracts. Congress and the DoD should also support efforts to include cybersecurity as part of the basic design of future weapons programs.

Conclusion

As a general rule, the Pentagon should purchase the simplest possible tool to accomplish the intended task. If the services can complete a task without providing enemy cyber-warriors a point of entry, then they should pursue that option. Beyond actually performing the task better than the low-tech alternative, a high-tech weapon’s overall performance advantage must also offset the cyber vulnerabilities and additional logistical burdens it brings with it. The services should reject any system that fails this test.

Admittedly, this is a tough sell. Only members of the Military-Industrial-Congressional Complex would be able to look at two different gadgets, both meant to perform the same task, and say, “Let’s buy the one that costs a fortune and makes us more vulnerable!”

Ellen Lord, the Pentagon’s top acquisition official, issued guidance late last year requiring standard language in future contracts that obliges companies to increase their cybersecurity efforts. Beyond that, the government’s cybersecurity efforts do not inspire much confidence. There is much more to do to ensure the military does not build the means to its defeat into its own tools. The starting point for this effort should be a reexamination of the conventional wisdom that high tech equals better tech.