New Report Finds Pentagon Weapon Systems Riddled With Vulnerabilities

Periodically, the government issues reports reminding us that the nuclear missile system runs, in part, on 8-inch floppy disks. It’s disgraceful. It’s shameful. It’s a sign of government rot and poor prioritization.

Well, it might be. It’s probably not the smartest thing, in all respects, to run nuclear defenses off computers too weak to play Zork. But on the other hand, as a new GAO report makes clear, there are arguably some advantages to running one’s nuclear defense system off a computer that can’t play Zork. It leaves time for playing Spacewar on a PDP-1!


Image by Wikipedia

Just kidding. It’s because our other weapon systems are so riddled with vulnerabilities, you’d think they were running Windows 98 SE with ActiveX, Active Desktop, and Outlook Express installed. (Kids, to people of a certain era, that’s practically a death threat.) The report starts by noting that for decades, the DoD “did not prioritize” matters of weapon security and is still figuring out how to better address these threats, despite the fact that we’ve been facing them for decades. This does not bode well for what happens in the next paragraph.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.

In fairness, this isn’t quite as bad as it looks — or, rather, it’s exactly as bad as it looks, but some of these issues are possible to remediate. Tests can be tightened. Password requirements and security training can be improved. Vulnerability modeling can be enhanced. So far so good, right?

Unfortunately, the DoD doesn’t seem to be starting from, say, 2012 or even 2006. Think Captain Marvel’s MCU timeline and you’d be closer to the mark. From the report:

One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. Multiple test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
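As an added illustration (not code from the GAO report or this article), here is the kind of hardening check a program office could run over its own component inventory to flag the three conditions the testers relied on: an unchanged vendor default, a password whose keyspace is small enough to guess quickly, and credentials carried over an unencrypted channel. The product names, the default-credential table, the inventory and the guess rate are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed sample data: vendor default credentials that a hardening
# baseline would track. Placeholder products and values, not real ones.
KNOWN_DEFAULTS = {
    ("examplecorp-router", "admin"): "admin",
    ("examplecorp-scada", "operator"): "password",
}

# Assumed guess rate for the estimate (online guessing against a service
# interface). An illustrative assumption, not a figure from the report.
GUESSES_PER_SECOND = 1_000

@dataclass
class Account:
    system: str     # weapon-system component (constructed names)
    product: str    # commercial/open-source software on that component
    user: str
    password: str
    transport: str  # how the credentials travel, e.g. "tls" or "plain"

def charset_size(pw: str) -> int:
    """Size of the character-class mix the password draws from."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33
    return size or 1

def seconds_to_guess(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to search half the keyspace at the given guess rate."""
    return (charset_size(pw) ** len(pw)) / 2 / rate

def audit(accounts, max_seconds=86400 * 365):
    """Return (system, finding) pairs for default, weak or cleartext accounts."""
    findings = []
    for a in accounts:
        if KNOWN_DEFAULTS.get((a.product, a.user)) == a.password:
            findings.append((a.system, "default vendor password unchanged"))
        elif seconds_to_guess(a.password) < max_seconds:
            findings.append((a.system, "password guessable in under a year"))
        if a.transport != "tls":
            findings.append((a.system, "credentials sent over unencrypted transport"))
    return findings

SAMPLE = [  # constructed inventory, three components
    Account("fire-control-A", "examplecorp-scada", "operator", "password", "plain"),
    Account("comms-link-B", "examplecorp-router", "admin", "Zk9#qLm2vT!e", "tls"),
    Account("telemetry-C", "examplecorp-router", "admin", "abc123", "tls"),
]
```

Running `audit(SAMPLE)` flags the first component twice (default password, cleartext transport) and the third once (weak password); the second passes.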

NPR writes: “In several instances, simply scanning the weapons’ computer systems caused parts of them to shut down.”

Tests had to be aborted afterward because the partial shutdown could’ve put the test team in danger. Problems, even when identified, are often left unresolved: the GAO notes that of 20 issues identified, each with a recommended solution, in a previous iteration of a security report, only one solution had been implemented.

One major reason for the problems? Pay scales. Top security engineers often earn more than $200K in the private sector, whereas the government isn’t known for being nearly so lucrative.

