they came, they saw, they hacked: why the pentagon isn’t ready for cyberwarfare
Of all the things you definitely don’t want hacked, $1.7 trillion worth of weapons meant to protect your country and project its power across the world should definitely rank right at the top. And yet, the byzantine maze that is the Pentagon’s acquisition pipeline hasn’t made it a priority to make sure their increasingly automated armaments can stand up to hackers, according to a recent Government Accountability Office report. Worse yet, instead of fixing the problems, the military is papering over them by assuming that newer systems have more protections, doing insufficient testing in positive reports, and then issuing certificates implying that due diligence was done and the weapons are secure. All this can only end badly.
Essentially, we’re looking at a situation similar to the launch of the ACA website but with the nation’s defensive and offensive infrastructure, and instead of treating this as the crisis it is, we have contractors and bureaucrats rushing to cover their rears. Yes, it’s certainly important to field the most effective and sophisticated weapons you can, but what good are they if your enemies can shut them down, listen in on your communications, or wreak havoc by turning those weapons against you and actively sowing confusion over your comm channels?
Some of the successful hacks identified by the GAO weren’t even hacks. Red teams, or the experts tasked with impersonating an adversary to test military defenses, were able to find manuals for off-the-shelf software and access supposedly secure systems just by using the default passwords. They were also able to quickly guess passwords for important systems, and following up on old vulnerabilities they previously identified quickly showed that only a handful were truly fixed. It appears things haven’t changed much behind the scenes even after the 2012 debacle with Predator drones broadcasting their live, unencrypted feeds among other glitches.
Even worse, consider that just a year prior to that, a type of virus known as a keylogger infected computers responsible for coordinating drone missions. What should’ve been a teachable moment for the Pentagon prompting a massive review of how they approach cybersecurity and realizing the full implications of a hackable fleet of the world’s most fearsome planes, ships, and drones, especially if they’re networked together, turned into a bureaucratic exercise with little obvious payoff. And this is extremely alarming because in the age of cyberwarfare, building and deploying a weapon that uses an operating system and has a chip enabling it to connect to a network doesn’t necessarily mean you’ll be the one operating it.
This report’s conclusions are especially disconcerting as the Pentagon is pushing into things like networked battlefields and drones armed with artificial intelligence as backup and support for humans. Buggy and hackable drones could cripple your own troops and turn the weapons you spent so much time and money building into your computer savvy adversary’s new forces. Badly encrypted communications will give away your position and strategy, which is the kind of failure that lost entire wars time and time again. And a culture that papers over these red flags to make political deadlines means that cybersecurity will not become a priority until a catastrophic defeat and months, if not years, of sustained pressure from the top to get it right.
Militaries are often faulted for fighting the last war, and it seems that the U.S. has an acute case of this, especially under the guidance of an administration that refuses to acknowledge that it lives in the 21st century. Slowly but surely, the age of brute force alone winning military conflicts is coming to a close. Wars are now asymmetrical and multi-dimensional. It helps to be able to level cities and take out defenses, but your enemies might just defend themselves by installing viruses in your weapons’ operating systems and hacking your infrastructure by taking advantage of complacency and technical illiteracy. And the Pentagon paying little more than lip service to digital security is like a dragon showing its soft underbelly and insisting that it’s definitely armored because a form says it should be.