WASHINGTON (Reuters) - Nearly every U.S. weapons program tested in fiscal 2014 showed “significant vulnerabilities” to cyber attacks, including misconfigured, unpatched and outdated software, the Pentagon’s chief weapons tester said in his annual report released Tuesday.
Michael Gilmore, director of operational test and evaluation (DOT&E), said program managers had worked to resolve problems discovered in previous years and security was improving, but this year’s testing had revealed new vulnerabilities.
“Cyber adversaries have become as serious a threat to U.S. military forces as the air, land, sea and undersea threats represented in operational testing for decades,” Gilmore wrote in the 366-page report.
“The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (Department of Defense) networks, and could be in a position to degrade important DOD missions when and if they chose to,” he wrote.
The report comes amid growing attention to cybersecurity within the U.S. government, and was released days after fresh documents leaked by former U.S. intelligence contractor Edward Snowden said China had stolen “many terabytes” of data about the Lockheed Martin Corp F-35 fighter jet.
The Pentagon’s F-35 program office said classified data about the new warplane remained secure.
The report said tests of more than 40 weapons revealed problems with cybersecurity, and U.S. troops needed to learn to “fight through” cyber attacks, just as they do now with conventional attacks.
Gilmore said it was troubling that many issues found during operational testing could have been addressed when programs were still in development, and also cited numerous violations of Pentagon password policies.
Even novice techniques had allowed testers to penetrate networks, the report said.
Gilmore said it was critical to follow up cyber testing of weapons with an “adversarial assessment,” in which officials pose as enemies and try to hack into systems. He said the U.S. military also had a critical shortfall of cyber personnel.
Cyber testing had grown more realistic, but current cyber ranges needed to be expanded, the report said. It said the office had worked with military officials to develop “cyber playbooks” and battle drills that allow network “defenders” to practice techniques and tactics.
Elsewhere in the report, Gilmore cited specific cybersecurity problems with the U.S. Army’s Warfighter Information Network - Tactical, built by General Dynamics Corp; the Navy’s Joint High Speed Vessel, built by Australia’s Austal; and the Freedom class of Littoral Combat Ship, built by Lockheed.
Reporting by Andrea Shalal; editing by Andrew Hay