
DOD Just Beginning to Grapple with Scale of Weapon Systems Vulnerabilities - molecule
https://www.gao.gov/mobile/products/GAO-19-128
======
danielvf
The good stuff is in the PDF:

[https://www.gao.gov/assets/700/694913.pdf](https://www.gao.gov/assets/700/694913.pdf)

- Running a port scan caused the weapons system to fail

- One admin password for a system was guessed in nine seconds

- "Nearly all major acquisition programs that were operationally tested
between 2012 and 2017 had mission-critical cyber vulnerabilities that
adversaries could compromise."

- Taking over systems was pretty much playing on easy mode: "In one case, it
took a two-person test team just one hour to gain initial access to a weapon
system and one day to gain full control of the system they were testing."

~~~
pjc50
My thoughts on this are always related to "skin in the game": does it matter
personally to the people making and procuring the systems, especially at
senior management level, whether it actually works?

Back in WW2 it definitely did, especially in the UK where bombing had no
respect for the class system. Winning or losing the war would make a personal
difference.

But since then? All the wars have been overseas with no real threat to the
mainland US; there was a real technological race against the Soviet Union, but
that ended in the 1990s. The post-911 wars were more of an excuse to settle
scores and play the Great Game than a real effort against terrorism (no
pursuit of the Saudis for example).

The consequence is that the main thing that matters is selling the technology
to the Pentagon, or promoting a career inside it. Nobody really believes that
if they procure a crappy IT system the enemy is going to fly a 747 into their
office. Someone _might_ get killed, but nobody they know or who matters, and
it's never going to come back to the project manager or procurement person who
made terrible, expensive, uninformed choices about technology.

~~~
TeMPOraL
This is a very good question I've been pondering for years, and I generally
came to the same conclusion wrt. military-industrial complex in general - not
just software. It seems to me that no one expects any war that would hurt the
US any time soon, so it's an open season for fleecing the military budget for
all it's worth.

I also wonder sometimes if a similar thing isn't happening in enterprise
software - that is, actual software doesn't have to work; it only has to serve
as an object of trade between companies, and all the problems will disappear
in general organizational noise & inertia.

~~~
whatshisface
> _It seems to me that no one expects any war that would hurt the US any time
> soon, so it's an open season for fleecing the military budget for all it's
> worth._

If that was the whole story, the military budget would be plummeting as our
representatives realized that they could _also_ , and far more legitimately,
take money away from the military to put in their pet projects.

~~~
pjc50
Military _is_ the pet project. It's the only form of public spending with
broad support even from anti Federal government people.

~~~
dragonwriter
> Military is the pet project. It's the only form of public spending with
> broad support even from anti Federal government people.

Law enforcement has about equally broad support, including from
anti-federal-government groups (though not always the same ones that back the
military, as there are pro-law-and-order anti-interventionist groups that
aren't keen on military spending, and pro-military groups that see federal law
enforcement as jackbooted authoritarian thugs.)

~~~
amanaplanacanal
Unfortunately federal law enforcement has lost some of its support among the
law and order crowd because of the perception that they are in bed with the
political opposition.

------
MrLeap
I was a dev contractor for the US Army for a few years. None of this surprises
me.

They had some goofball policies that made it seem like vulnerabilities were
the goal. I could bitch at length. Their TSA style security theater practices
were the order of the day. The IA training was an embarrassing joke and they
made you do it often enough to make you a little crazy.

I just checked the certificate of networthiness page and they don't have a
valid SSL certificate. I recall that being the case years ago too. I wonder if
it's been that way for the last 7 years? That's a cute little terrarium of the
whole biome I remember.

Off topic a bit, but that all aside... I am more proud of the work I did there
than at any other place in my career. I got a lot of excitement and engaged
feedback about the interactive learning materials I created.

I'll never know if it made any difference, but the mere fact that someone's
son or daughter COULD have noticed an IED threat they wouldn't have otherwise
because of my work gives me all sorts of proud fuzzies.

That work had way more meaning than all the other CRUD/ML/Advertainment
schlock I'll get to do for the rest of my life :)

~~~
noxToken
> I just checked the certificate of networthiness page and they don't have a
> valid SSL certificate. I recall that being the case years ago too. I wonder
> if it's been that way for the last 7 years? That's a cute little terrarium
> of the whole biome I remember.

That's not quite true. Internal use sites don't have a valid cert _issued by a
"default" external vendor_.

Public sites use existing CAs that are in use by the public. E.g., the Marines
public facing site[0] is signed by DigiCert. If you go to a site that's public
facing but for internal use like MoL[1], you'll see that the cert is issued by
an internal DoD CA. This is intentional.

The DoD has an internal CA already set up. These internal use sites are a
gateway to sensitive information, so the DoD doesn't want to rely on an
external CA for HTTPS. What I never understood was why these internal CAs
weren't marked as trusted on the internal machines. That would avoid the
browser warnings when accessing one of these sites from DoD hardware, and it
would (in theory) force the user to double check when accessing the site from
an external device.

[0]: [https://www.marines.com/](https://www.marines.com/)

[1]: [https://mol.tfs.usmc.mil/mol](https://mol.tfs.usmc.mil/mol)

~~~
rkeene2
They are trusted by internal machines -- since a lot of internal
authentication relies on these certificates. The DOD long ago moved away from
password-based authentication mechanisms to certificate-based authentication
(GSC-IS initially (CAC), now NIST SP 800-73 (PIV; CAC II)) and so the system
will have the correct certificates or the user generally won't be able to
log in.

What I find as the most common error is that users set up an alternate browser
(such as Firefox) that does not use the system certificate store and then lack
the system's local certificate authorities.

Additionally, DOD PKI is now cross-signed with Federal PKI (FPKI), so it's
larger than the DOD now and other agencies also use the same smartcards (PIV).

~~~
noxToken
This bit is curious. I was issued a CAC while I was in, and as you said, it
eliminated the need for passwords. But the internal sites (no matter if it was
a laptop from the comm section, a hardwired desktop in a unit's building, or a
desktop in a base facility) always failed the check for the certificate store.
I _always_ got the security warning (or insecure message) regardless of
browser.

~~~
breatheoften
Slightly off-topic - but it's semi-relevant here as this conversation involves
the requirement of knowing (1) the state of the system security store (2) the
state of an application's security store ... and maybe in some cases (3)
understanding how an application modifies any trusted stores.

It seems we end up with a lot of possibilities for the states of these stores
to diverge from our expectations ... I've been wondering how to verify a sane
state for all these stores for even a use as simple as my own personally
owned/controlled notebook ...

I'd really like a way to audit the system trust store in macOS and enforce
that it is in alignment with whatever the current 'blessed by apple' certificate
trust relationships are and that any trust relationships I ever manually added
by mistake/debugging have been removed...

I asked a question about this on stackoverflow but no one has responded ...

[https://stackoverflow.com/questions/52527886/revert-all-cert...](https://stackoverflow.com/questions/52527886/revert-all-certificate-trust-relationships-to-system-default-on-macos-10-mojave)

~~~
rkeene2
I don't know the answer to your StackOverflow question as I don't use
macOS/Mac OS X.

What I ended up doing to help this process along is including the relevant
certificates inside my DOD Smartcard PKCS#11 module as certificate objects
(with, of course, no corresponding private key objects).

For applications that use PKCS#11 (such as Firefox, via NSS), this means that
when the module is loaded the appropriate certificates are also made available
automatically. This was also (I believe) supported by the "TokenD" driver used
to support macOS/Mac OS X so that enabling this driver made those certificates
available and provided by the token, so no modifications to the local macOS
system trust store were needed.
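As an added example (not code from this thread, from Apple, or from any DoD tool), the script below audits a PEM trust store the way the two comments above describe: it compares the bundle currently on a machine against a known-good vendor baseline plus an allowlist of deliberately added enterprise roots (the kind rkeene2 ships inside the smartcard module), and reports roots that were added by hand and never removed as well as expected roots that are missing. The sample "certificates" are constructed stand-ins (base64 of short labels, not real X.509), because the audit only hashes the DER bytes and never parses the certificate, so it behaves identically on a real bundle such as the output of `security find-certificate -a -p` on macOS.

```python
"""Trust-store drift audit: constructed example, not from the thread or any vendor.

Compares the certificates in a machine's current PEM bundle against a baseline
(the vendor defaults) plus an allowlist of approved extra roots (for example an
enterprise CA distributed via a smartcard module), and reports roots that were
added by hand and never removed, and expected roots that are missing.
"""
import base64
import hashlib
import re

# Matches each PEM certificate block; the body is base64-encoded DER.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_bundle: str) -> set:
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle.

    The fingerprint hashes the DER bytes, the same value browsers and
    'openssl x509 -noout -fingerprint -sha256' display, so the output can be
    compared with values produced by any other tool without parsing X.509.
    """
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit(current_pem: str, baseline_pem: str, approved_extra_pem: str = "") -> dict:
    """Report drift between the current store and what it should contain."""
    current = fingerprints(current_pem)
    expected = fingerprints(baseline_pem) | fingerprints(approved_extra_pem)
    return {
        "unexpected": sorted(current - expected),  # added by hand, never removed
        "missing": sorted(expected - current),     # vendor/approved root absent
    }


def fake_cert(label: bytes) -> str:
    """Constructed stand-in for a certificate: a PEM block whose 'DER' is just
    the label bytes. Real bundles work the same because only the bytes are hashed."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample stores.
VENDOR_BASELINE = fake_cert(b"VENDOR-ROOT-A") + fake_cert(b"VENDOR-ROOT-B")
APPROVED_EXTRA = fake_cert(b"ENTERPRISE-ROOT")          # deliberately added CA
DEBUG_ROOT = fake_cert(b"DEBUG-ROOT-ADDED-LAST-YEAR")   # forgotten manual addition
CURRENT_STORE = fake_cert(b"VENDOR-ROOT-A") + APPROVED_EXTRA + DEBUG_ROOT


def run_sample() -> dict:
    """Audit the constructed current store; returns the drift report."""
    return audit(CURRENT_STORE, VENDOR_BASELINE, APPROVED_EXTRA)


if __name__ == "__main__":
    report = run_sample()
    for kind, fps in report.items():
        for fp in fps:
            print(f"{kind}: {fp}")
```

Running it on the constructed stores flags the forgotten debug root as unexpected and the missing vendor root B; on a real machine you would feed it the exported bundle, the vendor's published root list, and the fingerprints of the enterprise roots you intend to trust.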

------
hlieberman
If you are interested in helping the US Government fix this particular
trashfire, consider joining the Defense Digital Service. We work on a variety
of DoD projects as part of the US Digital Service "tech peace corps".
[https://www.dds.mil/](https://www.dds.mil/)

If you're not ready for that level of commitment (though it's amazing work),
and you're interested in being involved as a security researcher, reach out to
me and we can talk about joining our bug bounty program.

~~~
iaabtpbtpnn
If this intrigued anyone else, just a quick summary: 3-6 week interview
process, no relocation assistance, no bonuses, no equity, citizenship
requirement, oh and the kicker: drug testing.

~~~
hlieberman
Yup! We’re all employees of the federal government, so we have to meet the
requirements of all Federal positions.

Honestly, you don’t do this job for the money. I took a pay cut when I joined,
on top of losing bonuses and equity. You join because you want to make a real
difference in people’s lives, in a visceral, real way.

I can say without exaggeration that there are people who would have died
except for the work that our team had done. Even when the stakes aren’t life
or death, the impact you can have working for USDS is massive compared to
anywhere else. You can personally change the lives of hundreds of thousands or
millions of people. That’s the kind of hook that beats equity for me any day.

~~~
BurnGpuBurn
> You join because you want to make a real difference in people’s lives, in a
> visceral, real way.

What that difference may entail varies greatly though. For one, it might be
not being blown up by that IED. For another, it might be being bombed to bits
at your cousin's wedding, along with the other 40 members of your family, by a
drone operator in Nevada. Very visceral indeed.

If you think that working for the military is "doing good" and the US is oh so
innocent I suggest you watch the excellent documentary The Untold History of
the United States by Oliver Stone [0].

[0] [https://en.wikipedia.org/wiki/The_Untold_History_of_the_Unit...](https://en.wikipedia.org/wiki/The_Untold_History_of_the_United_States)

------
unit91
I was an operator on a weapon system within the last decade that did not use
encryption. I was horrified, naturally, but the explanations were:

1. Well, this is rapid deployment, we can't have everything.

2. The enemy here is fairly low-tech. Shouldn't be a problem.

Needless to say, I'm not surprised by this report.

~~~
WrtCdEvrydy
> The enemy here is fairly low-tech. Shouldn't be a problem.

Would be perfectly acceptable if your hardware was only used for 2-3 years
against only low tech enemies that don't have access to electricity during
that whole time.

~~~
maxxxxx
I think this can be a downfall of the US military if they ever get into a
conflict with a capable enemy. They are so used to using super complex and
expensive weapons against enemies who can't really put up a resistance. I
wonder what would happen to the B-2 bomber or aircraft carriers if they had to
fight China. My guess is these weapons would be eliminated very quickly.

~~~
orf
> They are so used to use super complex and expensive weapons against enemies
> who can't really put up a resistance.

Tell that to Vietnam and Afghanistan. Historically the US does well against
standing armies (Iraq for example), but absolutely terribly against low-tech
enemies who don't engage in a way that allows these super high tech weapons to
be used effectively.

Reminds me of this:
[http://www.kiplingsociety.co.uk/poems_arith.htm](http://www.kiplingsociety.co.uk/poems_arith.htm)

    A scrimmage in a Border Station-
    A canter down some dark defile
    Two thousand pounds of education
    Drops to a ten-rupee jezail[1].
    The Crammer's boast, the Squadron's pride,
    Shot like a rabbit in a ride!

1. [https://en.wikipedia.org/wiki/Jezail](https://en.wikipedia.org/wiki/Jezail)

~~~
maxxxxx
I meant it in the sense of an enemy that can take on the high tech weapons.
Since the Korean War nobody has challenged the high tech equipment in a
meaningful way.

~~~
rphlx
I have to quibble with that a bit. The US regularly overflew the USSR and
China through at least the mid 70s, meaning our best aircraft were in a very
real sense fighting their best air defense systems 20 years+ after the Korean
war ended.

There have almost certainly been satellite, submarine and other engagements
too, they just aren't generally publicized by either side until 30-40+ years
later.

~~~
maxxxxx
True. However, I think in a real shooting war those aircraft could be attacked
by a huge number of low tech weapons and get overwhelmed. From what I know
about warfare often large numbers will eventually overwhelm every kind of
defense. For example could an aircraft carrier handle 10000 incoming drones? I
hope we'll never find out...

~~~
killjoywashere
10,000 drones? How big a drone are we talking? They would have to be big
enough to carry a weapon big enough to penetrate at least 1/2" steel (at the
thinnest, only accessible from the side). If out to sea, a small EMP could
drop them all.

Battles won by numerical superiority are usually won by defenders. If it's an
invader, it's almost certainly early in the game. Even at the end of WW2,
Germany wasn't invaded so much as it lost in France and Russia. The Allied
rush to Berlin was an early aftermath. By the time supply chains necessary to
conduct a protracted war have been committed, the true cost starts making
invaders progressively less interested.

A more interesting concern is the major powers using proxies to demonstrate
their new tech. If Russia sold Syria 10,000 drones, that might get
interesting.

~~~
titzer
> Even at the end of WW2, Germany wasn't invaded so much as it lost in France
> and Russia

Sorry, no. Germany was very quickly overrun in 1945.

[https://commons.wikimedia.org/wiki/File:1945-05-01GerWW2Batt...](https://commons.wikimedia.org/wiki/File:1945-05-01GerWW2BattlefrontAtlas.jpg)
[https://commons.wikimedia.org/wiki/File:1945-05-15GerWW2Batt...](https://commons.wikimedia.org/wiki/File:1945-05-15GerWW2BattlefrontAtlas.jpg)

~~~
emiliobumachar
What they possibly meant was: the war was already lost when they got invaded
at all.

~~~
maxxxxx
That certainly was true. The war was already lost when they were still deeply
into Russia. The last 2 years of WW2 were just trying to fight off the
inevitable.

------
the_duke
> Nearly all major acquisition programs that were operationally tested between
> 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries
> could compromise.

It's not too surprising and a little reminiscent of the security nightmare
that are IoT devices.

All those weapon systems come out of hardware/engineering companies with
little background in software engineering and the accompanying security best
practices.

~~~
pbhjpbhj
They don't know how to hire a security advisor or external team?

What I'd be most concerned about is that the procurement process is favouring
companies who clearly aren't up to designing in rudimentary security, in
weapons systems, ... smh.

That seems like getting clothing made and not having anyone flag that it was
glued together with PVA instead of being sewn; and the company you hired not
having anyone who realises that's a fundamental problem.

~~~
drak0n1c
Meanwhile, the software companies capable of fixing these issues face internal
revolt at the idea of defense contracts. Apparently inaccurate targeting
systems and vulnerable firmware in equipment that is going to be deployed
(regardless of protest) is better for pacifism?

~~~
amanaplanacanal
It's a conundrum. Do you not work on it, and have innocent people accidentally
killed? Or do you work on it, and have innocent people purposefully killed?

~~~
drak0n1c
I think it is reasonable to assume that the number of innocent people that the
military is intentionally trying to kill is less than the number of innocent
people accidentally killed by imprecise munitions, miscommunication, lack of
verification/impulsivity, and bad sensors/intel (areas where technology
helps).

For perspective, not too long ago during WW2 and following wars the best
measures we had were napalm firebombs and binoculars. Civilian deaths were
much higher, and friendly fire incidents were commonplace. Technology, despite
dystopic appearances, has helped reduce the brutality of war.

------
samstave
When I was at Lockheed - we were building the RFID tracking systems they used
to track various everythings all over - and they were trying to make it a part
of the Port Security for every port... and even had Tom Ridge join the
board...

well, I recall asking about the security of the systems (I was the IT lead and
was to help design the global port tracking system which they hoped to track
all shipping containers) -- there was no encryption/authentication on _any_ of
the tags.

If you had a reader, you could read/write the tags.

They had not even thought about securing these systems - and they were trying
to tout them as a security system for weapons shipments. They even had tags
that had G-sensors that were to be able to tell you if a munition was dropped,
if it had armed (some weapons will only arm themselves once a certain g-force
is reached which indicates to the weapon they have been launched.)
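The tag design described above (any reader can read or rewrite tag memory) is exactly what a message authenticator addresses. The following is an added example, not Lockheed's code and not the format of any real tag: a hypothetical 21-byte tag record (container id, status flags such as "dropped" and "armed", and a write counter) in its bare form beside a form protected by an HMAC-SHA256 truncated to 16 bytes under a per-tag key. A reader that rewrites the status byte succeeds silently against the bare record, while the authenticated reader detects the tampering and also rejects a replayed older record via the counter. The key, field layout and flag values are assumptions made for the example.

```python
"""Constructed example of tag-record authentication; not Lockheed's code nor a real tag format.

Shows why a writable tag without an authenticator can be silently altered by
anyone holding a reader, and how an HMAC plus a write counter lets the reading
side detect both tampering and replay of an old record.
"""
import hashlib
import hmac
import struct

# Hypothetical per-tag key. In a real deployment each tag would get its own
# key derived from a master key held by the authorised writers, never a constant.
TAG_KEY = b"example-per-tag-key-not-for-real-use"

# Hypothetical status flags carried on the tag.
FLAG_DROPPED = 0x01   # g-sensor saw a shock event
FLAG_ARMED = 0x02     # g-sensor saw the arming g-force

RECORD_FMT = ">16sBI"   # container id, status flags, write counter (21 bytes)
MAC_LEN = 16            # truncated HMAC-SHA256 appended to the record


# --- the original design: bare fields, no authentication -------------------
def encode_bare(container_id: str, status: int, counter: int) -> bytes:
    return struct.pack(RECORD_FMT, container_id.encode(), status, counter)


def decode_bare(payload: bytes) -> tuple:
    cid, status, counter = struct.unpack(RECORD_FMT, payload)
    return cid.rstrip(b"\0").decode(), status, counter


# --- the hardened form: record || HMAC(key, record) --------------------------
def encode_authenticated(key: bytes, container_id: str, status: int, counter: int) -> bytes:
    body = encode_bare(container_id, status, counter)
    mac = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


def verify_authenticated(key: bytes, payload: bytes, last_counter: int) -> tuple:
    """Return (container_id, status, counter) or raise ValueError.

    last_counter is the highest counter the reading side has already accepted
    for this tag; a record with a counter at or below it is a replay/rollback.
    """
    body, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        raise ValueError("authenticator mismatch: record was altered or forged")
    cid, status, counter = decode_bare(body)
    if counter <= last_counter:
        raise ValueError("stale counter: replayed or rolled-back record")
    return cid, status, counter


def rejects(key: bytes, payload: bytes, last_counter: int) -> bool:
    """True if the authenticated reader refuses the record."""
    try:
        verify_authenticated(key, payload, last_counter)
    except ValueError:
        return True
    return False


def overwrite_status(payload: bytes, new_status: int) -> bytes:
    """What an unauthorised writer does: rewrite the status byte (offset 16 in both formats)."""
    return payload[:16] + bytes([new_status]) + payload[17:]


if __name__ == "__main__":
    armed = FLAG_DROPPED | FLAG_ARMED
    bare = encode_bare("CONT-0001", armed, 7)
    print("bare record after tampering:", decode_bare(overwrite_status(bare, 0)))
    auth = encode_authenticated(TAG_KEY, "CONT-0001", armed, 7)
    print("genuine record accepted:", verify_authenticated(TAG_KEY, auth, 6))
    print("tampered record rejected:", rejects(TAG_KEY, overwrite_status(auth, 0), 6))
    print("replayed record rejected:", rejects(TAG_KEY, auth, 7))
```

The authenticator only protects integrity and origin, not confidentiality: the container id and flags are still readable by anyone with a reader, so a deployment that also needs to hide what a tag says would encrypt the body before computing the MAC.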

------
degenerate
The graphic on page 26 of the report is kind of cute:
[https://i.imgur.com/MWrM2i8.png](https://i.imgur.com/MWrM2i8.png)

The inclusion of this graphic makes me realize the report is not intended to
explain the situation to engineers. It's to explain the problem to well-
decorated higher ups that probably don't understand modern technology all that
well, yet are calling all the budget shots.

------
Animats
The US is going to lose a war this way.

~~~
ceejayoz
Is there any reason to believe the state of Russian/Chinese/etc. security is
any better in this regard?

~~~
dleslie
Russia's aging military hardware is an asset in this case, as it's not as
vulnerable to electronic intrusion as a result of having little to intrude.

~~~
noobermin
Then there's a good argument the billions the DOD spends on its "modernization
efforts" should be spent elsewhere.

------
1001101
Now they can queue up some multi-billion dollar contracts to fix it. I'm in
the wrong business.

~~~
_audakel
Lol let's do a startup

------
underthelevel
Telnet: the backbone of our Defense Industry

------
jvanderbot
"Another test team reported that they caused a pop-up message to appear on
users’ terminals instructing them to insert two quarters to continue
operating."

------
sesteel
A ton of commercial systems have similar vulnerabilities. Teslas have gotten
hacked remotely a multitude of times over several years. People who
attack/hack systems are specialized in ways that those engineers that build
systems are not. None of this should be all that surprising. New
recommendations on proper system design should mean future programs should
have budgets to hire people to mitigate these problems. However, it should
always be assumed there are vulnerabilities that can be exploited by others;
any claims to the contrary should be met with extreme skepticism.

------
titzer
It's like, on a civilizational level, we're just begging for a scenario where
we accidentally destroy ourselves.

------
remarkEon
Most of the comments outline how awful and dire the situation is (or probably
is).

I'm less interested in this than I am in what we could do to fix it. Is it
just more money to hire competent security engineers? Is it a more responsive
talent acquisitions process that gets the right people in at the right time?

~~~
arink
There is no motivation on the defense contractor side to do anything more than
satisfy the requirements of the contract. And any R&D spent should result in
an interesting demonstration that brings in more business.

Standard operating procedure would need to change so the government entity has
security as a requirement, details on how the requirement can be satisfied,
and a bunch of money to pay for it.

So tack on $X million for each contract to have a 3rd party audit the code,
documentation, and hardware for security vulnerabilities. And an added
maintenance contract to fix any future vulnerabilities for the lifetime of the
program (20+ years most likely).

From the higher up side, what do you get for all that money spent? No new
functionality, no fancy demos. Going to be hard to convince them security is
important when they can fund something they view as more critical or more
interesting.

EDIT: To answer the question of what can be done, I think it'd require a
culture change on the contracting side. The engineering side of the house is
mandated to only do work that relates directly to the contract. The hours bid
will likely be for the minimum necessary to satisfy those requirements. You
can create a new interface, but you won't have the time to do any fuzz testing
for example.

------
noobermin
I guess my question then is why have a computer attached to these systems in
the first place, or if you must, why not make it as dumb as possible? Why
include more points of failure?

Also, I couldn't help it, the DOD plans to spend 1.66 Trillion on these
systems! Perhaps if we instead stop making new fangled, more complicated
devices that will have tenfold more vulnerabilities to catch, how about we
just stick with the machines we have and make them hardened. I imagine that it
would save us loads if we just do that.

------
Sniffnoy
Non-mobile link:
[https://www.gao.gov/products/GAO-19-128](https://www.gao.gov/products/GAO-19-128)

------
diogenescynic
Good luck closing the barn door after the horse has bolted:
[https://www.wired.com/2011/11/counterfeit-missile-defense/](https://www.wired.com/2011/11/counterfeit-missile-defense/)

I am no military expert, but it seriously looks like China has us in a
stranglehold.

------
dzonga
$1.7T is a lot of money just to protect your major investments in killing
people efficiently. Modern society I guess.

------
Illniyar
Are these remotely activated systems that are at risk (like drones)? if not,
why is any weapon system that doesn't need remote activation actually plugged
into a public network?

------
gpvos
If I were the Russians, Chinese, or North Koreans, I would heavily invest in
offensive hacking capability. Oh wait, they're already doing that.

------
lifeisstillgood
Silver lining: when the DOD find good ways to harden their systems, we can all
copy them.

Cloud: it's probably unplug the aerial / network cable

~~~
HelloNurse
I'm afraid they need to catch up with the rest of the world before advancing
the state of the art.

The best case scenario is a quick cultural shift, with awareness of computer
security threats overflowing from the military to laws and society in general.

------
ISL
_You'll see things here that look odd, even antiquated to modern eyes. Phones
with cords, awkward manual valves, computers that barely deserve the name. But
all of it is intentional. It's all designed to operate in combat against an
enemy who could infiltrate and disrupt all but the most basic computer
systems.

Of course, those attitudes have changed through the years and Galactica is
something of a relic. A reminder of a time when we were so frightened by the
capabilities of our enemies that we literally looked backward for protection.
Modern battlestars resemble Galactica only in the most superficial ways..._

~~~
admiralEyebrows
No networked computers on my ship.

~~~
enraged_camel
Reminds me of Battlestar Galactica, where all the ships in the fleet get
hacked by Cylons, have their shields taken down and are promptly destroyed, but
Galactica survives because its computers aren't networked.

~~~
dsnuh
There's a reason it reminds you of it...

~~~
enraged_camel
I know the quote is from the series.

~~~
dsnuh
That's even more confusing! :)

------
microcolonel
GDC4S (now General Dynamics Mission Systems) and NICTA have been working on
seL4, and it at least seems that USDOD has _something_ to build on, if they
want to start providing assurances of some form on weapons systems.

They'll really have to set the passwords properly though.

~~~
anon49124
What's eyebrow-raising is that it's been used as a para/virtualization platform
for Linux. (Ordinarily, SELinux MLS/MCS is pretty good though.)

If something like Minix 3 "NetBSD" in Rust ran on seL4, that would inspire
more confidence.

~~~
microcolonel
> _If something like Minix 3 "NetBSD" in Rust ran on seL4, that would inspire
> more confidence._

Yeah, I've been thinking about that for a while. There is Genode/seL4, but
it's hard to say if it makes as much sense.

------
ourmandave
Not to play the Whataboutism card, (proceeds to play whataboutism card), but
has anybody pen tested the Soviets' or Chinese systems?

Just thinking this isn't a U.S. only problem.

~~~
sterlind
"The Soviet Union... I thought you guys broke up?"

[https://youtu.be/yFNRlvEh7ok](https://youtu.be/yFNRlvEh7ok)

