Sputnik has previously reported on Director of Operational Test and Evaluation (DOT&E) Robert Behler's report in December 2018 eviscerating the Pentagon's cybersecurity capabilities, which described how even as it was improving its cyber defense capabilities, the US military was continuing to lose ground against adversaries in cyberspace.
One especially embarrassing incident highlighted by the Government Accountability Office watchdog on October 9 of last year saw Pentagon testers hack the F-35 Joint Strike Fighter's password in only nine seconds. That's pretty worrisome for a plane boasted to be a "flying computer" that will serve as the US Air Force's "quarterback" during an air offensive, as Air Force Chief of Staff David Goldfein said earlier this week.
The Inspector General noted in a January 9 report that the Air Force still had not changed the passwords with problems exposed in the October fiasco.
Behler's December 2018 report also described the dangers posed to the security of the Stryker, a so-called Interim Armored Vehicle (IAV) manufactured by General Dynamics Land Systems — Canada, saying it "has cybersecurity vulnerabilities that can be exploited."
DOT&E examined two varieties of the famously modular Stryker slated to become the bread-and-butter of US rifle and scout forces in the 2nd US Cavalry Regiment: the Stryker-Dragoon and the Stryker CROWS-J, or Common Remotely Operated Weapons Station-Javelin. The former has an improved 30-millimeter cannon, and the latter carries a remote launcher for the Javelin anti-tank missile, both of which the Pentagon pushed for out of fear the Strykers would be out-gunned by Russian armor.
However, "in most cases, the exploited vulnerabilities pre-date the integration of the lethality upgrades," the report notes.
The report is vague as to where the cyber attacks exposing the vulnerability came from as well as which systems were targeted. However, the Drive postulates that the attacks disrupted the Stryker's data-sharing, navigation or digital communications systems. Further, the Army Times notes that "the shared language for the two systems and another comment point to something common in the hardware, not the new weaponry, on the Stryker."
Behler's recommendations don't offer much in the way of solutions, though, merely noting the Army should "correct or mitigate cyber vulnerabilities" and "mitigate system design vulnerabilities to threats as identified in the classified report," which seems like something that really shouldn't have to be explained. However, changing your stealth fighter's password after it gets hacked shouldn't be, either, and yet here we are.
"Security for any system is always a goal but can never be a static state of existence," web programmer and technologist Chris Garaffa told Sputnik Thursday. "Instead you can have a product that is secure ‘at this moment' where there are no known vectors for attack. It's a cat-and-mouse game with the developers of the hardware and software attempting to prevent or fix vulnerabilities, while on the other side there are security researchers and hackers with a variety of good or bad intentions trying to find these vulnerabilities."
"Just as this applies to your internet-connected phone, car or TV, it's also the reality for networked weapons systems like the upgraded Stryker and the F-35 fighter plane," Garaffa said, noting the GAO report blasted the Pentagon for its lack of preparedness for cyberwarfare.
"The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats," the GAO's summary of its October 2018 report warns. "This state is due to the computerized nature of weapon systems; DOD's late start in prioritizing weapon systems cybersecurity; and DOD's nascent understanding of how to develop more secure weapon systems. DOD weapon systems are more software dependent and more networked than ever before."
However, Garaffa cautioned that the problem isn't simply one of changing protocols: it's endemic to the "entire military-industrial complex," which profits from cutting corners to save costs, resulting "in many cases [in] bare-minimum cyber security."
"It would be tempting to say that if an enemy was able to hack these systems they could do great damage ‘in the wrong hands,' but the truth is that these systems will do damage regardless of who controls them," he said. "Such extreme and preventable lapses in security in any system, regardless of whether it's a Pentagon system or a consumer product, should be viewed as absolute criminal negligence."