US Weapons Systems Vulnerable to Cyber Attacks

Authorized hackers were quickly able to seize control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities, according to a new and eye-opening government review.

The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hacking.

A public version of the study, published last week, deleted all names and descriptions of which systems were attacked so the report could be published without tipping off American adversaries about the vulnerabilities. Congress is receiving the classified version of the report, which specifies which among the $1.6 trillion in weapons systems that the Pentagon is acquiring from defense contractors were affected.

But even the declassified review painted a terrifying picture of weaknesses in a range of emerging weapons, from new generations of missiles and aircraft to prototypes of new delivery systems for nuclear weapons.

“In one case, the test team took control of the operators’ terminals,” the report said. “They could see, in real time, what the operators were seeing on their screens and could manipulate the system” — a technique reminiscent of what Russian hackers did to a Ukrainian power grid two years ago.

The Government Accountability Office, the investigative arm of Congress, described “red team” hackers who were pitted against cyberdefenders at the Pentagon. The tested weapons were among a total of 86 weapons systems under development; many were penetrated either through easy-to-crack passwords, or because they had few protections against “insiders” working on elements of the programs.

Sometimes the testing teams toyed with their Pentagon targets. One team “reported that they caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

The searing assessment comes after years of warnings about the vulnerabilities of the military systems — some of which the Government Accountability Office said were ignored — and just as President Trump gives American commanders more flexibility to deploy cyberweapons without obtaining presidential approval.

It also suggests that the United States is vulnerable to cyberattacks when it seeks to disable enemy systems.

Nuclear weapons themselves were not included in the report; they are mostly controlled by the Energy Department, which oversees their design and testing. But nuclear weapons have become a focus of increasing scrutiny, both inside and outside the defense establishment.

Last month, the Nuclear Threat Initiative, a group that studies nuclear threats, published a detailed report about the risks that nuclear weapons systems could be subject to cyberattacks. It warned that such attacks “could have catastrophic consequences,” including the risk that weapons could be used in response to “false warnings or miscalculation.”

“The world’s most lethal weapons are vulnerable to stealthy attacks from stealthy enemies — attacks that could have catastrophic consequences,” former Energy Secretary Ernest J. Moniz, former Senator Sam Nunn and former Defense Minister Des Browne of Britain wrote in that report.

“Today, that fact remains the chilling reality,” wrote the three Cold War veterans. “Cyberthreats are expanding and evolving at a breathtaking rate, and governments are not keeping pace. It is essential that the U.S. government and all nuclear-armed states catch up with — indeed, get ahead of and stay ahead of — this threat.”

It can be a scary business that we’re in sometimes, huh?

I think all people can ask for is that we have our very best men and women on the case protecting us at all times. And if your business is looking for that kind of protection, look no further than The 20. Contact us today.

I read a great article in the other day that posed that very thought, and so I felt I should share a bit of it with you. It serves as a nice follow up to the blog I wrote a couple of weeks ago, “Should I Be Concerned About Cybersecurity?”

First of all, did you know that cyberattacks jumped 32% between the first quarters of 2017 and 2018, according to a recent report? And yet many businesses assume their IT infrastructure is still secure.

Some entrepreneurs realize their security measures aren’t top-notch, but they don’t consider their companies targets because they don’t move billions of dollars each year. However, hackers aren’t just after money —  63% of those attacks specifically targeted data and credentials.

These numbers highlight why companies need up-to-date cybersecurity measures to effectively prevent, detect, respond to, and recover from cyberattacks.

Their cyberthreat report goes on to explain why you may want to think twice — even if you believe your company’s cybersecurity is taken care of.

Here are excerpts of their reasons:

1. Financial institutions aren’t as secure as you think.

The range of cyberattacks in 2017 was more varied than ever before, but banking and financial institutions still bore the brunt of the attacks. These attacks included infecting ATMs with malware that could be easily bought on the darknet and stealing funds straight out of victims’ accounts in more than 10 international financial organizations.

When these organizations’ cybersecurity measures failed, the situation was often made worse by insurance companies refusing to reimburse the losses incurred.

2. Every piece of data is valuable to hackers.

Almost every attack at banking and financial institutions is aimed at financial gain, but a recent report also showed that malware attacks increased by 75% during the last year, collecting information such as account logins, answers to security questions, Social Security numbers, and more.

Companies outside the financial sector don’t usually house customer financial data in their systems, but if you utilize a web application, your customers have to build profiles with personal data.

3. Even smart employees get phished.

Phishing attacks have proven to be one of the most prolific ways for hackers to get malware into companies’ systems. A cybersecurity report by Barracuda noted more than 10,000 unique phishing attacks in June 2018 alone, and the most successful ones were impersonating well-known companies such as Netflix and Citibank. Even smart employees need to remain diligent for things — like minor spelling errors in unsolicited emails — that could give away the scam.

4. Cybersecurity is an approach, not a single solution.

In response to these threats, Gartner predicts that companies worldwide will spend up to $96 billion on cybersecurity this year. Yet much of that spending will be in reaction to specific breaches rather than focused on implementing holistic, prevention-focused cybersecurity measures. This means many of those measures will still leave entrepreneurs’ organizations vulnerable, especially ones that work with smaller, less secure companies.

It’s common for companies to believe they’re safe from cyberattacks, but it isn’t always true. In 2017, the Online Trust Alliance tracked more than 159,000 cyber incidents. Those breaches cost companies up to $608 billion total, according to McAfee and the Center for Strategic and International Studies. This year, industries have the opportunity to stem the flood of attacks — which begins with acknowledging they may not be as secure as they thought.

Want to learn more about the IT services we deliver, and how we can implement holistic, prevention-focused cybersecurity measures? Contact us today!