Many of the Defense Department’s most complex and expensive weapons systems may suffer from critical software vulnerabilities, according to an Oct. 9 report from the Government Accountability Office. A governmentwide shortage of cybersecurity professionals has only exacerbated the problem.
Over a five-year period ending in 2017, Pentagon security analysts “routinely found mission-critical vulnerabilities in nearly all weapon systems under development,” according to the report.
“These weapons are essential to maintaining our nation’s military superiority and for deterrence,” the government’s top watchdog wrote in a letter to Senate Armed Services Committee leaders. “Cyber attacks can target any weapon subsystem dependent on software, potentially leading to an inability to complete military missions or even loss of life.”
Because the Pentagon only prioritized hardening its weapons platforms against cyberattacks in 2015, it doesn’t yet fully understand the scope of the threat, the report said.
Although the Pentagon has since taken steps to prevent vulnerabilities, its inability to recruit and retain skilled cybersecurity professionals represents a “systemic” challenge, the GAO said. With the cyber talent shortage unlikely to improve anytime soon, Pentagon officials will need to identify alternative approaches to ensuring that security vulnerabilities are caught and fixed before weapons systems reach the field.
A “Systemic” Challenge
The Pentagon is hardly the only federal agency facing a cybersecurity skills gap. Agencies have experimented with dozens of approaches to attract and hold onto trained security professionals, from incentive payments, to student loan forgiveness, to scholarships. But ultimately it may come down to the numbers.
The report referenced a 2014 study by the RAND Corporation, which found that penetration testers – individuals skilled at “hacking” systems to detect and remediate vulnerabilities on behalf of their employer – can earn as much as $200,000 to $250,000 a year in the private sector. That kind of salary “greatly exceeds DOD’s pay scale,” the GAO said.
In addition, as Pentagon officials told GAO, “general cybersecurity expertise is not the same as weapon systems expertise.” The skills needed to detect and eliminate vulnerabilities in weapons systems are more specialized, requiring security training as well as a sophisticated understanding of the systems in question.
With cybersecurity skills in high demand and short supply, expect Pentagon officials – as well as other agencies in a similar position – to respond by sharing skilled personnel across organizations, automating, outsourcing, and shifting cybersecurity responsibilities upstream in the development process to focus on vulnerability prevention, rather than detection.
“We are continuously strengthening our defensive posture through network hardening, improved cybersecurity, and working with our international allies and partners and our Defense Industrial Base and Defense Critical Infrastructure partners to secure critical information,” Pentagon spokesperson Audricia M. Harris wrote in a statement.
One way organizations around the world are dealing with systemic shortages of security professionals is by adopting a “shift left” strategy. It works by giving developers and systems engineers additional security tools and training. That way they’re able to write code that’s more secure and catch vulnerabilities earlier in the production process when they’re less costly to fix. Organizations can then redeploy their security teams more strategically.
This may mean that much of the burden for improving the security of U.S. weapons systems will fall to the systems integrators themselves. Meanwhile, the government will contract out more of its penetration testing responsibilities to specialized security firms, and adopt more of a policy and governance role.
Getting the Basics Right
One of the GAO report’s most glaring findings was the Pentagon’s basic lack of security hygiene. In many cases, penetration testers were able to exploit preventable vulnerabilities, such as weak passwords or missing encryption.
“One test report indicated the test team was able to guess an administrator password in nine seconds,” GAO wrote. In another case, one system that relied on open-source software still used a default password, allowing penetration testers to “look up the password on the Internet and gain administrator privileges.”
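The lapses the GAO describes here are the kind a simple, repeatable hygiene audit catches before a test team does: a credential still set to a vendor default, a password short enough to fall to guessing in seconds, or a service talking without encryption. The following Python is an added example and is not code from the GAO report, the Pentagon, or any test team; the inventory entries, the default-credential list, the 60-bit threshold and the guess rate are all constructed for illustration.

```python
import math
import string

# Constructed list of vendor default credentials for illustration only.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("user", "user"),
}

# Constructed sample inventory, shaped like what a configuration-management
# export might contain: one service per entry, with the credential it accepts
# and whether its management interface is encrypted.
SAMPLE_INVENTORY = [
    {"service": "telemetry-db", "user": "admin", "password": "admin", "encrypted": False},
    {"service": "maint-console", "user": "ops", "password": "Summer18", "encrypted": True},
    {"service": "bus-gateway", "user": "svc_bus", "password": "rX9#vQ2p!mL7&wZ4", "encrypted": True},
]


def keyspace_bits(password: str) -> float:
    """Upper-bound strength estimate: bits of keyspace implied by the
    character classes the password actually uses. Dictionary words score
    higher than they deserve, which is why default-credential matching
    runs first in audit()."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def expected_guess_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Expected time for a guesser at the given rate (an assumed, constructed
    figure) to cover half the keyspace of this password."""
    return 2 ** keyspace_bits(password) / 2 / guesses_per_second


def audit(inventory, min_bits: float = 60.0):
    """Return (service, finding) pairs for every preventable lapse found.
    The 60-bit floor is an assumed policy value, not one from the report."""
    findings = []
    for entry in inventory:
        creds = (entry["user"], entry["password"])
        if creds in DEFAULT_CREDENTIALS:
            findings.append((entry["service"], "default credential"))
        elif keyspace_bits(entry["password"]) < min_bits:
            findings.append((entry["service"], "weak password"))
        if not entry["encrypted"]:
            findings.append((entry["service"], "missing encryption"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_INVENTORY):
        print(f"{service}: {finding}")
```

Running this over the constructed inventory flags the default credential and the unencrypted interface on `telemetry-db` and the weak password on `maint-console`, while the long random password on `bus-gateway` passes. The check is deliberately ordered: a default credential is a known value, so it is reported regardless of how strong the string would look to an entropy estimate.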
Once vulnerabilities were identified, they weren’t always addressed. In one instance, only one out of 20 bugs detected in a previous test had been fixed. Program officials attributed it to contractor error. These are the types of lapses that could undermine a company’s chances of winning recompete opportunities.
In addition, some Pentagon officials initially disputed the tests, asserting that they were “unrealistic” and could not be replicated in a real-world situation, the report alleged. For example, some attacks required direct access to the systems in question or data supplied to the penetration testers by defense officials.
If anything, the tests might have been too easy, experts from the National Security Agency told the GAO. Unlike penetration testers hired to audit Pentagon systems, they said, “adversaries are not subject to the types of limitations imposed on test teams, such as time constraints and limited funding.”
Although by GAO’s account the Pentagon is making progress, this report should serve as a wake-up call. The cybersecurity talent gap is real, and will be for some time. But that doesn’t mean agencies can’t take practical steps to eliminate preventable errors.
Chris Cornillie is a federal market analyst with Bloomberg Government.
To contact the analyst on this story: Chris Cornillie in Washington at firstname.lastname@example.org