…from Sputnik News, Moscow
[ Editor’s Note: I love to write about Defense Department internal reports as I don’t have to worry about being smeared as “anti-American” the day after. Today’s story is a classic.
In a cyber security test on the F-35 the opposition hackers broke the password in nine seconds. If you are thinking that if they can’t even have the front door secure, you might start worrying what other problems they have inside waiting to be discovered in a combat situation.
This has been happening in the Navy with its new ships, even in 2018, terrible mechanical problems and incompetency revealed in such things like the British new ship engines breaking down in the hotter Asian water climates having to limp home.
If the engineers left that out of the design parameters, and the checkers pretended to miss it, what does that say about the competency of the workers, or the political pressures to bring these systems in on time?
Is the public defense really being served with being buried under in weapons procurement debt, plus never ending expensive maintenance costs? Or are we too lazy or scared to take on the big military industrial complex, hoping that the tooth fairy will take care of it for us… Jim W. Dean ]
– First published … February 21, 2029 –
The two newest versions of the US Army’s Stryker combat vehicle in Europe have “cybersecurity vulnerabilities that can be exploited,” a US Department of Defense report reveals. It’s a growing problem for the US’ high-tech vehicles and weapons systems ‒ and one that reflects the priorities of the military-industrial complex, an expert tells Sputnik.
Sputnik has previously reported on Director of Operational Test and Evaluation (DOT&E) Robert Behler’s report in December 2018 eviscerating the Pentagon’s cybersecurity capabilities, which described how even as it was improving its cyber defense capabilities, the US military was continuing to lose ground against adversaries in cyberspace.
One especially embarrassing incident highlighted by the Government Accountability Office watchdog on October 9 of last year saw Pentagon testers hack the F-35 Joint Strike Fighter’s password in only nine seconds. That’s pretty worrisome for a plane boasted to be a “flying computer” that will serve as the US Air Force’s “quarterback” during an air offensive, as Air Force Chief of Staff David Goldfein said earlier this week.
The Inspector General noted in a January 9 report that the Air Force still had not changed the passwords with problems exposed in the October fiasco.
Behler’s December 2018 report also described the dangers posed to the security of the Stryker, a so-called Interim Armored Vehicle (IAV) manufactured by General Dynamics Land Systems — Canada, saying it “has cybersecurity vulnerabilities that can be exploited.”
DOT&E examined two varieties of the famously modular Stryker slated to become the bread-and-butter of US rifle and scout forces in the 2nd US Cavalry Regiment: the Stryker-Dragoon and the Stryker CROWS-J, or Common Remotely Operated Weapons Station-Javelin. The former has an improved 30-millimeter cannon, and the latter carries a remote launcher for the Javelin anti-tank missile, both of which the Pentagon pushed for out of fear the Strykers would be out-gunned by Russian armor.
However, “in most cases, the exploited vulnerabilities pre-date the integration of the lethality upgrades,” the report notes.
The report is vague as to where the cyber attacks exposing the vulnerability came from as well as which systems were targeted. However, the Drive postulates that the attacks disrupted the Stryker’s data-sharing, navigation or digital communications systems.
Further, the Army Times notes that “the shared language for the two systems and another comment point to something common in the hardware, not the new weaponry, on the Stryker.”
Behler’s recommendations don’t offer much in the way of solutions, though, merely noting the Army should “correct or mitigate cyber vulnerabilities” and “mitigate system design vulnerabilities to threats as identified in the classified report,” which seems like something that really shouldn’t have to be explained. However, changing your stealth fighter’s password after it gets hacked shouldn’t be, either, and yet here we are.
“Security for any system is always a goal but can never be a static state of existence,” web programmer and technologist Chris Garaffa told Sputnik Thursday. “Instead you can have a product that is secure ‘at this moment’ where there are no known vectors for attack.
It’s a cat-and-mouse game with the developers of the hardware and software attempting to prevent or fix vulnerabilities, while on the other side there are security researchers and hackers with a variety of good or bad intentions trying to find these vulnerabilities.”
“Just as this applies to your internet-connected phone, car or TV, it’s also the reality for networked weapons systems like the upgraded Stryker and the F-35 fighter plane,” Garaffa said, noting the GAO report blasted the Pentagon for its lack of preparedness for cyberwarfare.
“The Department of Defense (DOD) faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats,” the GAO’s summary of its October 2018 report warns.
“This state is due to the computerized nature of weapon systems; DOD’s late start in prioritizing weapon systems cybersecurity; and DOD’s nascent understanding of how to develop more secure weapon systems. DOD weapon systems are more software dependent and more networked than ever before.”
However, Garaffa cautioned that the problem isn’t simply one of changing protocols: it’s endemic to the “entire military-industrial complex,” which profits from cutting corners to save costs, resulting “in many cases [in] bare-minimum cyber security.”
“It would be tempting to say that if an enemy was able to hack these systems they could do great damage ‘in the wrong hands,’ but the truth is that these systems will do damage regardless of who controls them,” he said. “Such extreme and preventable lapses in security in any system, regardless of whether it’s a Pentagon system or a consumer product, should be viewed as absolute criminal negligence.”