The US military is lagging behind on cybersecurity and struggling to implement its own strategies to shore up defenses against threat actors, a government watchdog has said.
The US Department of Defense (DOD) has come under repeated fire from the Government Accountability Office (GAO) in recent years for failing to upgrade its protection against cyber sabotage of its military equipment.
“In short, I would say there has been some progress in addressing the gaps we found – but not a lot,” Joseph Kirschbaum of the GAO told CyberNews.
The watchdog director was referring to a damning report released in 2020 and a follow-up open letter last year, in which the GAO raised the urgency of most of the key recommendations outlined in the original document. As an example, one of the GAO’s cybersecurity reviews found that of ten core tasks recommended, four had not been done, and the status of the rest could not be determined because no one in the US military had been assigned to report on them.
These findings came despite the assertion of government cybersecurity advisors that nine in ten attacks could be averted by “implementing basic cyber hygiene and sharing best practices” – suggesting that the US military is not taking cybersecurity seriously.
“The DOD’s response to many of the recommendations we made indicated they intended to take few actions or that they believed some of the incomplete cyber initiatives we identified were no longer relevant,” added Kirschbaum. But he went on to say that the US government had “provided no evidence that the initiatives we highlighted were outdated.”
Though the US government was continuing to work with the GAO, Kirschbaum said that it remained “strong on strategy and weak on implementation.”
“The latter takes much more time, focus, and energy,” he added. “It is also the important part of making sure strategy - of any kind - is realized.”
Digital danger for the US
The comments are worrying, in light of the US military’s increased reliance on self-driving or autonomous vehicles, drones, and digital-based command networks to conduct operations.
Asked whether adversary states such as Iran or North Korea could use cyber mercenaries to hack into US military equipment, David Leichner of automotive cybersecurity firm Cybellum said: “It’s not a chance, it’s a guarantee. Iran and North Korea have already shown their cyber capabilities. They are constantly trying to break into command-and-control centers, systems, and equipment.”
Any equipment using Wi-Fi, Bluetooth, or satellite links is exposed to attack, in his view. “The more critical the equipment, the more of a target it is,” added Leichner.
Not all experts are quite so alarmist. While agreeing that any equipment using wireless communication technology – for instance, drones and unmanned naval vessels – could be vulnerable to attack, former Israeli intelligence officer Lionel Sigal of cybersecurity firm CYE stressed that military equipment typically communicates over strongly encrypted channels, which makes it much harder to hack.
But he cautioned that threat actors could find other vectors to target military installations, for instance by attacking supply-chain networks. “Military systems are complex and use many subcontractors,” said Sigal. “Attackers can take advantage of this to gain access for a computer network attack to cause damage.” Attacks on radio-frequency links could also be used to disrupt military command-and-control networks.
Sigal also pointed to the patience of state-sponsored threat actors, who might be prepared to spend years on a complex operation to target Western military installations.
“When it comes to weapons projects, the attack surface is relatively big and the attacker has a lot of opportunity and time because of the nature of the project,” he said. “These projects usually contain many parts and suppliers, and take a long time, even years. State-level attackers can execute cross-domain ongoing attacks that include cyber [systems], supply chains, operations on the ground, and human intelligence.”
Hackers have their own limits
Autonomous vehicles are particularly at risk because, to function effectively in the field, they require constant network connectivity, which in turn “creates a path to be hacked,” according to Ronald Nixon, cybersecurity architect for US defense contractor Sev1Tech.
But he stressed that there are limits as to what hackers can do, and remote controlling military vehicles or drones would require expertise that is beyond most threat actors.
“Disabling autonomous [vehicles] or misdirecting their programming is much easier than taking over control or modifying their behavior, which would require knowledge of the autonomous system at the code level,” said Nixon. “It can be done, but the talent base to modify vehicle programming is still relatively small.”
On the other hand, attacks on shared technologies such as network connectivity or GPS positioning “are in the toolbox of most black-hat types.” These would allow hackers to fool an autonomous vehicle into thinking it was somewhere it is not: the digital data feeds that self-driving vehicles depend on travel over networks that can be knocked out with distributed denial of service (DDoS) attacks or compromised with false data.
The danger posed by organized criminal gangs is only compounded by zero-day exploit brokers such as Zerodium, which buy undisclosed vulnerabilities and resell them to the highest bidder – often states that can afford their prices.
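To make the “compromised with false data” and “DDoS” points above concrete, here is an added example that is not code from the article or from any of the companies quoted. It shows a consumer-side plausibility check on a position feed: it assumes a hypothetical vehicle with a known maximum speed, a constructed sequence of GPS-style fixes (including one spoofed jump, one stall in the feed and one out-of-order timestamp), and flags any fix that would require the vehicle to have moved faster than it physically can, as well as gaps where the feed has stopped arriving. The thresholds and the fix data are illustrative assumptions, not figures from the article.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius, metres


@dataclass(frozen=True)
class Fix:
    """One position report from the navigation feed (assumed format)."""
    t: float    # seconds since the start of the feed
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_feed(fixes: List[Fix], max_speed_mps: float, max_gap_s: float) -> List[Tuple[int, str]]:
    """Walk a position feed and return (index, reason) for every anomaly.

    The reference point is the last *accepted* fix, so a single spoofed fix
    is rejected on its own and does not drag genuine later fixes down with it.
    A stall is reported but the fix that ends it is still speed-checked
    against the last good fix, so a plausible resume is accepted.
    """
    anomalies: List[Tuple[int, str]] = []
    last_ok: Optional[Fix] = None
    for i, f in enumerate(fixes):
        if last_ok is not None:
            dt = f.t - last_ok.t
            if dt <= 0:
                # replayed or reordered report: never accept it as a reference
                anomalies.append((i, "non-monotonic timestamp"))
                continue
            if dt > max_gap_s:
                # the denial-of-service case: the feed went quiet
                anomalies.append((i, f"feed stalled for {dt:.0f}s"))
            speed = haversine_m(last_ok, f) / dt
            if speed > max_speed_mps:
                # the false-data case: the vehicle cannot have got here this fast
                anomalies.append((i, f"implied speed {speed:.0f} m/s exceeds {max_speed_mps:.0f} m/s"))
                continue
        last_ok = f
    return anomalies


# Constructed sample feed: a vehicle heading north at roughly 11 m/s
# (0.0001 degrees of latitude per second), with three injected faults.
SAMPLE_FIXES = [
    Fix(0.0, 38.0000, -77.0000),
    Fix(1.0, 38.0001, -77.0000),
    Fix(2.0, 38.0002, -77.0000),
    Fix(3.0, 38.0003, -77.0000),
    Fix(4.0, 38.0100, -77.0000),   # spoofed: ~1.1 km jump in one second
    Fix(5.0, 38.0005, -77.0000),   # genuine again, consistent with fix 3
    Fix(125.0, 38.0017, -77.0000), # feed was silent for 120 s, position plausible
    Fix(124.0, 38.0018, -77.0000), # out-of-order report
]

# Assumed vehicle limits: 30 m/s top speed, alarm after 30 s without a fix.
MAX_SPEED_MPS = 30.0
MAX_GAP_S = 30.0


if __name__ == "__main__":
    for idx, reason in check_feed(SAMPLE_FIXES, MAX_SPEED_MPS, MAX_GAP_S):
        print(f"fix {idx}: {reason}")
```

Run as a script it lists the three injected faults and nothing else. A real controller would feed the same check from an inertial sensor or odometry rather than trusting the navigation link alone, but the structure is the same: every external fix is tested against what the vehicle itself knows to be physically possible before it is allowed to steer anything.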
However, only the most sophisticated of threat actors could orchestrate such complex cyber campaigns. “Usually, military systems are developed in closed networks,” said Sigal. “It is possible to attack a supply-chain company and through that make your way to the closed network, [but] these kinds of operations are complex and require high-level capabilities and technologies.”
When asked what steps he believed the US military was taking to counter such increasingly sophisticated attacks, Sigal said: “We don’t know exactly what the US does, but we can assume it implements some of the following recommendations – secure code and development methods, strong cybersecurity with regards to the supply chain, and strong encryption in radio frequency channels.”
He also urged the US government to ensure it protects its hardware during the research and development phase, not just at the operational level. In a 2019 survey by the National Defense Industrial Association, nearly half of the defense contractors serving the American military with more than 500 staff reported having suffered at least one cyberattack.
“Companies that develop military equipment are at high risk of state and superpower cyber attacks, as part of the new era of warfare and intelligence gathering,” said Sigal, adding that threat actors were also emboldened by a growing sense of impunity. “Hackers do as much damage as possible from a distance and with a high level of deniability.”
Human error also a risk
However, other observers believe the military should worry more about social engineering or phishing attacks directed at high-ranking officers than cyberattacks on its equipment.
“The most vulnerable points of entry for the US military are people rather than electronic systems,” said Chris Olson, head of digital security firm Media Trust. “It wouldn’t surprise me to find foreign adversaries spending more time targeting personnel through propaganda, social engineering and phishing attacks than equipment. One compromised army officer can divulge more sensitive information than attackers could glean through months of digital penetration and reconnaissance.”
“We have seen increased activity from foreign actors targeting military academies and training bases through the web and mobile applications. Micro-targeting and data collected by digital third parties enable attackers to find and exploit the most vulnerable targets.”