Incident: Vulnerabilities in U.S. Military Weapons Systems Exposed to Hacking

Published Date: 2018-10-10

Postmortem Analysis
Timeline
1. The software failure incident happened between 2012 and 2017 as per the report in Article 76390.
2. The incident likely occurred in the years leading up to 2018 based on the timeline mentioned in the articles [76390, 76430].

System
1. Weapons systems being acquired by the American military [76430, 76390]
2. Various emerging weapons, including new generations of missiles, aircraft, and prototypes of new delivery systems for nuclear weapons [76430]
3. Major weapon systems that the federal government is acquiring, including submarines, missiles, cargo rockets, radars, fighter jets, refueling tankers, aircraft carriers, destroyers, satellites, helicopters, and electronic jammers [76430]
4. Columbia-class submarine and the replacement for the nation’s aging Minuteman missiles (Ground Based Strategic Deterrent) [76430]

Responsible Organization
1. Authorized hackers conducted penetration tests on weapons systems being acquired by the American military, revealing vulnerabilities in the systems [Article 76430].
2. Testers hired by the Department of Defense were able to exploit mission-critical cyber vulnerabilities in weapons systems tested between 2012 and 2017 [Article 76390].

Impacted Organization
1. The Department of Defense [Article 76390]
2. The Pentagon [Article 76430]

Software Causes
1. Poor password management and unencrypted communications led to vulnerabilities in weapons systems tested by the Department of Defense [Article 76390].
2. Lack of encryption and basic security hygiene, such as unchanged default passwords, allowed testers to gain control of weapons systems easily [Article 76390].
3. Vulnerabilities in weapons systems were exploited through basic techniques like guessing admin passwords and scanning systems [Article 76390].
4. The Department of Defense had difficulty detecting when testers were probing weapons systems, indicating a lack of effective intrusion detection [Article 76390].

Non-software Causes
1. Poor password management and unencrypted communications [Article 76390]
2. Lack of encryption and basic security hygiene [Article 76390]
3. Default passwords not changed on weapons systems [Article 76390]
4. Lack of understanding and detection of intrusion attempts by administrators [Article 76390]

Impacts
1. The software failure incident allowed authorized hackers to quickly seize control of weapons systems being acquired by the American military, potentially neutralizing them within hours. This exposed vulnerabilities in a range of emerging weapons, including missiles, aircraft, and prototypes of new delivery systems for nuclear weapons [76430].
2. Test teams were able to manipulate the operators' terminals, see real-time data, and even cause pop-up messages instructing users to insert coins to continue operating the systems, highlighting the extent of control gained by the hackers [76430].
3. The incident revealed that the Pentagon's weapon systems were penetrated through easy-to-crack passwords and lacked protections against insider threats, indicating a lack of robust cybersecurity measures in place [76430].
4. The software failure incident raised concerns about the Defense Department's past failure to prioritize weapon systems cybersecurity, emphasizing the need for a new weapons security paradigm to address the vulnerabilities [76390].
5. The report highlighted that almost all weapons tested by the Department of Defense between 2012 and 2017 had "mission critical" cyber vulnerabilities, with testers able to take control of systems using simple tools and techniques due to poor password management and unencrypted communications [76390].
6. The vulnerabilities identified in the incident were not limited to specific systems but likely affected an entire generation of weapons systems that were designed and built without adequately considering cybersecurity, indicating a systemic issue within the Defense Department [76390].

Preventions
1. Implementing strong password management practices, such as using complex passwords and regularly changing them, could have prevented the incident [Article 76430, Article 76390].
2. Encrypting communications within the systems could have enhanced security and prevented unauthorized access [Article 76390].
3. Conducting thorough cybersecurity assessments during the development phase of the weapons systems could have identified and addressed vulnerabilities before they became critical [Article 76390].
4. Regularly updating and patching software vulnerabilities, as demonstrated by the bug-bounty program, could have mitigated risks [Article 76390].
5. Enhancing monitoring and detection capabilities to quickly identify and respond to potential intrusions could have prevented prolonged unauthorized access [Article 76390].

Fixes
1. Implementing strong password management practices and encryption protocols to prevent unauthorized access to weapons systems [76430, 76390].
2. Conducting thorough cybersecurity assessments and penetration testing on all weapons systems to identify and address vulnerabilities [76430, 76390].
3. Enhancing monitoring and detection systems to quickly identify and respond to potential cyber intrusions [76430, 76390].
4. Prioritizing cybersecurity in the design and development of new weapons systems to build them with inherent security features [76430, 76390].
5. Establishing a new weapons security paradigm within the Department of Defense to address the evolving cyber threats effectively [76390].

References
1. The US Government Accountability Office [Article 76430, Article 76390]
2. Department of Defense (DOD) [Article 76390]
3. Senate Armed Services Committee [Article 76390]
4. Officials at various DOD offices [Article 76390]
5. R. David Edelman, former White House cybersecurity adviser [Article 76390]
6. NSA officials [Article 76390]
7. Caolionn O’Connell, military acquisition and technology expert at Rand Corporation [Article 76390]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The articles report on a software failure incident within the Department of Defense (DOD) where almost all weapons tested between 2012 and 2017 had "mission critical" cyber vulnerabilities [Article 76390].
- The vulnerabilities included poor password management, unencrypted communications, and basic security hygiene issues [Article 76390].
- Testers were able to take control of systems and operate undetected due to these vulnerabilities [Article 76390].
- The DOD officials overseeing the systems appeared dismissive of the results, indicating a lack of awareness or action regarding the cybersecurity threats [Article 76390].
(b) The software failure incident having happened again at multiple_organization:
- The articles mention that the vulnerabilities in the DOD's weapons systems are not unique to the department and highlight a broader issue in the defense sector regarding cybersecurity vulnerabilities [Article 76390].
- The report by the Government Accountability Office suggests that the DOD likely has an entire generation of systems designed and built without adequately considering cybersecurity, indicating a systemic problem across multiple organizations in the defense sector [Article 76390].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The articles discuss software failure incidents related to the development phases, particularly in the design aspect. The failures were attributed to vulnerabilities introduced during system development and updates. The Government Accountability Office report highlighted that many weapons systems under development by the Pentagon were found to have cybersecurity vulnerabilities that could be exploited by hackers [76430, 76390]. These vulnerabilities were due to factors such as poor password management, unencrypted communications, and basic security hygiene issues introduced during the design and development phases of the systems. Testers were able to gain control of systems and operate undetected, indicating weaknesses in the design and development processes that left the systems susceptible to cyberattacks.
(b) The articles also touch upon software failure incidents related to the operation phase, specifically due to factors introduced by the operation or misuse of the systems. The report by the Government Accountability Office mentioned that testers were able to take control of weapons systems and operate undetected for extended periods, despite being intentionally "noisy" during their activities [76390]. This indicates a failure in the operation phase where administrators were unable to detect unauthorized access and activities within the systems. Additionally, the report highlighted instances where testers were able to guess admin passwords quickly or exploit basic vulnerabilities in the systems, showcasing operational weaknesses that allowed for unauthorized access and control.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) The software failure incident reported in the articles is primarily within_system. The failures were due to vulnerabilities within the Department of Defense's weapons systems themselves, such as poor password management, unencrypted communications, and lack of basic security hygiene [76390]. Testers were able to take control of systems and operate undetected, highlighting the weaknesses originating from within the systems [76390]. Additionally, the report mentioned that the Department of Defense had a hard time detecting when testers were probing the weapons, indicating internal system vulnerabilities [76390].
(b) The software failure incident also involved outside_system factors. The incident involved authorized hackers seizing control of weapons systems, indicating external threats exploiting vulnerabilities within the systems [76430]. The report highlighted that the Department of Defense was facing cybersecurity threats from external sources, emphasizing the importance of addressing vulnerabilities originating from outside the systems [76390].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The articles report that authorized hackers were able to seize control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities. The report by the Government Accountability Office concluded that many of the weapons or the systems that control them could be neutralized within hours [76430].
- Testers were able to take control of systems and operate undetected due to basic issues such as poor password management and unencrypted communications. The report highlighted vulnerabilities in the department’s weapon systems that began with poor basic password security or lack of encryption [76390].
(b) The software failure incident occurring due to human actions:
- The articles mention that testers were able to guess admin passwords on weapons systems in a short amount of time, and some weapons used commercial or open-source software with default passwords not being changed [76390].
- The report also highlighted that program officials believed their systems were secure and discounted some test results as unrealistic, indicating a level of complacency or dismissal of cybersecurity concerns by human actors overseeing the systems [76390].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The articles do not provide specific information about a software failure incident occurring due to hardware-related contributing factors.
(b) The articles discuss software failure incidents due to contributing factors that originate in software. The reports highlight how testers were able to exploit vulnerabilities in weapons systems due to poor password management, unencrypted communications, and lack of encryption [76390]. Testers were able to guess admin passwords in seconds, shut down systems by scanning them, and gain full control of systems within hours [76390]. The Department of Defense (DOD) testers found significant vulnerabilities in weapon systems, and the DOD had difficulty detecting when testers were probing the systems [76390]. The GAO report emphasized that the DOD needs a new weapons security paradigm to address the cybersecurity vulnerabilities in its systems [76390].

Category: Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale:
(a) The software failure incident reported in the articles is malicious in nature. The incident involved authorized hackers seizing control of weapons systems being acquired by the American military in a test of the Pentagon’s digital vulnerabilities. The hackers were able to neutralize many weapons systems within hours, with testers taking control of operators' terminals, manipulating the systems, and causing disruptions like pop-up messages instructing users to insert coins to continue operating [76430]. The incident highlighted serious cybersecurity vulnerabilities in the weapons systems, indicating a deliberate attempt to exploit weaknesses in the systems for malicious purposes.
(b) The software failure incident is also non-malicious in nature. The vulnerabilities in the weapons systems were identified through penetration tests conducted by the Department of Defense itself between 2012 and 2017. Testers were able to exploit basic issues such as poor password management and unencrypted communications to take control of systems and operate undetected. The report emphasized that the DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity, indicating unintentional vulnerabilities introduced during the development and testing phases [76390].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident was related to poor decisions made in the Department of Defense regarding cybersecurity vulnerabilities in weapons systems [76390].
- The report by the Government Accountability Office highlighted that the Department of Defense had an entire generation of systems designed and built without adequately considering cybersecurity, leading to mission-critical cyber vulnerabilities [76390].
- Testers were able to exploit vulnerabilities in weapons systems due to basic issues such as poor password management and unencrypted communications, indicating poor decisions in system security measures [76390].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident was not primarily related to accidental decisions but rather to systemic issues and poor cybersecurity practices within the Department of Defense [76390].
- Testers were able to exploit vulnerabilities in weapons systems due to poor basic security hygiene, such as weak passwords and lack of encryption, rather than accidental decisions [76390].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The articles highlight that the Department of Defense (DOD) remains in denial about cybersecurity threats to its weapons systems, with almost all weapons tested between 2012 and 2017 having "mission critical" cyber vulnerabilities [Article 76390].
- The report by the Government Accountability Office concluded that the DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity, indicating a lack of professional competence in addressing cybersecurity vulnerabilities in weapon systems [Article 76390].
(b) The software failure incident occurring accidentally:
- The articles mention that testers were able to take control of systems and operate undetected due to basic issues such as poor password management and unencrypted communications, indicating failures introduced accidentally [Article 76390].
- The report also highlights instances where testers were able to guess admin passwords quickly, shut down systems by scanning them, and take full control of weapons systems within a short period, showcasing accidental vulnerabilities that were exploited during testing [Article 76390].

Category: Duration
Option: temporary
Rationale:
The software failure incident reported in the articles can be categorized as a temporary failure. The incident involved vulnerabilities in the Department of Defense's weapons systems that were exploited by testers during penetration tests conducted between 2012 and 2017 [76390]. Testers were able to take control of systems and operate undetected due to basic issues such as poor password management and unencrypted communications. The vulnerabilities were identified through testing, indicating that the failure was temporary and not a permanent issue introduced by all circumstances. Additionally, the report highlighted that the Department of Defense was only beginning to grapple with the scale of vulnerabilities in its weapons systems, suggesting that the failure was due to specific circumstances rather than inherent flaws in the systems [76390].

Category: Behaviour
Option: omission, other
Rationale:
(a) crash: The articles do not specifically mention a software failure incident related to a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The articles discuss software vulnerabilities that allowed testers to take control of weapons systems and operate undetected due to basic issues such as poor password management and unencrypted communications. Testers were able to partially shut down a weapons system by scanning it, and in some cases, testers were able to take full control of the weapons systems [Article 76390].
(c) timing: The articles do not mention a software failure incident related to timing, where the system performs its intended functions correctly but too late or too early.
(d) value: The articles do not specifically mention a software failure incident related to the system performing its intended functions incorrectly.
(e) byzantine: The articles do not explicitly mention a software failure incident related to the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behavior of the software failure incident described in the articles includes testers being able to gain control of weapons systems, operate undetected, shut down systems, and take full control of the systems due to vulnerabilities in password management and unencrypted communications [Article 76390].

IoT System Layer

Layer: Perception
Option: unknown
Rationale:
(a) sensor: Failure due to contributing factors introduced by sensor error
- The articles do not specifically mention failures related to sensors in the cyber physical system. Therefore, it is unknown if the failure was related to sensor errors.

Layer: Communication
Option: unknown
Rationale:
The articles do not provide specific information about a software failure incident related to the communication layer of the cyber physical system that failed.

Layer: Application
Option: TRUE
Rationale:
The software failure incident reported in the articles was related to the application layer of the cyber physical system. The failure was due to poor password management, unencrypted communications, and basic security issues such as default passwords not being changed, which allowed testers to take control of systems and operate undetected [Article 76390]. Testers were able to guess admin passwords in seconds, shut down systems by scanning them, and gain full control of systems within hours [Article 76390]. Additionally, the Department of Defense (DOD) officials overseeing the systems believed they were secure and discounted test results, despite testers finding mission-critical cyber vulnerabilities in systems under development [Article 76390]. This indicates that the failure was indeed related to the application layer of the cyber physical system, as it was caused by bugs, poor security practices, and unhandled exceptions.

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) death: There is no mention of people losing their lives due to the software failure incident in the provided articles [76430, 76390].
(b) harm: The articles do not mention people being physically harmed due to the software failure incident [76430, 76390].
(c) basic: There is no information about people's access to food or shelter being impacted due to the software failure incident [76430, 76390].
(d) property: People's material goods, money, or data were impacted due to the software failure incident as vulnerabilities in weapons systems were exploited by hackers, potentially compromising national security and defense systems [76430, 76390].
(e) delay: There is no mention of people having to postpone an activity due to the software failure incident in the articles [76430, 76390].
(f) non-human: Non-human entities were impacted due to the software failure incident as vulnerabilities in weapons systems, including submarines, missiles, aircraft, and electronic jammers, were exploited by hackers [76430, 76390].
(g) no_consequence: There were real observed consequences of the software failure incident, particularly in terms of national security vulnerabilities and potential exploitation of weapon systems [76430, 76390].
(h) theoretical_consequence: The articles discuss potential consequences of the software failure incident, such as the risk of cyberattacks on nuclear weapons systems and the catastrophic consequences that could result from such attacks [76430, 76390].
(i) other: The articles do not mention any other specific consequences of the software failure incident beyond those discussed in the options (a) to (h) [76430, 76390].

Category: Domain
Option: government
Rationale:
(a) The failed system was related to the defense industry, specifically the Department of Defense's weapons systems. The software vulnerabilities identified in the articles were in weapons systems being acquired by the American military, highlighting critical cybersecurity weaknesses in these systems [76430, 76390].
(l) The failed system also had implications for the government sector, particularly in the realm of defense and national security. The Department of Defense's weapons systems, which were found to have significant cyber vulnerabilities, are crucial components of the government's defense infrastructure [76430, 76390].
