DOD Just Beginning to Grapple with Scale of Vulnerabilities
"To present information in an unclassified format, we do not disclose details regarding weapon system vulnerabilities, which program offices we interviewed, or which cybersecurity assessments we reviewed. The examples we cite from cybersecurity assessments are unique to each weapon system and are not applicable to all weapon systems. Furthermore, cybersecurity assessment findings are as of a specific date, so vulnerabilities identified during system development may no longer exist when the system is fielded. In addition, we illustrated some concepts using fictitious depictions. In some cases, we were deliberately vague and excluded some details from examples to avoid identifying specific weapon systems. We also presented examples of publicly known attacks in sidebars to illustrate how poor cybersecurity can enable cyber attacks. DOD conducted a security review of the report and cleared it for public release. We will provide a classified briefing of our findings to Congress.
This is our first report specific to cybersecurity in the context of weapon systems acquisitions. For that reason, we did not look in depth at related issues in the context of weapon systems, such as the security of contractor facilities, so-called “Internet of Things” devices, microelectronics, contracting, and industrial control systems. In addition, we are not making recommendations in this report, but plan to continue evaluating key aspects of DOD’s weapon systems cybersecurity efforts in the future."
by GAO
[ed. Full report in .pdf format here. See also: US Weapons Systems Are Easy Cyberattack Targets, New Report Finds. I suppose now we'll have to supplement DoD's 2018 $650 billion defense budget to fix cybersecurity issues that should have been secure from the get-go (fyi: Dept. of Education budget in 2018: $59 billion, a 17 percent decrease from 2017).]