The less-hyped, but more realistic threats to US national security

Weapons systems cybersecurity threat

U.S. weapons systems heavily depend on software, IT, and networking to achieve their intended performance. Weapons systems are connected to an extensive set of networks within the Department of Defense (DOD). Some weapons systems are connected to external networks of subcontractors while other systems are connected to non-networked systems that connect to the internet. A successful compromise of any of these systems may allow a cyberattacker to gain access to other systems through the network interconnections.

A Government Accountability Office (GAO) report highlighted that our weapons system vulnerability stems from the fact that DOD historically focused on the cybersecurity of its networks but not the weapons systems themselves. DOD’s cyberfocus was on the use and operation of weapon system hardware rather than on the IT systems that support the use and operation of the weapons and critical IT capabilities embedded with those systems. Alarmingly, GAO reported that until recently, cyber survivability was not factored into “Requirements,” the most important system capabilities that must be met when developing weapons systems. As a result, there was limited emphasis on cybersecurity during weapons system design. Further, GAO reported until around 2014, weapons system testing was limited due to absence of cybersecurity requirements. GAO concluded that nearly all major weapons systems acquisition programs that were operationally tested between 2012 and 2017 had mission critical cyber vulnerabilities that adversaries could compromise.