Ultra Intelligence & Communications

DoD: Practice what DHS preaches

November 9th, 2018 / By

Just a few weeks ago, the US Government Accountability Office (GAO) released a report stating that US weapon systems developed between 2012 and 2017 have “mission critical” cyber vulnerabilities. The GAO released its report in response to a Senate Armed Services Committee request, prior to approval of $1.66 trillion in spending by the armed forces to develop current weapon systems. To say the least, the GAO’s findings were alarming. But even more shocking were the granular details of the GAO report – that possibly the most sophisticated and unique weapons system in the world suffered from many of the same security weaknesses as enterprises, including poor password management, a lack of properly patched and updated systems, and unencrypted communication channels. It is particularly ironic that the GAO report was issued in October, the month designated as “Cybersecurity Awareness Month,” when the DHS regularly promotes tips for ensuring protection from cyber-attacks.

The first major issue called out by the GAO was that passwords are by far the weakest link in cybersecurity today. Using nascent to moderate tools and techniques, one GAO test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. According to DHS recommendations, in addition to using secure passwords, the DoD should be using two-factor authentication (2FA) to add an extra step to the basic log-in procedure.

The next callout is that cyber attackers also look for system components that have not applied known security updates or patches. Developers of commercial off-the-shelf (COTS) components (common in weapons systems networks) usually publicly announce any security patches and, ironically, provide a roadmap for an attacker to attack a system or component. The GAO report noted that while network administrators are supposed to apply patches within 21 days of when they are released, fully testing a patch can take months due to the complexity of the system, and so updates are often delayed or just don’t happen at all. Although there are valid reasons for delaying or forgoing weapon systems patches, this means some weapon systems are operating, possibly for extended periods, with known vulnerabilities. DHS recommendations for helping to ward off hackers? Schedule regular updates and install patches when available.

A third tactic essential to cybersecurity today is encryption: scrambling the information carried over a network into a code so that it’s not accessible to others. Using encryption is the most effective way to secure any network from intruders; integrating comprehensive encryption and authentication technology ensures confidentiality and integrity of sensor and network data. 3eTI solutions like WiFiProtect and CyberFence offer strong, certified, off-the-shelf encryption solutions with a key strength up to AES 256 bit. Certified to meet FIPS 140-2 Level 2, Common Criteria and DoDIN APL, 3eTI’s suite of encryption solutions is an easy fit for solutions up to, and including, the US Secret classification level. Through utilization of CNSA (formerly NSA Suite B), 3eTI products provide strong encryption not only for government use, but also for commercial solutions.

“Physician, heal thyself.” “Talk the talk – walk the walk.” “Do as I say, not as I do.” These are all common idioms that basically mean someone’s behavior does not reflect the advice they give. The DoD and the current state of security for its weapons systems should be a cause of real concern as well as a lesson for both businesses and consumers. The DHS provides sound advice on maintaining a stable, safe, and resilient cyber environment – and they’re not preaching just to consumers or enterprise. All federal entities need to pay attention and do it. Having a hacker leak your financial information is definitely a nuisance. Having a hacker launch a fully-armed Minuteman missile towards Russia could be a lot more disastrous.