Untold lines of code make Pentagon weapons vulnerable

DOD officials are up against a daunting challenge in making weapons systems more secure from hackers.


There are nine million lines of code in the F-35 joint strike fighter jet, and support systems include 15 million more. (Image: F-35 / Wikipedia)

Weapons systems remain vulnerable to hacking despite the billions of dollars the Defense Department spends annually on cybersecurity, Pentagon officials have acknowledged. Frank Kendall, the department’s top acquisition official, is taking a stab at the problem through his latest round of guidance, but he appears to be up against formidable foes in the scope of the threat and the cost of addressing it.

There are nine million lines of code in the F-35 joint strike fighter jet, plus 15 million lines in support systems, according to Richard Stiennon, chief research analyst at IT-Harvest. Cleaning up all the code in the weapons systems being produced for DOD would by itself cost hundreds of billions of dollars, reckoned Stiennon, who is writing a book on cyber warfare. “In other words, if we ever go to war with a sophisticated adversary, or have a battle, they could pull out their cyber weapons and make us look pretty foolish,” he said.

Big weapons are, in essence, “big computers” because of their reliance on IT, and that reliance is a boon for potential adversaries, said Carl Herberger, a former electronic warfare officer in the Air Force.

“From an adversarial perspective, [what is] really wonderful about this issue is that they really get to level the playing field in a way” that would not otherwise be possible, added Herberger, who is now vice president of security solutions at Radware, a data security firm.

A U.S. government document leaked by former National Security Agency contractor Edward Snowden and published by German newspaper Der Spiegel alleged Chinese hackers have stolen terabytes of data on the F-35 program.

Kendall, the undersecretary of Defense for acquisition, technology and logistics, has made cybersecurity in weapons a key piece of Better Buying Power 3.0, the latest round of acquisition guidance to the services and all other DOD components. “Each service, each program has got to go through and ensure that the fielded systems, as well as the ones in development, are as secure as we can reasonably make them,” he told reporters recently. “Many of the things that are in the field today were not developed and fielded with cybersecurity in mind. So the threat has sort of evolved over the time that they’ve been out there.”

Each military branch’s component of Cyber Command has a role in trying to make weapons systems more secure. Lt. Gen. Edward Cardon, head of Army Cyber Command, said in a recent interview that he was “absolutely” concerned by the cyber vulnerabilities inherent in weapons systems. However, many Army systems – such as tanks – can still operate in a “degraded mode” if hacked, Cardon said, adding that the same may not be true for aircraft and ships.

Cardon said it is important to focus on the vulnerabilities that are most pressing, and that he has drawn inspiration from a YouTube video of white-hat hacker Dan Guido explaining this prioritization. In the 2011 video, Guido asserts that of the thousands of vulnerabilities made public every year, only about 15 are “critically important” to all Internet users because they are exploitable.

Does the Army have such a list of exploitable vulnerabilities in weapons systems?

“I think we’re working on it,” Cardon said. “There’s growing recognition that [we, as a society, are] hooking things up to the Internet that we never intended to hook up to the Internet. That’s part of the problem.”

Stiennon of IT-Harvest said cyber vulnerabilities have been baked into the defense acquisition system. “The Pentagon made a mistake common to many manufacturers,” he wrote in an op-ed in November 2014. “They assumed that because their systems were proprietary and distribution was controlled there would be no hacking, no vulnerabilities discovered, and no patch-management cycles to fix them. This is security by obscurity, an approach that always fails over time.”

Monetary help could be on the way from Congress. The fiscal 2016 defense policy bill the Senate Armed Services Committee recently approved would authorize $200 million for “a new initiative to enable the services to begin evaluating all major weapons systems for cyber vulnerabilities,” according to a markup summary. Faced with such a daunting challenge, the operative word in that initiative could be “begin.”