From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Protecting Military Weapon Systems from Cyberattacks

Description: The Department of Defense is increasingly fielding high-tech weapon systems to maintain U.S. battlefield superiority. However, these sophisticated, expensive weapon systems are at risk of cyberattacks. In 2018, we reported that DOD had only recently begun to prioritize the cybersecurity of weapon systems. GAO's Bill Russell provides an update on DOD's efforts.

Related GAO Work: GAO-21-179, Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors

Released: March 2021

[Intro music]

[Bill Russell:] If you don't get good cybersecurity requirements into the contract, you can't expect to get it.

[Music]

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--celebrating one hundred years of fact-based, non-partisan government oversight. I'm Holly Hobbs. The Department of Defense is increasingly fielding high-tech weapon systems to maintain U.S. battlefield superiority. However, these sophisticated, expensive weapon systems are at risk of cyberattacks. In 2018, we reported that DOD had only recently begun prioritizing the cybersecurity of weapon systems. Today, we'll get an update on DOD's efforts from GAO's Bill Russell--an expert on defense security and a director in our Contracting and National Security Acquisitions Team--who has a new report out on this issue. Thank you for joining us Bill!

[Bill Russell:] Thanks for having me, Holly!

[Holly Hobbs:] So Bill, can you start by giving us some examples of the type of high-tech weapon systems that are at risk of cyberattacks?

[Bill Russell:] Sure, a good example--if you think about, the Army has fighting vehicles and tanks. Traditionally, those would be standalone systems.
But the next generations, imagine things like having autonomous and semi-autonomous drones that would accompany the fighting vehicle. And you can see having those systems networked and working together provides a lot of advantages. But that also creates cyber-vulnerabilities that have to be guarded against.

[Holly Hobbs:] And what could go wrong if these systems were attacked?

[Bill Russell:] The key for all of these systems is that they need to work effectively on the battlefield. DOD is making sure those are cyber-resilient, which basically means they could still achieve their mission despite a cyberattack. And our adversaries are really investing a lot of time and energy in their offensive cyber capabilities for just that reason--to attack the networks and other things as a way of mitigating some of those U.S. military advantages.

[Holly Hobbs:] So, since 2018, our last report, what steps has DOD taken to protect these weapons systems?

[Bill Russell:] Certainly we've seen some enhanced cyber testing. They issued a risk management framework that helps the military department and other programs to think about cybersecurity controls that they could implement. Those are positive steps but you have to translate all of that information into sound contract requirements. Because ultimately if the cybersecurity requirements are not in these weapon system contracts, you're not going to get it from the contractors. And we found a number of incidences in some of the contracts we looked in major weapons programs where there were no cybersecurity requirements, or if they were there they were so general that it wasn't clear how a contractor would actually execute and make sure those systems are cyber-secure.

[Holly Hobbs:] Why was this only a priority starting in 2018 or around 2018? Why wasn't it a priority earlier? We've known about cyberattacks for a while.

[Bill Russell:] Traditionally DOD has focused its cybersecurity efforts on protecting its IT networks.
And it hadn't really thought or focused its energy to recognize the transitions that a lot of its weapon systems were making from these standalone systems like a tank or a jet fighter to the real networked, complex, sophisticated approaches that they were evolving in their weapons programs. DOD has taken some steps to try to bake in good cybersecurity practices earlier in the acquisition process, but they still have a ways to go. It's much easier to make things cyber-secure when you're designing the system versus discovering a problem after you've already fielded the system and then trying to retrofit the solution later, which is much more expensive and much more complicated.

[Holly Hobbs:] So given that, are there any steps that we're looking for DOD to take?

[Bill Russell:] Certainly. We point out that it's very to have specific, defined requirements, and then ultimately have a good process for how you're going to verify the requirements have been met. Just as an example - in some of the weapon system contracts we looked at ---very specific requirements around the torque of a specific bolt. How much vibration a set component could withstand to meet requirements. Versus looking at the cybersecurity requirements, which were either very general or were not there. So, we focused on what the military departments could do to improve guidance and provide other direction to the acquisition programs in translating some of the broad concepts and frameworks to a tailored approach that you can put into the actual weapon system contracts to improve outcomes.

[Music]

[Holly Hobbs:] So, it sounds like the Department of Defense was delayed in taking action to prioritize the cybersecurity of sophisticated and expensive weapon. And that while DOD has taken steps to protect these systems, there is still work to be done. Bill, did we make any recommendations to help DOD protect these systems?

[Bill Russell:] We did.
We made recommendations to the Army and the Department of the Navy, which includes the Marine Corps, to provide better guidance to their acquisition programs on how to incorporate real tailored weapon system cybersecurity requirements that have clear acceptance criteria and a means to verify that the contractors have delivered on those requirements into their weapon system contracts. And that's aimed to ensure that you can measure and think about cybersecurity of these weapon systems early in development. That it's baked into the process right from the beginning right into the actual development contracts.

[Holly Hobbs:] And last question Bill, what's the bottom line of this report?

[Bill Russell:] The bottom line is really, cybersecurity requirements are really important; and if they're not in the contract, you can't expect to get it.

[Holly Hobbs:] That was Bill Russell talking about GAO's recent review of weapon systems cybersecurity. Thank you for your time Bill!

[Bill Russell:] Thank you, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.