WASHINGTON (Reuters) - The chief U.S. weapons tester said on Tuesday he was working with the Joint Chiefs of Staff to draft military requirements to address widespread cyber vulnerabilities in nearly every arms program and military command.
An announcement is expected soon from the Joint Chiefs, who oversee and set requirements for all military weapons purchases, said Michael Gilmore, the Pentagon’s director of operational test and evaluation.
Gilmore said the office of Navy Admiral James Winnefeld, vice chairman of the Joint Chiefs, has made “a lot of progress” on developing a “sensible and measurable” joint military requirement for cybersecurity.
Gilmore painted a bleak picture of cybersecurity protection across the U.S. military at a conference hosted by the Consortium for IT Software Quality.
Pentagon testers managed to break into military networks and steal or manipulate “really sensitive mission data” and prevent critical networks from operating as needed, he said. At least one military mission in each of 14 major assessments in 2014 was found to have a “high risk of cyber attacks,” he noted.
Problems during testing mirrored issues found during normal operations off the networks, he said, citing publication of default passwords on suppliers’ websites, and regular loss of intellectual property data.
“When we do cybersecurity assessments ... we get in almost every time,” Gilmore said, noting the testing staff generally used novice and intermediate techniques, not even the more sophisticated malicious software used by foreign countries.
Even physically separating or “air gapping” classified and unclassified systems offered little protection, since hackers could use minor connections between systems to break in, Gilmore said.
The military needs to step up operational testing of cybersecurity of weapons programs and military commands, he said, citing lingering resistance from some military commanders who feared problems would be found.
Gilmore documented the problems in an unclassified annual report released in January, but shared a more detailed version with top Pentagon leaders, including Defense Secretary Ash Carter, his deputy Robert Work, and Navy Admiral Winnefeld. He said the officials shared his concerns and were taking steps to correct them.
Winnefeld’s office had no immediate comment on the new requirements, which Gilmore said would complement the Pentagon’s efforts to include cybersecurity in new acquisition rules to be released later this year.
Reporting by Andrea Shalal; Editing by Richard Chang