Most of the U.S. military’s weapons systems were built without any effort to protect them from cyberattacks on hardware components, and there is evidence that some already have been fitted with digital backdoors, meaning an enemy could make them fail in a real conflict, Pentagon science advisers said.
In its latest report, the Defense Science Board published the results of research by its Task Force on Cyber Supply Chain, concluding that despite the risk, the capital cost of building and maintaining a DoD-owned “foundry” to make its own microchips “is not a feasible expense.”
The task force warns in stark terms that current weapons systems may already have been back-doored, meaning they would be useless — or worse — in a shooting war.
“Of particular concern are the weapons the nation depends upon today,” reads the report, adding “almost all were developed, acquired, and fielded without formal protection plans” to guard against the insertion of malicious components.
“Because system configurations typically remain unchanged for very long periods of time,” microelectronic components that are deliberately built with vulnerabilities, or in which vulnerabilities are discovered by an adversary, remain vulnerable for years and years, the authors note.
Attacks exploiting such vulnerabilities “are especially pernicious because they can be difficult to distinguish from electrical or mechanical failures,” the report states.
“The task force observed instances that may have been unsuccessful attacks on critical weapons systems via malicious insertion,” the report’s authors warn, adding, “It is difficult to know whether such activity is widespread, but the existence of counterfeit electronics in the supply chain demonstrates the potential for such attacks.”
Malicious insertion, when done properly, “will not be detectible until actuated and it may present as a design flaw when ultimately observed,” the report states.
The authors note that “cyber supply chain vulnerabilities may be inserted or discovered throughout the lifecycle of a system” — i.e. at any stage from design, building and deployment through what the military calls sustainment: the routine maintenance and repair of deployed weapons systems.
Because military systems typically take a long time to design and build, and because the market for microelectronics develops so fast, an average of 70 percent of components used in a weapons system are obsolete by the time they are deployed — making it hard to get spare parts from the original manufacturer.
“This may force [the Defense Department] to purchase from distributors where pedigree is less secure and provenance is more difficult to track,” the report states, referring to a gray market of resellers.
“Furthermore, the longer a system is in the field with the same microelectronic parts and embedded software, the more likely it is that adversaries will be able to gain system information and to insert or discover vulnerabilities,” the authors note, concluding that both “malicious insertion and discovery of exploitable latent vulnerabilities are concerns in both the acquisition and sustainment supply chains.”
Weapons systems currently being developed are supposed to include supply chain threats in the security programs that protect them, but “Program protection planning activities are uneven in quality and focus” — with some looking at protection of personnel or system security rather than cyber vulnerabilities.
Even where cyberthreats are included, the authors state that “security and information system managers address security primarily after the system design has been completed” — the opposite of security best practices.
Moreover, program protection planning activities peter out after the acquisition phase, although the threats actually multiply once the weapons system is deployed. “There is little evidence that robust program protection activities continue after a system has been fielded or that documentation is being maintained as the system continues to evolve through sustainment,” the authors state.