Pentagon office left military designs for body armor, vehicle gear open to hackers, watchdog finds
The office in charge of the U.S. military’s 3D printing left designs for defense technology vulnerable to theft by hackers and adversaries, according to a watchdog report made public on Wednesday.
If left unfixed, the security gaps could lead to a number of nightmare scenarios, including adversaries stealing military designs, compromising Department of Defense networks or even introducing flaws into design data that could make its way into battlefield products, the report’s authors concluded. Designs included blueprints for protective body armor, tactical vehicle gear, weapons systems brackets and prosthetic body parts, according to the report.
The report found that officials were unaware that the systems connected to local networks and the internet. Because the systems were miscategorized, the office failed to conduct a risk assessment required by the department altogether. Officials also failed to monitor removable media entering the systems.
The security gaps would have left a plethora of entry points for hackers. As DHS’ Cybersecurity and Infrastructure Security Agency warns, removable media such as USB drives provide hackers an inexpensive and portable way to infect computers with malware.
Although the Defense Department’s chief information officer disagreed with several recommendations, actions planned by individual offices sufficiently meet the intent of the recommendations, according to the office of the Inspector General. The DoD office in charge of the components manufacturing agreed to update all computer operating systems to the most recent version required by the DoD.
Pentagon officials also missed basic maintenance on systems, including failing to patch a 2019 vulnerability that would have allowed attackers to use unauthorized access to a single computer to jump into others within the network, according to the report. Of the 46 computers attached to the printing tools, 35 hadn’t been updated for more than five years putting the computers and printers connected to them at risk.
Part of the problem was that individuals working with the technology failed to understand how the printers, which the military has ramped up investments in over the past five years, differed from traditional production tools.
“Navy FRC‑SW engineers stated that they treated the AM systems as other manufacturing machines, such as milling and welding machines that did not require consideration of cybersecurity,” the report noted.
The report recommends that the DoD chief information officer require the systems to establish and immediately implement security controls.