Nearly all US arms programs found vulnerable to cyber attack

Report highlights infosec holes.

Nearly every US weapons program tested in fiscal 2014 showed "significant vulnerabilities" to cyber attacks, including misconfigured, unpatched and outdated software, the Pentagon's chief weapons tester revealed in his annual report.

Michael Gilmore, director of operational test and evaluation, said program managers had worked to resolve problems discovered in previous years and security was improving, but this year's testing had revealed new vulnerabilities.

"Cyber adversaries have become as serious a threat to US military forces as the air, land, sea and undersea threats represented in operational testing for decades," Gilmore wrote in the 366-page report.

"The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (Department of Defense) networks, and could be in a position to degrade important DOD missions when and if they chose to."

The report comes amid growing attention to cybersecurity within the US government, and was released days after fresh documents leaked by former US intelligence contractor Edward Snowden said China had stolen 50 terabytes of data about the Lockheed Martin F-35 fighter jet.

The Pentagon's F-35 program office said classified data about the new warplane remained secure.

The report said tests of more than 40 weapons revealed problems with cybersecurity, and US troops needed to learn to "fight through" cyber attacks, just as they do now with conventional attacks.

Gilmore said it was troubling that many issues found during operational testing could have been addressed when programs were still in development, and also cited numerous violations of Pentagon password policies.

Even novice techniques had allowed testers to penetrate networks, he reported.

Gilmore said it was critical to follow up cyber testing of weapons with an "adversarial assessment," in which officials pose as enemies and try to hack into systems. He said the US military also had a critical shortfall of cyber personnel.

Cyber testing had grown more realistic, but current cyber ranges needed to be expanded, according to the report. It said the office had worked with military officials to develop "cyber playbooks" and battle drills that allow network "defenders" to practice techniques and tactics.
