This site may earn chapter commissions from the links on this page. Terms of use.

Periodically, the government bug reports reminding us that the nuclear missile system runs, in role, on 8-inch floppy disks. It's disgraceful. It's shameful. It'south a sign of authorities rot and poor prioritization.

Well, information technology might be. It's probably non the smartest affair, in all respects, to run nuclear defenses off computers likewise weak to play Zork. But on the other hand, as a new GAO report makes articulate, there are arguably some advantages to running one'due south nuclear defence system off a figurer that can't play Zork. It leaves time for playing Spacewar on a PDP-one!

Merely kidding. It's because our other weapon systems are then riddled with vulnerabilities, you'd remember they were running Windows 98 SE with ActiveX, Active Desktop, and Outlook Limited installed. (Kids, to people of a certain era, that'south practically a death threat). The report starts past noting that for decades, the DoD "did non prioritize" matters of weapon security and is still figuring out how to better address these threats, despite the fact that we've been facing them for decades. This does not bode well for what happens in the adjacent paragraph.

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, withal program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to bones bug such every bit poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of full vulnerabilities due to testing limitations. For example, not all programs take been tested and tests do not reverberate the total range of threats.

In fairness, this isn't quite as bad as it looks — or, rather, information technology'due south exactly equally bad as it looks, just some of these problems are possible to mediate. Tests can be tightened. Password requirements and security training tin can be improved. Vulnerability modeling can be enhanced. So far so good, right?

Unfortunately, the DoD doesn't seem to exist starting from, say, 2022 or fifty-fifty 2006. Think Captain Curiosity's MCU timeline and you'd be closer to the mark. From the report:

Ane examination study indicated that the test team was able to guess an ambassador password in nine seconds. Multiple weapon systems used commercial or open source software, simply did not change the default password when the software was installed, which immune test teams to look up the countersign on the Net and gain ambassador privileges for that software. Multiple test teams reported using costless, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.

NPR writes: "In several instances, but scanning the weapons' computer systems acquired parts of them to close down."

Tests had to exist aborted afterward because the partial shutdown could've put the test squad in danger. Problems, fifty-fifty when identified, are often left unresolved, with the GAO noting that out of 20 issues identified by a previous iteration of a security report with solutions, only one solution had been implemented.

I major reason for the problems? Pay scales. Top security engineers often earn more than than $200K in the private sector, whereas the government isn't known for existence nearly so lucrative.

Now Read: The Pentagon Is Edifice an AI to Find Secret Nuclear Missiles, The United States Nuclear Organization All the same Runs (in Part) on viii-Inch Floppy Disks, and US Air Strength Considers Cut F-35 Orders By a Third