DOD is actually doing a good job in keeping some of its weapons secure

Each branch of the military and U.S. Special Operations Command demonstrated timely analysis and reaction to cyberthreats, which earned them a pat-on-the-back from the DOD IG.
A B-2 Spirit bomber deployed from Whiteman Air Force Base, Missouri, is parked on the flightline at Joint Base Pearl Harbor-Hickam, Hawaii, Jan. 10, 2019. B-2s were one of the systems recently audited by the IG. (U.S. Air Force photo by 2nd Lt. Allen Palmer)

The Department of Defense — which has struggled to secure its IT, especially in its supply chain — has met most of the cybersecurity best practices for keeping critical weapons systems secure, according to an inspector general report.

The report, published Friday, was conducted as a checkup on the cybersecurity of weapons later in their lifecycles. Each branch of the military and U.S. Special Operations Command demonstrated timely analysis and reaction to cyberthreats, which earned them a pat-on-the-back from the IG.

“We identified best practices employed by program officials that ensured that information gathered and analysis performed was sufficient to identify and mitigate potential malicious activity, cyber vulnerabilities, and threats; and assess the effectiveness of protection measures within the weapon system for data and cyber resiliency,” the report stated.

The report looked specifically at the operations and support phase of the acquisition lifecycle, which is the last phase, in which weapons are used and sustained through repairs and updates. Operations and support lasts for years, making it a ripe time for damaging cyberattacks as systems age and are in use. Leaders have warned that weapons systems remain vulnerable and must be constantly monitored, since even slight variations in control could undermine trust in, and the accuracy of, their deployment.


The report dove into five systems, including the B-2 Spirit Bomber and guided missiles used by the Navy. The many other weapons systems not inspected in this report should learn from the best practices implemented on the five systems the IG audited, the report noted.

“We did not identify any internal control weaknesses related to developing and updating cybersecurity requirements based on risk for the programs we assessed,” it said.

One of the critical best practices was the timely sharing of information, a difficult function for siloed government agencies. When offices for different systems share information about new cyberthreats, patches and risk-reduction measures could be deployed more quickly. The IG pointed to working groups that different agencies and program offices formed to boost collaboration on threat assessment and risk mitigation as a best practice others should adopt.

“Program officials for all weapon systems should consider the best practices described in this report when developing plans and procedures for reducing cybersecurity risks within their programs,” the report stated.
