A new report found more than 400 cybersecurity vulnerabilities across dozens of Defense Department programs, including the Navy’s Consolidated Afloat Networks and Enterprise Services (CANES) and the DoD Automated Biometric Identification System.
The findings were included in an annual report by DoD’s Office of the Director for Operational Test and Evaluation and released Jan. 29. The office assessed 33 DoD programs in fiscal 2012 and 2013. Half of the 400 security vulnerabilities were identified as category one, meaning they could allow “debilitating compromise” to DoD systems.
As of November 2012, CANES had 29 category one vulnerabilities and 172 less severe vulnerabilities, the report found. It isn’t clear how many of those issues have been resolved, but the report’s most recent recommendations suggest the Navy mitigate outstanding cyber vulnerabilities prior to initial operational test and evaluation.
CANES will replace legacy networks on ships, submarines and shore sites.
“The majority of system vulnerabilities discovered in operational testing over the last two years could and probably should have been identified and resolved prior to these tests,” Director Michael Gilmore said of the 400 vulnerabilities.
“There is general agreement that systems must be assessed for cybersecurity earlier in a system’s development,” Gilmore said in the report, adding that his office is collaborating with the under secretary of defense for acquisition, technology and logistics to revise cybersecurity policy to address the shortfall.
Among the category one vulnerabilities, the most common were out-of-date or unpatched software, configurations containing known vulnerabilities, and default passwords left in place on fielded systems, the report noted.
Eighty-nine percent of the 400 vulnerabilities could have been found in developmental testing; the remaining 11 percent required an operational test to uncover.
“Testing over the past several years has indicated the need to move the discovery and resolution of system vulnerabilities earlier in program development, and the revised cybersecurity [test and evaluation] process addresses this need,” Gilmore said in the report.