Doubtless, large swathes of this story are covered by blankets of classification; it’s one of the governments’ best tools for hiding incompetence. Because – not to mince words – the only way this thing could have happened is massive incompetence.
The Army may have festooned its Stryker fighting vehicles with a slew of new armaments as part of the Pentagon’s relentless pursuit of lethality, but the upgunned infantry carriers are apparently hobbled by a major deficiency that makes them especially vulnerable in a fight against Russia or China.
The Stryker Infantry Carrier Vehicle – Dragoons that are currently flexing their muscles with the 2nd Cavalry Regiment in eastern Europe remain vulnerable to cyber attacks, so much so that “adversaries demonstrated the ability to degrade select capabilities of the ICV-D when operating in contested cyber environment,” according to the Pentagon’s operational testing and evaluation report released last month.
Even worse, the report notes that “the exploited vulnerabilities predate the integration of the lethality upgrades,” suggesting that the Army spent too much time slapping new weapons systems like Stryker ICV-D’s 30mm autocannon onto the new vehicles and not enough time fixing a major design flaw.
“Major design flaw” and “30mm autocannon” are not words that go together well, my Michelle.
What’s probably going on here is that some energetic folks in the Stryker program realized they needed a computer system and a network for some purpose, and got the job done using some Linux distro or other. I’ll bet a dollar to a stack of donuts that whoever did that said (at the time) “we should eventually replace this with a production system” and someone else said, “no, let’s put it in production now!” and someone else who did not like how that happened arranged for the final, integrated system to get a good vulnerability scan, which revealed that the whole system was thrown together at the last minute. Normally, that kind of result gets classified, but in this case someone made sure the story leaked and faces are getting egg on them.
I’ve seen this sort of thing before and it’s really depressing. Especially since a vulnerability scan presupposes you’re on the target’s network, which is basically presupposing “game over, man.” As the report implies: if the underlying network is being degraded, the services that run atop it will, too. That’s something that needs to be thought about at design-time, not once it’s too late and the systems are deployed. Because it’s always more expensive and time-consuming to try to repair something that was built wrong than it is to avoid building it wrong in the first place.
Operation “Throw Money At The Problem” [the drive]