Well, this is terrifying and something you don\u2019t ever want to hear, but according to a report by the U.S. Government Accountability Office, \u201cFrom 2012 to 2017, DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.\u201dThe U.S. Department of Defense (DoD) has embraced automation and connectivity in military capabilities, but they also make weapon systems more vulnerable to cyber attacks. As the GAO pointed out, \u201cDoD plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems.\u201dDespite that mind-boggling amount to dump into weapon systems, test teams that were acting as adversaries found it easy to take control of weapon systems. They found \u201cwidespread examples of weakness in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond and recover.\u201dSecurity vulnerabilities discovered in the DoD weapon systemsI did not have enough faces or palms for the facepalm-worthy tidbits in this full report (pdf), but here are some of the highlights:Sometimes, running a simple port scan caused parts of the weapon system to fail: \u201cOne test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise.\u201dDefault password usage for weapon systems? Unfortunately, the GAO said poor password management was a common problem: \u201cMultiple weapon systems used commercial or open-source software, but did not change the default password.\u201dAlso, multiple times, the red team used free information or software downloaded from the internet to defeat weapon system security controls.In another test, the red team guessed an admin\u2019s password in nine seconds.A two-person red team needed \u201cjust one hour to gain initial access to a weapon system and one day to gain full control of the system,\u201d the report said.After gaining a foothold, the red teams escalated privileges and moved throughout a system until they managed to take full or partial control.One test team operated for several weeks without being detected.A red team wasn\u2019t even detected when it was \u201cdeliberately noisy\u201d and didn\u2019t hide its activities.Attack activity was in the system logs, but apparently operators couldn\u2019t be bothered to check them.Another test team \u201cemulated a denial of service attack by rebooting the system, ensuring the system could not carry out its mission for a short period of time. Operators reported that they did not suspect a cyber attack because unexplained crashes were normal for the system,\u201d the GAO report said.In another case, the red team took control of the operators\u2019 terminals and watched them, in real time, as the \u201cattackers\u201d manipulated the system.A different test team made a message pop up on users\u2019 terminals \u201cinstructing them to insert two quarters to continue operating.\u201dSeveral different red test teams were able \u201cto copy, change, or delete system data, including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.\u201dThe report may be unsettling, but at least it sounds like the red team had some fun.The GAO didn\u2019t mention specific weapon systems or vulnerabilities, but it did say the Pentagon is \u201cjust beginning to grapple\u201d with the scale of vulnerabilities.So \u2026 happy National Cyber Security Awareness Month?