A report by the Defense Department's Inspector General found that the US Ballistic Missile Defense System is riddled with security problems, including cybersecurity issues as well as a host of physical security issues.
The report, "Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information," was published December 10 and released this week in a public document that includes numerous redactions to shield classified information.
This report stems from testimony that the Director of the Missile Defense Agency (MDA) gave to Congress in 2016, expressing concern about access to technical information about the Ballistic Missile Defense System (BMDS).
In turn, following a two-year investigation, the Inspector General issued two reports about security within BMDS facilities -- the one released this week and an earlier document published in March.
The report also follows an examination by the US Government Accountability Office that found that the Pentagon's most advanced weapons systems were vulnerable to cyber attacks. (See GAO: Pentagon's New Weapons Systems Vulnerable to Cyber Attacks.)
This new report paints a disturbing picture of cybersecurity practices within the Pentagon's complex BMDS, including a lack of two-factor authentication to access classified information, technical details stored on removable devices and the need for greater intrusion detection capabilities.
Cybersecurity is also only one of many problems with BMDS.
The report finds that security officers at various facilities did not always limit unauthorized access to physical BMDS details and documents. In addition, when inspecting five different facilities, the officials found that server racks were left unlocked and that the data center manager did not always have the keys.
The document notes:
The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.
To put into perspective what is at stake, the Ballistic Missile Defense System is what the Defense Department calls a "layered" architecture that gives the Pentagon several different opportunities to destroy incoming missiles and nuclear warheads before they reach targets.
BMDS is made up of numerous sensors on the ground, at sea and in space for detecting and tracking ballistic missiles; interceptor missiles for destroying ballistic missiles; and a management and communications network that links all the parts together.
Given the scope of the BMDS, the lack of cybersecurity protections within these various facilities, as well as the responsibility of the Army and Navy for IT security, is particularly unnerving.
For example, the Inspector General found that even though the Defense Department required the use of multi-factor authentication, those working within BMDS used single-factor authentication, such as username and password, to access information instead of being required to have a Common Access Card (CAC) or an RSA token.
While it can take two weeks to obtain a CAC or RSA token, the report found 34 different incidents in which someone continued to access data using only the single-factor method. One person was able to access information for more than seven years using the less secure single-factor method.
Additionally, the Inspector General found that software patches to protect against vulnerabilities were not always applied, including for flaws that were listed as high or critical.
The report offers a series of recommendations that would seem more tailored for a mid-level enterprise than one of the most complex weapons systems on Earth, but these guidelines can cut down on several security holes within a facility, whether government or private.
- Enforce multi-factor authentication to access systems that process, store and transmit technical information or obtain a waiver directly from the CIO
- Plan and patch software vulnerabilities when they become known to the IT staff
- Encrypt technical information that is stored on removable media and devices
- Close the gaps in physical security, including the use of security cameras to track personnel throughout the facility
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.