A U.S. Department of Defense Inspector General report released this week outlines the inadequate cybersecurity practices being used to protect the United States' ballistic missile defense systems (BMDS).
Ballistic missile defense systems are used by the U.S.A. to counter short-, medium-, intermediate- and long-range ballistic missiles that target the United States of America. As these systems are controlled by computers and software, they are at risk of being targeted by state-sponsored attacks that attempt to gain control of the systems, damage them, or steal classified information and source code.
On March 14, 2014, the DoD Chief Information Officer stated that the DoD must implement National Institute of Standards and Technology (NIST) security controls to protect its systems, including BMDS.
A heavily redacted report by the DoD shows that BMDS facilities failed to implement required security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encryption of transmitted technical information, and physical facility security such as cameras and sensors. They also did not perform routine assessments to make sure that these safeguards were in place.
In one facility, users were allowed to use single-factor authentication (only a username and password) for up to 14 days during account creation. The report showed that in many cases, users would continue to use just a username and password well past 14 days. At another facility, the domain administrator never bothered to configure policies that prevent users from logging in if they are not using multifactor authentication. Finally, one facility was using a system that does not even support multifactor authentication.
Vulnerabilities that would allow attackers to hack into the systems or facilities were also not properly patched and secured at numerous facilities. For example, a March 2018 scan of vulnerabilities at one facility showed that vulnerabilities found in a January 2018 scan were never fixed. Other facilities contained vulnerabilities that were discovered in 2013 and had still not been patched when an April 2018 vulnerability assessment was conducted.
The report also states that facilities were not encrypting data that was being stored on removable devices or using systems that kept track of what data was being copied. Some facilities stated that they did not know they even needed to encrypt data on removable devices.
"In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption," stated the DoD report. "Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]."
In addition to computer and data security issues, there were physical security issues as well. Server racks were left unlocked, a door reported for four years that it was closed when in fact it was open, people gained unauthorized access simply by pulling open doors, and security cameras were not always installed at required locations.
The recommendations by the DoD Inspector General's office are what you would expect: fix these problems and comply with federal requirements. Unfortunately, Chief Information Officers from various facilities did not respond to the draft report, and the Inspector General's office has now asked the Director, Commanding General, Commander, and Chief Information Officers to comment on the final report by January 8, 2019.