Some basic cybersecurity practices would go a long way toward protecting the systems that are supposed to shield Americans from missile attacks, a new report says.
An inspector general audit of Department of Defense ballistic missile defense systems (BMDS) found a host of existing network vulnerabilities that could allow adversaries to access technical information on those systems and sidestep the nation’s defenses.
“The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks,” says the audit. “Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.” The technical information at risk includes things like “military or space research and engineering data, engineering drawings, algorithms, specifications, technical reports, and source codes.”
Network administrators and data center managers failed to use some very basic cybersecurity controls on missile defense systems, the redacted report says. The IG found analyzed the physical and network security controls at five Army, Navy and Missile Defense Agency facilities, which are unlisted in the public version of the report. There are 104 total locations worldwide that manage BMDS information, the report says.
Specifically, the auditors found that administrators and managers did not:
- Require multifactor authentication on missile systems.
- “Identify and mitigate known network vulnerabilities at three of the five Components visited.”
- Lock server racks.
- Protect removable media.
- Encrypt technical information during transmission.
- Implement intrusion detection capabilities.
- “Require written justification as a condition to obtain and elevate system access for users.”
Auditors broadly recommend in the report’s conclusion that the CIOs responsible for the five locations work to ensure they are “using multifactor authentication to access networks and systems that contain BMDS data; mitigating vulnerabilities in a timely manner; protecting data stored on removable media; and implementing adequate physical security controls exist at the other DoD facilities that manage BMDS technical information.” Auditors also asked that they “develop and implement a plan to ensure network, system, and physical security weaknesses are corrected.”