The managers of the nation’s missile defense system aren’t implementing basic cybersecurity practices, according to a new inspector report.
Critical cyber vulnerabilities could allow adversaries to undermine the system of interceptors and sensors that protect U.S. territory from enemy missiles, the Pentagon’s inspector general said in a new report.
Much of the Dec. 10 report is redacted to hide the names of the five facilities and components that were under scrutiny. But the readable portions paint a picture of failures to take even the sort of basic cyber security precautions that are standard in business, such as enabling two-factor authentication, encrypting files that are removable, physically locking up server racks, and using cybersecurity software to detect intrusions.
“The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks,” the report said.
The problems ranged from bad to very bad.
Although Pentagon guidelines say operators should have to enter a password and swipe their physical CAC card to access sensitive systems — inspectors found that at two facilities, such multi-factor authentication wasn’t implemented consistently. They even found one operator who had been coasting on just a password and username access for seven years.
One of the five facilities wasn’t running intrusion-detection software, a rather basic precaution against a third party breaking in, stealing data, changing it, or even establishing a presence on the network to observe the operators.
Three facilities weren’t encrypting files that were removable from the premises. Two weren’t locking up servers. Three had poor physical security measures, including cameras in the wrong place and security guards that didn’t properly check if visitors were supposed to have access to the areas and computers they were trying to access. In some instances, doors weren’t properly secured. The report recommends that facility’s “require facility security or maintenance personnel to physically verify, at least daily, that entry and exit doors operate as intended.”
None of the five facilities kept proper database records of who had been granted access to the system and why, a practice called the “justification” for access.
The report is the latest in a series of government and media revelations highlighting poor cybersecurity practices at the Defense Department. Last week, a Wall Street Journal report highlighted that Chinese hackers had successfully targeted U.S. Navy contractors to steal sensitive information. In October, a Government Accountability Office report showed that the newest weapons in the U.S. arsenal were riddled with vulnerabilities, many of which had been previously disclosed.