The US Department of Defense Inspector General (DOD IG) published a report detailing the cybersecurity status of the Ballistic Missile Defense System (BMDS). The results are far from good and can hardly put US taxpayers’ minds at ease. In summary, the failings the report found included no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities, to name just a few. The authors of the report inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles that form part of the BMDS, a Department of Defense program developed to protect US territories by launching ballistic missiles to intercept enemy missiles.
The report concluded that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.” This conclusion was drawn from several problematic areas, with multifactor authentication being the most problematic according to the Inspector General. According to MDA employment guidelines, any new MDA employee receives a username and password so they can access BMDS' network. As new employees are eased into their new jobs, they later also receive a common access card (CAC). The card is specifically designed to be used in conjunction with their password, as a second authentication factor. The normal procedure says that all new MDA workers must use multifactor authentication within two weeks of being hired.
At three of the five inspected locations, investigators found that many users had not enabled multifactor authentication for their accounts and were still using only their username and password to access BMDS' network. It was also found that one employee had accessed BMDS data for seven years without the protection provided by their card, and at another MDA site, investigators found that the network was never configured to support multifactor authentication at all, despite guidelines requiring such authentication to be employed. In general, the lack of multifactor authentication leaves employees vulnerable to phishing attacks.
Another area of concern centered on the patching of vulnerabilities. Inspectors discovered that three of the five locations had failed to apply security patches, leaving computers and adjacent network systems vulnerable to remote attacks as well as local attacks. Systems were not patched for vulnerabilities discovered and fixed in 2016, 2013, and even as far back as 1990. This section of the report is heavily redacted, which would suggest that patching of vulnerabilities is underway by MDA staff. Other areas of concern included unsecured server racks, MDA officials not consistently using encryption when moving data between air-gapped systems using removable media, and administrators failing to install an intrusion detection and prevention system, meaning an antivirus suite to you and me.
Not the First Time
This is not the first time a US military department was found to lack cybersecurity protocols. In October of this year, a report compiled by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress, found that new computerized weapons systems currently under development by the DOD can be easily hacked. According to the report, GAO investigators played the role of adversary and found several vulnerabilities. Many of these vulnerabilities were uncovered,
“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.”
The report includes some eye-catching hacks performed by GAO investigators. In one such case, the testers took control of operator terminals, enabling them to see, in real time, what the operators were seeing on their screens and to manipulate the system. Another team downloaded 100 gigabytes, while multiple teams reported that they were able to copy, change, or delete system data. Lastly, it was found that,
“Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise”
While the report highlighted security vulnerabilities, it also showed the DOD is far from perfect when addressing previous flaws. The report stated,
“For example, one test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason, it had not been implemented. They attributed it to contractor error.”
The report did not mention the next-generation weapons systems by name, but GAO did say all systems were heavily computerized and many were also networked together, which would make them a high-value target for many foreign nation-state hacking groups once they go live. This also means that once such systems go live they will essentially live on the Internet, and if the security issues are not corrected they could potentially be hacked by any interested party.
Warning and Recommendations
The US Department of Defense Inspector General’s report detailed at the start of the article will hopefully be the shot in the arm that the MDA and other military departments need to ensure their networks are secure. This may be doubly true when you consider that the MDA has 104 ballistic missile locations and plans to build another ten. If vulnerabilities are not addressed, there is a legitimate fear these bases could be easily attacked in case of a conflict. The DOD IG report made a set of recommendations that top officials and the rest of the MDA bases are now supposed to review and implement. These recommendations included enforcing multifactor authentication and encrypting BMDS technical information stored on removable media, just in case those in charge skip the body of the report.