Declassified DoD/IG report shows US missile defense cybersecurity was a mess

Cal Jeffrey

Posts: 3,129   +863
Staff member

The DoD conducted an audit of five random BMDS locations. These installations are where the Missile Defense Agency houses and controls interceptor missiles. The IG found that most of the sites had major security failures, according to the formerly Secret/NOFORN report (PDF).

Three out of the five locations did not use multi-factor authentication. It was not a matter of not being capable, but the installations’ staff had failed to enable it. Instead, employees just used their access badges and passwords to get into the systems.

It also found that three out of the five sites were using software with unpatched vulnerabilities. Even worse is that some of the weaknesses date back as far as 1990. If that was not enough, one of the installations did not use any form of anti-virus or any other security tools.

It is worth mentioning that the BMDS computers are not connected to the internet. They only operate on internal networks. However, someone with physical access could easily tamper with the servers or infect computers, but that wouldn’t be too easy, would it?

"Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility."

Well, according to the report, two of the sites did not have server racks locked down. Having unsecured server rooms is against standard protocol at the facilities, but it appears that violating protocol is common for BMDS workers.

The IG found that many of the removable network drives and other media were not encrypted, also violating protocol. Couple that with the fact that some of the locations had poor surveillance camera coverage with multiple gaps, and it makes them ripe for someone to walk out with unencrypted data.

It has been a bad year for the DoD where cybersecurity is concerned. Just last week we reported that the US Navy had suffered several successful breaches over the last year and a half suspected to have originated in China.

All of these shortcomings in the BMDS case resulted from poor cyber hygiene rather than unnoticed security flaws, so it sounds like the DoD has some housecleaning to do. Judging by the fact that the report was just declassified on December 10, I assume there are already some former government IT staffers looking for work. Just a guess.



Jeff Re

Posts: 238   +213
I'd be interested to know more about this. For example, were hardware/software requested and denied? Was there a lack of funding in general? I've seen this happen plenty.


Posts: 1,024   +493
I'd be interested to know more about this. For example, were hardware/software requested and denied? Was there a lack of funding in general? I've seen this happen plenty.
I would assume lack of mission focus after most of the BMD mission was forced onto the Navy.

Uncle Al

Posts: 8,167   +6,925
Not so surprised since most of the young recruits probably know how to hack, but don't have a clue how to ...... shall we say "unhack" ...... LOL


Posts: 685   +441
There's really no need for these sites to be guarded, since they exist only to protect against fake nuclear weapons to begin with. It's funny that they would tell us this so blatantly here though, practically admitting there's nothing to worry about. Probably another indication of the infighting between the intelligence agencies in the last two decades.


Posts: 231   +150
I’m sorry about having to crash the party, but this sort of missile defense only works if you’re being attacked by a third world country.
The main purpose of the system was to divert public funds and to calm people's minds (which were previously scared up for that purpose).
If you were going against France, China, Russia and the like, those systems wouldn’t help you at all. ;-)