Facepalm: A recent inspection of the United States’ Ballistic Missile Defense System (BMDS) found cybersecurity measures lacking to the point of being virtually nonexistent. The Department of Defense Inspector General published a report last April. The report was recently declassified and is heavily redacted, but it shows lazy and incompetent security practices.
The DoD conducted an audit of five random BMDS locations. These installations are where the Missile Defense Agency houses and controls interceptor missiles. The IG found that most of the sites had major security failures, according to the formerly Secret/NOFORN report (PDF).
Three out of the five locations did not use multi-factor authentication. The systems were capable of it, but the installations’ staff had failed to enable it. Instead, employees just used their access badges and passwords to get into the systems.
It also found that three out of the five sites were using software with unpatched vulnerabilities. Even worse is that some of the weaknesses date back as far as 1990. If that was not enough, one of the installations did not use any form of anti-virus or any other security tools.
It is worth mentioning that the BMDS computers are not connected to the internet. They only operate on internal networks. However, someone with physical access could easily tamper with the servers or infect computers. But that wouldn’t be too easy, would it?
"Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility."
Well, according to the report, two of the sites did not have server racks locked down. Having unsecured server rooms is against standard protocol at the facilities, but it appears that violating protocol is common for BMDS workers.
The IG found that many of the removable network drives and other media were not encrypted, also violating protocol. Couple that with the fact that some of the locations had poor surveillance camera coverage with multiple gaps, and it makes them ripe for someone to walk out with unencrypted data.
It has been a bad year for the DoD where cybersecurity is concerned. Just last week we reported that the US Navy had suffered several successful breaches over the last year and a half suspected to have originated in China.
All of these shortcomings in the BMDS case resulted from poor cyber hygiene rather than unnoticed security flaws, so it sounds like the DoD has some housecleaning to do. Judging by the fact that the report was just declassified on December 10, I assume there are already some former government IT staffers looking for work. Just a guess.