The classified networks in the facilities where ballistic missile defense system technical information is housed are vulnerable to a raft of internal and external cyber-threats, according to the Department of Defense Inspector General.
In a heavily redacted report issued last week, the DoD issued an assessment that the networks that process, store and transmit both classified and unclassified ballistic missile defense system (BMDS) technical information are riddled with security holes, including a lack of basic best practices, such as implementing antivirus software.
The “technical information” in question refers to military or space research and engineering data, engineering drawings, algorithms, specifications, technical reports and source codes, among other information.
Overall, the DoD found a host of issues, starting with the fact that network administrators and data center managers don’t consistently require multifactor authentication to access BMDS data; and, that the data isn’t always encrypted when transmitted. It also found several unpatched, known network vulnerabilities lurking on the systems, including one that dates back to the 1990s; a lack of monitoring for classified data stored on removable media; and a lack of intrusion detection and antivirus capabilities.
Lest we forget what’s at stake, the DoD noted in the report that “increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information.”
Further, there’s also no requirement for written justification as a condition to obtain and elevate system access for users. “Limiting access to BMDS technical information to users with a mission-related need to know reduces the risk of intentional or unintentional disclosures of data critical to national security,” the report pointed out.
More information may need to be published in order to give a full picture of the problem. The report is based on visits to just five facilities, out of 104 – and the DoD admitted that this represents a “non-statistical sample.”
Lamar Bailey, director of security research and development at Tripwire, added that while the findings are alarming, it’s not quite as bad as it seems initially, given that the security problems were not found in a blanket fashion across the five facilities that were audited.
“While I agree at first glance this sounds horrible, the key word in the findings is ‘consistently,’” he said via email. “Only one audit hit all five [networks audited] and this dealt with justification for access. [Not only were they] not consistently used, but this can apply to ‘administrative, facility, a lab or both,’ so they may not apply to the networks with the defense/offense controls.”