We’re constantly reading about cybersecurity weaknesses and cyber break-ins at our banks, department stores, and large corporations. The results include disclosure of our credit card numbers, Social Security numbers, and other personal information. But cybersecurity breakdowns can have much more ominous results, as a Department of Defense report reveals.
Serious cybersecurity flaws have been found in the U.S. ballistic missile defense system (BMDS). These flaws were found to put at risk our ability to defend ourselves if we are attacked by an enemy with an intercontinental ballistic missile (ICBM).
In the report filed on December 10 by the inspector general (IG) for the Department of Defense, it was disclosed that a number of security issues were found with the networks that process, store, and transmit both the classified and unclassified technical information related to our ballistic missile defense systems. The issues include access to removable storage media that contains classified information, weak password controls, failures to encrypt technical information transmission, and problems in detecting intrusions — all relating to BMDS.
The report, which is full of redactions, can be viewed here. It reads in part:
We determined that officials from the (redacted) did not consistently implement security controls and processes to protect BMDS technical information. Specifically, (redacted) network administrators and data center managers did not:
require the use of multifactor authentication to access BMDS technical information at the (redacted)
identify and mitigate known network vulnerabilities at three of the five Components visited
lock server racks at the (redacted)
protect and monitor classified data stored on removable media at the (redacted)
encrypt BMDS technical information transmitted between (redacted)
implement intrusion detection capabilities on classified network
require written justification as a condition to obtain and elevate system access for users at the (redacted)
The report notes, “We determined that officials did not consistently implement security controls and processes to protect BMDS technical information and facility security officers did not consistently implement physical security controls to limit unauthorized access to facilities that managed BMDS technical information.” As a result, “The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks,” the report explained.
The weapons at the center in question are part of the nation’s land- and sea-based defensive anti-missile systems but are not nuclear-tipped offensive missiles.
The inspector general noted that the weaknesses exist due to a lack of consistent oversight and a failure to determine whether the security procedures being used actually work.
The report made eight recommendations for action. They include using multifactor authentication; mitigating vulnerabilities in a timely manner; protecting data on removable media; implementing intrusion detection capabilities; enforcing the use of multifactor authentication to access systems that process, store, and transmit BMDS technical information or obtain a waiver from using multifactor authentication from the DoD chief information officer; developing plans and taking appropriate and timely steps to mitigate known vulnerabilities; encrypting BMDS technical information stored on removable media; and assessing gaps in physical security coverage and install security cameras to monitor personnel movements throughout facilities.
So, next time your credit card is compromised, think about how much worse it could be.