Worrying Finds from a Cybersecurity Audit on US Ballistic Missile Defense Systems
This week it was revealed that inadequate cybersecurity practices are being used to protect the US ballistic missile defense systems (BMDS). The report was released earlier this week by the US Department of Defense.
The report is heavily redacted due to security and privacy concerns, as is typical with government documents of this nature. However, it does highlight some areas where US cybersecurity for the BMDS is lacking:
- Failed to utilize multifactor authentication
- Vulnerability assessments and mitigation are underutilized
- Server rack security is a concern
- High protection needed for classified data stored on removable media
- More physical security should be utilized, such as cameras and sensors
- Lack of, or not enough routine assessments
- Increased protection needed for encrypting transmitted technical information
Some specific examples of cybersecurity issues are as follows. In one DoD facility users were permitted to use a single-factor authentication (username and password) for up to 14 days after their account creation. However, it was found that even when these 14 days passed, users were continuing to use a single factor authentication. In another facility, a system was being used that doesn’t even support multifactor authentication.
Even at facilities that did have multifactor authentication, other security concerns were at play. Many systems were not patched correctly, in one facility it was found that a security patch to protect against vulnerabilities was not applied, and this patch was available in January 2018.
Other facilities were not encrypting important data that was being stored on removable devices, adding to this, some facilities said they weren’t aware they needed to encrypt data on removable devices. Some facilities were using systems that didn’t keep track of what data was being copied.
In terms of next steps, the DoD is planning to fix these issues in their facilities and provide a higher level of cybersecurity going forward.