A US DOD cybersecurity audit of US missile defense systems outlined the failure in the implementation of basic cybersecurity controls like data encryption and multifactor authentication.
The report which was released last Friday, also revealed how officials are employing substandard cybersecurity practices to fortify the United States' ballistic missile defense systems (BMDS).
The findings were compiled in the report after DOD IG investigators inspected five places where BMDS ballistic missiles were stationed by the Missile Defense Agency (MDA). BMDS is a DOD program made with an objective to protect US territories by launching ballistic missiles to intercept incoming nuclear rockets.
The audit deduced that the networks and systems that store, process and transmit BMDS technical information were not protected by the US Army, Navy, and MDA. The information that was left unfortified by the US officials is of highly sensitive nature and could have been exploited to incite security threats.
"The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks." the heavily redacted report reads.
The audit deduced that the networks and systems that store, process and transmit BMDS technical information were not protected by the US Army, Navy, and MDA. The information that was left unfortified by the US officials is of highly sensitive nature and could have been exploited to incite security threats.
"The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks." the heavily redacted report reads.
“Inadequate security controls that result in unauthorized access to or disclosure of BMDS technical information may allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to missile attacks that threaten the safety of U.S. citizens and critical infrastructure,”
"Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]." stated the DoD report.
Along with the computer and data security issues, the presence of physical security issues was also noted. Officials discovered mismanagement at data center managers at BMDS facilities, they found instances of server racks not being locked.
Along with the computer and data security issues, the presence of physical security issues was also noted. Officials discovered mismanagement at data center managers at BMDS facilities, they found instances of server racks not being locked.
“The National Security Agency publishes capabilities packages that provide architecture and configuration requirements that allow organizations to implement secure solutions to protect data at rest using commercial off-the-shelf products,” states the report.
Unfortunately, the draft report attracted no response from Chief Information Officers of various facilities. Now, the Director, Commanding General, Commander, and Chief Information Officers are asked by the Inspector General's office to comment on the findings of the final report latest by 8th of January, 2019.
