Unlocked server racks, missing encryption and worse…
Ballistic Missile Defence Systems (BMDS) in the United States have come under fire from a U.S. Department of Defense Inspector General report which found “systemic weakness” in their cybersecurity practices.
BMDS are a set of countermeasures designed to intercept long- to short-range ballistic missiles targeting the United States.
These systems comprise several components, from networked sensor arrays that help to detect incoming threats to interceptor missiles designed to take them out. Strategic command facilities operate the communication networks required to run these systems.
In a blistering, heavily redacted report, an inspection of BMDS facilities found that there were serious deficiencies in the cybersecurity practices at some of these facilities.
The report found in some cases that: “Officials did not have controls in place to monitor the type and volume of classified data personnel downloaded to removable media.”
This is not just poor cybersecurity practice; it directly contravenes the U.S. Committee on National Security Systems Directive, which requires federal agencies to log, audit and monitor any data that is removed from systems.
The report also found that administrators could not tell the inspectors which users had appropriate access, or confirm that users approved in the system had proper clearance for the data they could access.
This was due to the fact that administrators: “Did not always retain user access forms and, for the forms that they did retain, they did not always require users and supervisors to justify why the user needed access to BMDS technical information.”
The inspectors also discovered that not all data removed from the system was encrypted and that security managers did not enforce the use of encryption on removable media devices.
Why? They used “legacy systems that lacked the capability and bandwidth to encrypt data, did not have the resources to purchase encryption software.”
Where encryption software was in place on some of these legacy systems, it was found that the software did not ‘align’ with the encryption software currently being used by the Department of Defence.
Physical security at the facilities was also found to be sub-par; poor practice was evident in the management of system hardware, as server racks in datacentres were found in unlocked states.
“Leaving the server racks unlocked and failing to control access to the keys increases the risk that insiders could compromise or exfiltrate data even though they are authorized to be in the data center,” the inspector noted.
During their inspection they also learnt that some network administrators were not implementing intrusion detection software which would have allowed them to monitor suspicious activity on their classified networks.
The report recommends that the U.S. Department of Defence take swift measures to remediate these inadequacies in its hardware and software capabilities.