December 17, 2018

Ballistic Missile Defence Systems Blasted for Poor Security Hygiene

Unlocked server racks, missing encryption and worse...

By CBR Staff Writer

Ballistic Missile Defence Systems (BMDS) in the United States have come under fire from a U.S. Department of Defense Inspector General report which found “systemic weakness” in their cybersecurity practices.

BMDS are a set of countermeasures designed to intercept long- to short-range ballistic missiles targeting the United States.

These systems comprise several components: from networked sensor arrays that help to detect incoming threats, to interceptor missiles designed to take out those threats. Strategic command facilities operate the communication networks required to run these systems.

In a blistering, heavily redacted report, an inspection of BMDS facilities found that there were serious deficiencies in the cybersecurity practices at some of these facilities.

The report found in some cases that: “Officials did not have controls in place to monitor the type and volume of classified data personnel downloaded to removable media.”

This is not just poor cybersecurity practice; it directly contravenes the U.S. Committee on National Security Systems Directive, which requires Federal agencies to log, audit and monitor any data which is removed from systems.


The report also found that administrators could not tell the inspectors which users had appropriate access, or confirm that users approved in the system had proper clearance for the data they could access.


This was due to the fact that administrators: “Did not always retain user access forms and, for the forms that they did retain, they did not always require users and supervisors to justify why the user needed access to BMDS technical information.”


The inspectors also discovered that not all data removed from the system was encrypted and that security managers did not enforce the use of encryption on removable media devices.

Why? They used “legacy systems that lacked the capability and bandwidth to encrypt data, did not have the resources to purchase encryption software.”

Where encryption software was in place on some of these legacy systems, it was found that the software did not ‘align’ with the encryption software currently being used by the Department of Defence.


Physical security at the facilities was also found to be sub-par; poor practice was evident in the management of system hardware, as server racks in datacentres were found in unlocked states.

“Leaving the server racks unlocked and failing to control access to the keys increases the risk that insiders could compromise or exfiltrate data even though they are authorized to be in the data center,” the inspector noted.

During their inspection they also learnt that some network administrators were not implementing intrusion detection software which would have allowed them to monitor suspicious activity on their classified networks.

The report recommends that the U.S. Department of Defence take swift measures to remediate these inadequacies in its hardware and software capabilities.
