Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Architecture

Technical Data on U.S. Missile Defense System Lacks Adequate Protections, DoD Says

Technical Information of U.S. Ballistic Missile Defense System is Improperly Protected, Audit Finds

Security controls and processes necessary to protect ballistic missile defense system (BMDS) technical information and the United States Department of Defense (DoD) facilities haven’t been properly implemented, a newly published audit report reveals. 

Technical Information of U.S. Ballistic Missile Defense System is Improperly Protected, Audit Finds

Security controls and processes necessary to protect ballistic missile defense system (BMDS) technical information and the United States Department of Defense (DoD) facilities haven’t been properly implemented, a newly published audit report reveals. 

Conducted by the DoD itself, the audit discovered that some network administrators and data center managers did not properly implement security measures such as multi-factor authentication, encryption of data in transit, protection and monitoring of data stored on removable media, and more. 

The technical information the redacted report (PDF) refers to includes, among others, military or space research and engineering data, engineering drawings, algorithms, specifications, technical reports, and source codes. A BMDS is used to counter short to long range ballistic missiles targeting the country. 

After being asked by the Congress, DoD conducted two audits to assess the controls in place to protect BMDS technical information from unauthorized access and disclosure, and both discovered security weaknesses. The new audit was performed at 5 of 104 DoD locations at four military installations that manage BMDS elements and technical information. 

The audit found that at two locations server racks weren’t consistently secured, and that physical security controls to limit unauthorized access were not implemented at three of them. No written justification was required to obtain and elevate system access for users at neither of the five locations. 

At three of the visited facilities, known network vulnerabilities weren’t identified and mitigated, the report reveals. The audit also discovered that data on removable media was not consistently protected and monitored, and that multifactor authentication was not consistently used either. 

The report also includes a series of recommendations meant to improve the security posture of the audited facilities, such as the implementation and enforcement of multifactor authentication when accessing systems that manage BMDS technical information. 

The report also recommends the implementations of intrusion detection capabilities and of protections for data stored on removable media drives, and mitigating vulnerabilities in a timely manner. At some of the facilities, the report recommends the installation of security cameras to monitor personnel movements. 

Another recommendation in the report is the implementation of a process for the identification of individuals authorized to use removable media, and of measures “to monitor the type and volume of data transferred to and from removable media.”

“The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks. Increasing threats of long-range missile attacks from adversaries requires the effective implementation of system security controls to help reduce the number of exploitable weaknesses that attackers could use to exfiltrate BMDS technical information,” the report reads. 

Related: DoD Launches ‘Hack the Marine Corps’ Bug Bounty Program

Related: Outdated DoD IT Jeopardizes National Security: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Application Security

Big-game malware hunters at Volexity are shining the spotlight on a sophisticated Chinese APT caught recently exploiting a Sophos firewall zero-day to plant backdoors...

Application Security

Cybersecurity powerhouse Palo Alto Networks on Thursday announced plans to spend $195 million in cash to acquire Israeli startup Cider Security, a deal that...