A new report from the Department of Defense Office of the Inspector General (IG) found weaknesses in cybersecurity defenses for ballistic missile defense systems, putting technical information on the systems at risk.
The report, redacted to exclude sensitive information, found that network administrators failed to implement multifactor authentication, mitigate known network vulnerabilities, encrypt technical information in transit, implement intrusion detection capabilities, and verify the effectiveness of security controls.
“The Army, Navy, and MDA [Missile Defense Agency] did not protect networks and systems that process, store, and transmit BMDS [ballistic missile defense systems] technical information from unauthorized access and use,” the IG found.
“Without well-defined, effectively implemented system security and physical access controls, the MDA and its business partners … may disclose critical details that compromise the integrity, confidentiality, and availability of BMDS technical information. The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks.”
The DoD IG report comes in the wake of an October GAO report that warned of “mounting challenges in protecting weapons systems from increasingly sophisticated cyber threats.” In response to that report, DoD noted that it is “continuously strengthening” its cyber posture.
The report recommended that the agencies involved “develop and implement a plan to correct the systemic weaknesses identified in this report at facilities that manage BMDS technical information.” However, none of the CIOs or agency officials responded to the report’s recommendations, leading the IG to send the report further up the chain.