Crossfire over slack cyber security at US anti-missile system

An internal audit at the United States Department of Defence (DoD) has discovered poor security practices that risked disclosing technical information about the country's Ballistic Missile Defence System (BDMS) to adversaries, with potentially lethal consequences.

In a recently declassified but redacted report [pdf], the DoD Inspector-General published a second report on how well miltary installations implement physical and cyber security controls, in order to safeguard BDMS technical information from threats.

For the second report, the Inspector-General picked a nonstatistical sample of 5 out of 104 DoD locations at four military installations, assessed their cyber security controls, and was unimpressed by them.

Network and database admins and data centre managers had been slack at identifying and mitigating network vulnerabilities at three of the locations visited, and had not implemented intrusion detection capabilties at these.

BDMS technical data should be encrypted, but wasn't, and admins and managers did not consistently implement protection and monitoring for information stored on removable drives.

Users accessing BDMS data weren't required to use multi-factor authentication.

Although US standards mandate physical security measures, the data centre manager the Inspector-General spoke to did not think it was necessary to lock server racks and secure the keys for these, as the person considered existing protocols that limited who had access to the facility to be sufficient protection.

The US has designed the BDMS as a layered system with four components to shoot down hostile missiles at short, medium, intermediate and long ranges, before they reach their targets.

These include the Aegis Ballistic Missile Defence (ABMD) which is is the BDMS naval component, and the Ground-Based Midcourse Defence (GBMD) that's designed to engage long-range ballistic missile threats in space.

The PATRIOT anti-aircraft and missile defence system also forms part of BDMS, along with the rapid-deployment Terminal High-Altitude Area Defence (THAAD) interceptors.

There is no indication that the information had leaked out. Had it happened, the consequences for the US defence forces could have been serious.

"The disclosure of technical details could allow US adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks," the report stated.