The potential scenario of this cybersecurity flaw being exploited is not as severe, as say, the plot from the movie Wargames, but several major holes have been found in defense facilities housing technical information on the nation’s ballistic missile defense systems (BMDS) that could prove disastrous to America’s ability to defend itself against an ICBM attack.

In a report filed last week, the Inspector General (IG) for the Department of Defense found systematic issues surrounding BMDS networks that process, store and transmit both classified and unclassified BMDS technical information. Some of the problems included not using multifactor authentication, protecting removable media holding classified information, encrypt BMDS technical information transmission and implement intrusion detection capabilities.

“We determined that officials did not consistently implement security controls and processes to protect BMDS technical information,” the report stated, “facility security officers did not consistently implement physical security controls to limit unauthorized access to facilities that managed BMDS technical information.”

The weapons in the ballistic missile defense system are not nuclear-tipped offensive missiles but are part of the nation’s land and sea-based defensive anti-missile systems.

“The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks,” the report stated.

The IG noted the weaknesses exist and persist because those in charge do not consistently verify whether or not the security protocols put in place are actually effective.

The report suggested eight recommendations be made:

  • using multifactor authentication;
  • mitigating vulnerabilities in a timely manner;
  • protecting data on removable media; and
  • implementing intrusion detection capabilities.
  • enforce the use of multifactor authentication to access systems that process, store, and transmit BMDS technical information or obtain a waiver from using multifactor authentication from the DoD Chief Information Officer;
  • develop plans and take appropriate and timely steps to mitigate known vulnerabilities;
  • encrypt BMDS technical information stored on removable media; and
  • assess gaps in physical security coverage and install security cameras to monitor personnel movements throughout facilities.

Lamar Bailey, Tripwire’s director of security research and development, pointed out that at first glance this report looks “horrible”, but he noted the report covered very few defense facilities and the main takeaway was security was not consistently applied across the board.

“[The report] shows results for the facilities visited broken down into weaknesses in the seven areas audited. Only one audit hit all five locations and this dealt with justification for access. Five of the weaknesses say they were not “consistently” used but this can apply to “administrative, facility, a lab or both” so they may not apply to the networks with the defense/offense controls.  This audit was also only done at five facilities, which is less than 5 percent of the facilities in operation,” he said.