US officials did not consistently implement security controls and processes to protect ballistic missile defense system (BMDS) technical information, according to a newly declassified report, Security Controls at DoD Facilities for Protecting Ballistic Missile Defense System Technical Information, from the US Department of Defense (DoD) Inspector General.
The redacted report was published on December 10, 2018, and detailed the results of an audit conducted “in response to a congressional requirement to audit the controls in place to protect BMDS technical information.”
“We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information. This is the second of two audits to determine whether the DoD protected BMDS technical information from unauthorized access and disclosure,” the agency wrote.
The audit found that network administrators and data center managers failed to require multi-factor authentication in order to access the BMDS technical information and did not identify and mitigate known network vulnerabilities at three of the five components visited.
In addition, they did not lock server racks, protect and monitor classified data stored on removable media, encrypt BMDS technical information while being transmitted, implement intrusion detection capabilities on classified networks or require users to provide written justification to be granted elevated system access.
“While I agree at first glance this sounds horrible, the key word in the findings is 'consistently,' said Lamar Bailey, director of security research and development at Tripwire. “Table 1 shows results for the facilities visited broken down into weaknesses in the seven areas audited.
“Only one audit hit all five locations and this dealt with justification for access. Five of the weaknesses say they were not 'consistently' used, but this can apply to 'administrative, facility, a lab or both,' so they may not apply to the networks with the defense/offense controls. This audit was also only done at five facilities, which is less than 5% of the facilities in operation. We should not take a Chicken Little stance here but remember basic security hygiene and foundational security controls apply to everyone.”