
Inspectors Find Big Cyber Vulnerabilities in US Missile Defense System

Rogue Valley

12/17/18
Critical cyber vulnerabilities could allow adversaries to undermine the system of interceptors and sensors that protect U.S. territory from enemy missiles, the Pentagon’s inspector general said in a new report. Much of the Dec. 10 report is redacted to hide the names of the five facilities and components that were under scrutiny. But the readable portions paint a picture of failures to take even the sort of basic cyber security precautions that are standard in business, such as enabling two-factor authentication, encrypting files that are removable, physically locking up server racks, and using cybersecurity software to detect intrusions. “The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks,” the report said. The problems ranged from bad to very bad. Although Pentagon guidelines say operators should have to enter a password and swipe their physical CAC card to access sensitive systems — inspectors found that at two facilities, such multi-factor authentication wasn’t implemented consistently. They even found one operator who had been coasting on just a password and username access for seven years. One of the five facilities wasn’t running intrusion-detection software, a rather basic precaution against a third party breaking in, stealing data, changing it, or even establishing a presence on the network to observe the operators.

Three facilities weren’t encrypting files that were removable from the premises. Two weren’t locking up servers. Three had poor physical security measures, including cameras in the wrong place and security guards that didn’t properly check if visitors were supposed to have access to the areas and computers they were trying to access. In some instances, doors weren’t properly secured. The report recommends that facilities “require facility security or maintenance personnel to physically verify, at least daily, that entry and exit doors operate as intended.” None of the five facilities kept proper database records of who had been granted access to the system and why, a practice called the “justification” for access. The report is the latest in a series of government and media revelations highlighting poor cybersecurity practices at the Defense Department.

For the life of me, I can't figure out why the country that virtually birthed the modern digital age is still so damned lousy with DoD cyber-security.

Related: US ballistic missile systems have very poor cyber-security
 
Because we spend too much on our actual military engagements and paying a fortune for new "advanced" weapons and equipment, some plagued with problems, to worry much about silly things like cyber-security for our missile defense systems, taking care of soldiers and our broken VA system, etc.
 
Most of what is listed there is a lapse in OPSEC...not capability.
 
For the life of me, I can't figure out why the country that virtually birthed the modern digital age is still so damned lousy with DoD cyber-security.

Related: US ballistic missile systems have very poor cyber-security

Funny. The last place I worked had a government contract for DoD information. We had annual inspections (DIACAP) to ensure we kept our noses clean. Perhaps it was that we were a small shop with people who appreciated security.
 
Funny. The last place I worked had a government contract for DoD information. We had annual inspections (DIACAP) to ensure we kept our noses clean. Perhaps it was that we were a small shop with people who appreciated security.

Perhaps so. The lapses above were found on at least 5 separate facilities. So it seems to be systemic in this little [yet important] patch of the DoD.
 
For the life of me, I can't figure out why the country that virtually birthed the modern digital age is still so damned lousy with DoD cyber-security.

Related: US ballistic missile systems have very poor cyber-security

Because we've been involved in bull**** wars all around the globe that are extremely profitable for the war industry? Thus placing cyber security on the back burner?

Because our war on terror has nothing to do with defensive measures and is all about drones and killing strangers on the other side of the planet?
 
OK, now an insider's view.

Yes, I have worked in the "BMDS" area for years. And there is a lot here which makes me question the validity of the article.

First off, what were the systems being mentioned? There is not just one, there are actually a great many of them. PATRIOT Missiles? THAAD? Ticonderoga class cruisers? Burke class Destroyers? The mid-phase systems in California and Alaska? They do not even give this much information.

Then you have the issue that a lot of these systems are "Legacy". For example, the PATRIOT is primarily updated 1970's technology, with some early 20th century improvements. The system predates things like CAC cards by so much that there is really little way to implement much of what they are talking about in this article.

And unless the system has a constant live 2-way feed at all times there is simply no way to implement such a system. CAC Cards work because of the credentials that are verified with other databases that the DoD uses. If that was to be put into place, that means that new users could not be added if say an operator was injured and another brought in to replace them. Not a good thing at all.

And also, most of these are layers and layers deep in security. I have done security on high security bases in the past. Want to go to the "Admin areas" of the base, simply show your ID and in you go. But as you go deeper and deeper towards the sensitive stuff, there are more and more checks involved. Sure, at my first posting we had nuclear weapon bunkers that were visible from the 405 freeway. But to get to that bunker you would have to pass 6 different checkpoints, each with more and more strict requirements to allow entry. For the final 3, they were so strict that each of us knew every individual allowed access.

Servers not locked down? Really? Once again, they would be talking about at a location so deep in security zones where everybody has a Secret Clearance or higher. It is not like these would just be where any old Tom, Dick or Mary could just wander in and start ripping out servers.

Want to solve many of these problems though, you just have to throw money at it. A great deal of the infrastructure our military works on is literally dated to the Reagan Administration. Legacy equipment so old that such measures did not even exist at the time, and are now almost impossible to implement today.
 
For the life of me, I can't figure out why the country that virtually birthed the modern digital age is still so damned lousy with DoD cyber-security.

Well, knowing what the systems are would help a lot.

We only have a few of them, but I will throw out the 2 that the Navy uses right away. I doubt they tried to break on active warships to find out this information.

This really only leaves 4 possible contenders. The various GBI systems in California and Alaska. But first and foremost, these are test systems still in development. These are not final products, they are literally a test program that was thrown into operational status because of real world requirements. In such test systems, security is not a major consideration, they are simply trying to "make it work".

Now the other 2 (or 2.5 if you add MEADS to PATRIOT and THAAD) are mobile systems. So a lot of what they are talking about simply does not apply at all. Intrusion alarms, proximity alarms, etc, none of those can possibly apply to systems such as that. The same goes with "locking down" things.

The most critical parts of mobile systems like that are designed and intended to be removed quickly. For one, those items are locked up in a secure location if not in use. And this is also because if say the equipment can not be moved through mechanical failure or a position is about to get over-run, it can be either removed and evacuated, or destroyed.

This article is so poorly written with such little actual information, that I am pretty much dismissing it as entirely hype.

And this is the beauty of being both a 14T (PATRIOT Systems Operator) and 25B (IT Systems and Security) in that I understand both sides.
 