US nuclear arsenal has been running without any credible cybersecurity measures
- Missile Defense Agency (MDA) locations were found lacking in physical and cybersecurity measures by an investigation conducted by the DoD IG.
- Some of the major cybersecurity flaws at MDA locations include lack of multifactor authentication, lack of fixes for known vulnerabilities, use of unencrypted removable media, and lack of intrusion detection.
Learning about exposed consumer devices or even corporate networks does not come as a shock to any cybersecurity professional. However, finding out that the world’s largest nuclear arsenal runs with almost no credible cybersecurity measures is shocking.
Yet this is the reality exposed in a report by the Department of Defense (DoD) earlier this year. Officials from the DoD Office of Inspector General assessed five randomly selected ballistic missile facilities operated by the Missile Defense Agency (MDA) as part of the Ballistic Missile Defense System (BMDS) program. BMDS is a DoD program built to intercept enemy nuclear missiles and protect US territory.
The report shed light on the fact that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.”
Weak Authentication Practices
One of the most serious security gaps pointed out in the report was the inconsistent use of multifactor authentication. Normally, new MDA employees are given login credentials to access the BMDS network. Later on, they are also issued a Common Access Card (CAC), which is to be used in combination with their login credentials when accessing the network.
This would act as a second factor for authentication. All new MDA employees are supposed to start using multifactor authentication within two weeks of joining, under normal circumstances.
However, the report points out that the inspecting officials found many employees authenticating with just their username and password at three of the five locations inspected.
In one case, an employee had been accessing the network without using his or her card for seven years. In another case, officials found that one of the locations had never configured its network to support multifactor authentication at all.
This kind of negligence could prove costly if any employee falls prey to a phishing attack and loses their login credentials to an attacker, who could then access the BMDS network without any checks.
Unpatched vulnerabilities and servers
Another critical issue highlighted by the report was that IT staff at three of the five locations had not applied fixes that were crucial for mitigating known vulnerabilities. The officials found that some vulnerabilities dating as far back as 1990 had still not been fixed.
Physical vulnerabilities, not just software ones, were also discovered by the investigators. In two locations, server racks were left unlocked and easily accessible to guests or visitors. An attacker could infect the servers simply by plugging a malware-laced USB device into them.
The negligence of the employees is visible from the fact that one data center manager was not aware of the security protocol and did not seriously consider the vulnerability, citing limited access to the base.
Use of unencrypted removable media
MDA employees were found to be using unencrypted devices when using removable media to move data between air-gapped systems. This issue existed in three of the five locations inspected.
In one case, the MDA employees were even unaware of the necessity of using encrypted media devices while moving data. In another case, they did not have the systems in order to detect if any data was being downloaded and whether it was encrypted.
MDA officials blamed the limited capabilities of the legacy systems in use and the lack of resources to purchase encryption software.
In one of the inspected locations, the IT staff had not installed any intrusion detection and prevention system. According to the officials working at that location, the issue arose because supervisors had not approved the installation of such a system.
Lack of an access hierarchy and monitoring
None of the five locations inspected by the DoD IG officials maintained a log recording every time an employee accessed the BMDS network and the justification for that access. Without such a database or log, there was no way to enforce an access hierarchy or to monitor who was accessing the network and why.
Inadequate physical security measures
Weak physical security in MDA sites is one of the most alarming findings of the DoD IG investigation. The surveillance cameras used at the MDA locations often did not cover the entire premises and many door sensors also malfunctioned, showing an incorrect door lock state.
Lastly, auditors were also able to explore many parts of top-secret locations without proper badges or authentication, which shows the lack of caution displayed by the MDA officials.
As shown by the DoD IG investigation, many of the current 104 MDA ballistic missile locations need to drastically improve their physical as well as cybersecurity practices. The report provided a set of recommendations for the MDA to make the necessary changes to avoid disastrous consequences in case of an attack.