US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

Re:Why would the DOD need a report?

[ShanghaiBill]

Shouldn't the DOD know exactly what our missile defense system is running? Why did they need to generate a report for this?

How do people "know" things? By learning. How would they learn? By reading. What would they read? A report. Where would the report come from? Someone tasked with generating it.

Do you really think everyone in DoD is somehow born with knowledge about missile system OSes, and all the flaws in those OSes?

Also, this has nothing to do with the security of "ballistic missiles". The missiles managed by MDA are NOT ballistic.

Re:Why would the DOD need a report?

[ShanghaiBill]

Yes, they ARE ballistic, because they have to be to hit a ballistic trajectory target before terminal stage.

The are NOT ballistic missiles. They have terminal guidance to a moving target.

Ballistic missile

Re:I hope they are using 40 year old tech

[The123king]

Will people stop thinking it's PC's. The military run PDP11's and VAXen. There's not an 8086 anywhere near, and the only intel chips are RAM chips

Re:Why would the DOD need a report?

[LostMyBeaver]

Having been a contractor in this sector a few times, let me just say that it's a revolving door system.

The DoD, DoE, TSA, DHS, etc... are generally run by people completely lacking the ability to make decisions related to technology. This is not uncommon, hell, most of my company's customers are completely at the mercy of some slide shows and gartner reports.

Consider this... what percentage of Cisco customers actually need what Cisco pedals? I've been reviewing most of our customer's networks and realized that the average customer paid $20 million over 5 years for their network. I assessed their needs, their requirements (then and now) and concluded that they should throw their networks away completely and replace them with systems costing and average of $500K CapEx and about $200K OpEx annually. But they will continue to spend an average of $4 million a year each because they are completely at the mercy of the salespeople who sell them tons of shit they don't need.

The TLAs (three letter agencies) aren't even run by business leaders. They are run by bureaucrats. As such, they are even more poorly managed. I've worked with multiple organizations that hire people, stick them in secure environments after their clearance ... well clears and then cycles them out based on the fact that contracts are rolled over and over and over for no apparent reason other than the company who was currently contracted failed to do the job they were given because in order to get the job, they were forced to make a large number of false promises and now someone else making other false promises because they couldn't get the job if they answered honestly has taken over.

No... the DOD has absolutely no idea what the hell is going on in the IT systems because they never hire anyone long enough to get a foothold. I was at an SAIC office not long ago which had over 200 desks and in most cases, those desks were filled by sub-sub-sub-contractors and most people had no idea what anyone did or even what company they worked for.

If you think the DOD is bad, you should look at the State Department. I'm entirely convinced they simply let everyone walk through there unchecked.

I think it really went all downhill with the introduction of the TSA which is basically nothing more than a way of keeping people off welfare and not calling it socialism. They have 1.2 million people in their Active Directory last I checked.... how many do you think are actually tracked and verified?