How not to secure US missile defences

What sort of organisation might suffer the following list of security failures?

Three out of five physical locations visited for an audit failed to implement multi-factor authentication (MFA) on networks used to secure sensitive technical data.

Two weren’t securing their equipment racks.

Three weren’t routinely encrypting highly-sensitive data held on USB sticks.

At all five locations, admins could access and maintain systems without having to justify that level of privilege.

Most extraordinary of all, as of 2018, one site’s patching was so deficient that it failed to address a critical vulnerability that first came to light nearly three decades earlier, in 1990.

This might have been an extreme one-off except that another site had sat on another serious flaw dating from 2013 despite being reminded of that fact in early 2018.

The organisation in question is the US Department of Defense’s Ballistic Missile Defense System (BMDS), five of whose 104 sites were chosen at random in early 2016 for a security audit by the DOD’s Inspector General.

It’s hard to know what to make of the number of weaknesses uncovered in computer security across so few sites, but if these findings (published in redacted form in April but only recently noticed) are typical of the other 99, the BMDS has a problem on its hands.

As the DOD Inspector General spells it out in its report:

The disclosure of technical details could allow US adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks.

The BMDS is a group of systems used to intercept incoming missiles, which is important to US defence for two reasons.

It intercepts missiles using its own missiles, hopefully sparing targets from destruction, and the fact that it does this at least some of the time benefits first-strike deterrence.

Securing it should be a priority.

It’s a story that will remind readers with longer memories of the 2013 claim that for two decades during the 1960s and 1970s, the launch code for the US Minuteman nuclear missiles was eight zeros (00000000).

Whether that sounds like something from Dr Strangelove depends on how we interpret the point of that code – was it to secure the missiles with a secret code or, as appears to be the case, a way of making it easy for personnel to launch them in a hurry?

The thing about the past is they do things differently there in ways that don’t always make sense in hindsight.

A system as large and complex as the BMDS wasn’t designed but evolved over many decades, with networked computing systems added more recently. Some of the failures might simply reflect out-of-date processes that were well-intended when they were first implemented.

It’s also true that many of the above failings – administrators who don’t patch their systems, lock their racks, or encrypt removable drives – might apply to almost any organisation, although possibly not ones responsible for defending a world superpower.

What matters is the willingness to say what needs to be said to put things right – on that point at least, this report might do its job.