The U.S. Ballistic Missile Defense System (BMDS) falls short of critical cybersecurity standards, according to an audit issued by the Department of Defense Inspector General.
The report issued by the Inspector General’s office details several basic lapses in security protocols at five separate locations, including:
- A lack of multifactor authentication to access BMDS technical information
- Known and unpatched network vulnerabilities dating back as far as 1990
- No physical locks on server racks
- Unencrypted transmissions between networks
The findings spoke to the severity of the vulnerabilities and lax security:
“DoD systems that process, store, and transmit technical details about BMDS are
exposed to greater risks unless actions are taken to improve security and reduce the
threat of compromise… networks, systems, and facilities… are vulnerable to cyberattacks, data breaches, data loss and manipulation, and unauthorized disclosure of technical information… leaving the United States vulnerable to missile attacks that threaten the safety of U.S. citizens and critical infrastructure.”
The report makes several recommendations to mitigate the systemic vulnerabilities, most of them widely recognized best cybersecurity practices including multi-factor authentication, increased video surveillance at facilities, securing server racks and placing tighter controls on removable media such as USB keys.
The BMDS isn’t the only military defense system to receive a failing grade in security; a report issued by the Government Accountability Office earlier this year found that nearly all of U.S. weapons systems developed between 2012 and 2017 are vulnerable to cyberattacks, despite regular warnings from government watchdogs.